Описание
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
Отчет
The "AuthType Digest" directive is not enabled in the default httpd configuration as shipped with Red Hat Enterprise Linux, and needs to be explicitly enabled. Therefore this flaw has no impact on the default versions of the httpd package as shipped with Red Hat Enterprise Linux. Also upstream discourages the use of mod_auth_digest because of its inherent security weaknesses and recommends the use of mod_ssl.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Will not fix | ||
| Red Hat Enterprise Linux 6 | httpd | Will not fix | ||
| Red Hat Enterprise Linux 8 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd | Will not fix | ||
| Red Hat JBoss Web Server 3 | httpd | Not affected | ||
| Red Hat Mobile Application Platform 4 | rhmap-httpd-docker | Not affected | ||
| JBoss Core Services on RHEL 6 | jbcs-httpd24 | Fixed | RHSA-2019:0367 | 18.02.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apache-commons-daemon-jsvc | Fixed | RHSA-2019:0367 | 18.02.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr | Fixed | RHSA-2019:0367 | 18.02.2019 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr-util | Fixed | RHSA-2019:0367 | 18.02.2019 |
Показывать по
Дополнительная информация
Статус:
4.2 Medium
CVSS3
Связанные уязвимости
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authen ...
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
4.2 Medium
CVSS3