Issued:
2017-12-15
Updated:
2017-12-15

RHSA-2017:3476 - Security Advisory

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for JBoss Core Services on RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)
  • It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
  • A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
  • A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
  • A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 7 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 7 ppc64

Fixes

  • BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
  • BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
  • BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
  • BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
  • BZ - 1506523 - CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions

Red Hat JBoss Core Services 1 for RHEL 7

SRPM
jbcs-httpd24-httpd-2.4.23-125.jbcs.el7.src.rpm SHA-256: 35e2078eb107c4a1fc5462da5f5ff6121978c5497bd0314e03821e2eb87a1aee
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el7.src.rpm SHA-256: 3a3e72d38217f4e0456b16f10911d38839dc9290c9139c0e66ba74747b3fe2df
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el7.src.rpm SHA-256: 302f51a1600bb58b06dbcc8cd689ad666fe43db2fdcc60ef2e78f2bc4b7e7575
x86_64
jbcs-httpd24-httpd-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: f24547fb3f75054298313d95616569436c19861f99d2fb85b627e0e20b30cc6a
jbcs-httpd24-httpd-debuginfo-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: f2f5c82086cce68d5b90ac7b9672ef56f9fc73f2da701e69b3d45d9d0d0c6619
jbcs-httpd24-httpd-devel-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: c84504fa86b2818830ef243ccc7ffc6734ea741ea35dc59f7468ae7c634e5efc
jbcs-httpd24-httpd-libs-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: a1828883426cee3526bae58f4248cbc733caa18b08bbdb39168528f21751aca8
jbcs-httpd24-httpd-manual-2.4.23-125.jbcs.el7.noarch.rpm SHA-256: e7b31ab18b7b89bb7153062fbc2b45d3b55cffb181da6db14248ff2203cb7898
jbcs-httpd24-httpd-selinux-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: 7d3f04333ea24309b5f85d442375efe96b4edfd7a751b96a23ac8ddc1b21cc4f
jbcs-httpd24-httpd-tools-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: a66fd6f163809d3bc8d731eb565893a2ded5be0c6972ea7fcc4c56e6cca2f03d
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el7.x86_64.rpm SHA-256: bd65b653fcd7238ac51e612ee56716007529d94b531cc3f1eb86dbb6de19d129
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-15.GA.jbcs.el7.x86_64.rpm SHA-256: 6141c7000c233834126a24a440f011904c89d0159031f1c35c1c43f89f0f53a1
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el7.x86_64.rpm SHA-256: 31f2538b0aa93116f2475325520c4c07b0d278c13707d85c2bca2d2deda923ed
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_1.jbcs.el7.x86_64.rpm SHA-256: 48bc1517b6efe981e2f63af65cf79357b5ae37b9d35495b2d1507f8c39252ce3
jbcs-httpd24-mod_ldap-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: 56c1a2f7e68f4369d19bf6d26439f34a5d7fe4328cdbbb6a5741e2d3d20a0376
jbcs-httpd24-mod_proxy_html-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: 158d98b425e8f4a874700baffefb242f02b42afe5f66b6cc70726595705e7a84
jbcs-httpd24-mod_session-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: 4b03e02e6fc0f0008c5e9c90a03ec5a6f3be3214ff0d878aeacc121fe6d49565
jbcs-httpd24-mod_ssl-2.4.23-125.jbcs.el7.x86_64.rpm SHA-256: 9ef88a61dad07f4946b8cc164d39a56174c017524f526b31d028046630f9c0e7
ppc64
jbcs-httpd24-httpd-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: a800ded8f23e2f1c75c9f4dc8faf423d196de0c7b545ae2b45db5aeb1842f1a1
jbcs-httpd24-httpd-debuginfo-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: 9c6509b05aaa9c697d610997721f6de18f112161c3e53e8d84d32a559d5adf02
jbcs-httpd24-httpd-devel-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: 4bd0bbb1175f0fdb88aeab277e721cf891620d7fbd90f4f6dcabcfd2fceafee1
jbcs-httpd24-httpd-libs-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: 3250c7c7009311cb2aa91a8a36211b27110c916ab9feb1c7d488c1a17c3751c8
jbcs-httpd24-httpd-manual-2.4.23-125.jbcs.el7.noarch.rpm SHA-256: e7b31ab18b7b89bb7153062fbc2b45d3b55cffb181da6db14248ff2203cb7898
jbcs-httpd24-httpd-selinux-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: bf44a4b274f044acf8ab64d87341c580e286331b546ec38168a31d5f710343a1
jbcs-httpd24-httpd-tools-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: f4342f0651ad8749de333deb77ede2aa9c09e02121c4b60d3a6229ea9b325f17
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el7.ppc64.rpm SHA-256: ad6ae44fe3c57bcf3482182da6ec0706e47cdf1fc94b5e85a890af0dba728c23
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-15.GA.jbcs.el7.ppc64.rpm SHA-256: d0bb53ef341f299bae557c0aaef758bf1ec9c6dd0fcdbbfc74f45a04be1cf864
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el7.ppc64.rpm SHA-256: 49f959e8b40624ec3a130ae7b06415b2d87b9feda79b850f9f66a4b48055113b
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_1.jbcs.el7.ppc64.rpm SHA-256: 398a580f931e22d9bba61c92b3229f3bbf266e37f690b749125018a11d612bcd
jbcs-httpd24-mod_ldap-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: 1700c3f9f350fa036485aee74efdd5534aa6fed7c67dd37ab575336ada305853
jbcs-httpd24-mod_proxy_html-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: bcaf0c4d1957a6178322d0fece3bd7ba6919a741f6445599f6cd48a0fec0c2d0
jbcs-httpd24-mod_session-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: 680d13ab7109a5ef73670fabb3d7ac937612afb3a40d19495aeaeb62ebe14a28
jbcs-httpd24-mod_ssl-2.4.23-125.jbcs.el7.ppc64.rpm SHA-256: 01a0c6ac69543ea5939dacd4ac4f18b55097e79396493d6500d66212ad46e54c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.