CVE-2017-9798

18.09.2017, 15:29

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apache	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
apache	http_server	𝑥 ≤ 2.2.34
apache	http_server	2.4.0
apache	http_server	2.4.1
apache	http_server	2.4.2
apache	http_server	2.4.3
apache	http_server	2.4.4
apache	http_server	2.4.6
apache	http_server	2.4.7
apache	http_server	2.4.9
apache	http_server	2.4.10
apache	http_server	2.4.12
apache	http_server	2.4.16
apache	http_server	2.4.17
apache	http_server	2.4.18
apache	http_server	2.4.20
apache	http_server	2.4.23
apache	http_server	2.4.25
apache	http_server	2.4.26
apache	http_server	2.4.27
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

apache2

bullseye	2.4.62-1~deb11u1 fixed
bullseye (security)	2.4.62-1~deb11u2 fixed
bookworm	2.4.62-1~deb12u1 fixed
bookworm (security)	2.4.62-1~deb12u2 fixed
sid	2.4.62-3 fixed
trixie	2.4.62-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

apache2

artful	Fixed 2.4.27-2ubuntu3 released
zesty	Fixed 2.4.25-3ubuntu2.3 released
xenial	Fixed 2.4.18-2ubuntu3.5 released
trusty	Fixed 2.4.7-1ubuntu4.18 released

Known Exploits!

Common Weakness Enumeration

CWE-416 - Use After Free
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

References

http://openwall.com/lists/oss-security/2017/09/18/2

http://www.debian.org/security/2017/dsa-3980

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/100872

http://www.securityfocus.com/bid/105598

http://www.securitytracker.com/id/1039387

https://access.redhat.com/errata/RHSA-2017:2882

https://access.redhat.com/errata/RHSA-2017:2972

https://access.redhat.com/errata/RHSA-2017:3018

https://access.redhat.com/errata/RHSA-2017:3113

https://access.redhat.com/errata/RHSA-2017:3114

https://access.redhat.com/errata/RHSA-2017:3193

https://access.redhat.com/errata/RHSA-2017:3194

https://access.redhat.com/errata/RHSA-2017:3195

https://access.redhat.com/errata/RHSA-2017:3239

https://access.redhat.com/errata/RHSA-2017:3240

https://access.redhat.com/errata/RHSA-2017:3475

https://access.redhat.com/errata/RHSA-2017:3476

https://access.redhat.com/errata/RHSA-2017:3477

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a

https://github.com/hannob/optionsbleed

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E

https://security-tracker.debian.org/tracker/CVE-2017-9798

https://security.gentoo.org/glsa/201710-32

https://security.netapp.com/advisory/ntap-20180601-0003/

https://support.apple.com/HT208331

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

https://www.exploit-db.com/exploits/42745/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/security/tns-2019-09

http://openwall.com/lists/oss-security/2017/09/18/2

http://www.debian.org/security/2017/dsa-3980

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/100872

http://www.securityfocus.com/bid/105598

http://www.securitytracker.com/id/1039387

https://access.redhat.com/errata/RHSA-2017:2882

https://access.redhat.com/errata/RHSA-2017:2972

https://access.redhat.com/errata/RHSA-2017:3018

https://access.redhat.com/errata/RHSA-2017:3113

https://access.redhat.com/errata/RHSA-2017:3114

https://access.redhat.com/errata/RHSA-2017:3193

https://access.redhat.com/errata/RHSA-2017:3194

https://access.redhat.com/errata/RHSA-2017:3195

https://access.redhat.com/errata/RHSA-2017:3239

https://access.redhat.com/errata/RHSA-2017:3240

https://access.redhat.com/errata/RHSA-2017:3475

https://access.redhat.com/errata/RHSA-2017:3476

https://access.redhat.com/errata/RHSA-2017:3477

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a

https://github.com/hannob/optionsbleed

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E

https://security-tracker.debian.org/tracker/CVE-2017-9798

https://security.gentoo.org/glsa/201710-32

https://security.netapp.com/advisory/ntap-20180601-0003/

https://support.apple.com/HT208331

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

https://www.exploit-db.com/exploits/42745/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/security/tns-2019-09