Issued:
2017-12-15
Updated:
2017-12-15

RHSA-2017:3477 - Security Advisory

Synopsis

Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for JBoss Core Services on RHEL 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 3 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • An out-of-bounds array dereference was found in apr_time_exp_get(). An attacker could abuse an unvalidated usage of this function to cause a denial of service or potentially lead to data leak. (CVE-2017-12613)
  • It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167)
  • A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A remote attacker could use this flaw to cause an httpd child process to crash if another module used by httpd called a certain API function during the processing of an HTTPS request. (CVE-2017-3169)
  • A buffer over-read flaw was found in the httpd's mod_mime module. A user permitted to modify httpd's MIME configuration could use this flaw to cause httpd child process to crash. (CVE-2017-7679)
  • A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank Hanno Böck for reporting CVE-2017-9798.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • Red Hat JBoss Core Services 1 for RHEL 6 x86_64
  • Red Hat JBoss Core Services 1 for RHEL 6 ppc64
  • Red Hat JBoss Core Services 1 for RHEL 6 i386

Fixes

  • BZ - 1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
  • BZ - 1463197 - CVE-2017-3169 httpd: mod_ssl NULL pointer dereference
  • BZ - 1463207 - CVE-2017-7679 httpd: mod_mime buffer overread
  • BZ - 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
  • BZ - 1506523 - CVE-2017-12613 apr: Out-of-bounds array deref in apr_time_exp*() functions

Red Hat JBoss Core Services 1 for RHEL 6

SRPM
jbcs-httpd24-httpd-2.4.23-125.jbcs.el6.src.rpm SHA-256: 5d93e8d3796f096e0cee21f331dd9644001125c9f948ec512f2df2ecd78b3dcb
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el6.src.rpm SHA-256: c9e486ab5e88db89205115a9b573c79abd282feaa706d8323778d6b35b7458c4
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el6.src.rpm SHA-256: 87452bd237969b46545e6ddc5f1ae9ce7e3c56bc8655802160925401344afb69
x86_64
jbcs-httpd24-httpd-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: dfdb59569320f6849ed858d1be56704059860d0137aa96bf04702655410a7e61
jbcs-httpd24-httpd-debuginfo-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: da3bc700badb59bfca78aafb055f45e2fb73a4bc716100c4ef3cc9827443b793
jbcs-httpd24-httpd-devel-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: d3c01dbcc7fd7b956dda67df88e7401fe4d41723ddac786cdb34345e60ae48b0
jbcs-httpd24-httpd-libs-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: d8bafa10159e7a80c2ca7625c219870c75543ae19c6ea8d35e3051eccc463817
jbcs-httpd24-httpd-manual-2.4.23-125.jbcs.el6.noarch.rpm SHA-256: b960d6b4bab27a681d890aab2c8e8cdc39f660627297a015efa4cc0a8616df17
jbcs-httpd24-httpd-selinux-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: 6fc25745ea98cd878daa24e66ebaba33d85ba49bd70e42064149f51ba66ff23d
jbcs-httpd24-httpd-tools-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: 72942f01751df9d0c6eb0e1126aea574de65c7d3fea6048aeed75dd47ee8ebec
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el6.x86_64.rpm SHA-256: ae0c8f20f377f7eec05ee643ba965c6dbd7eb49d4ffc6a74b6ebac059253fd7a
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-15.GA.jbcs.el6.x86_64.rpm SHA-256: 0564132ef611cf6d993fcefc1604f0c3963a2dc6c5cf8f16bfb805bb55189868
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el6.x86_64.rpm SHA-256: 175cc481d48e8fd1c7b3fcf446c867bbf3d411b9ed54ff04518e2e06c89655e1
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_1.jbcs.el6.x86_64.rpm SHA-256: 1c94085b28397d0be39e988c5f95064ecbac383c83c3570c752a4acf1188d8fb
jbcs-httpd24-mod_ldap-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: fe002845019d9dd2ad89837b760fba1669f42a690fc07584d46c927478a6aaea
jbcs-httpd24-mod_proxy_html-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: b0220f62fe0d5c56640332e37e11457049b43d2901458ab07e298cec88fe6dee
jbcs-httpd24-mod_session-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: faae4a6bed90417a790a713c6662c36175c83a463c1d346f0519234fbeb13db0
jbcs-httpd24-mod_ssl-2.4.23-125.jbcs.el6.x86_64.rpm SHA-256: 79305de3b909a67e8c7868e815f9597798e06b041a10320a4b5d607be6f9b842
ppc64
jbcs-httpd24-httpd-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 85e6f5cedece3c3b2633104a5953a754d66d468818abb6339e3d17b248c9d2ef
jbcs-httpd24-httpd-debuginfo-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 1fec57d476c6c0063e604b025b93a3f147c43c581d1626f3a823bfd825d01075
jbcs-httpd24-httpd-devel-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: ec4378979d97ac30b427f9d3e355b0e04e0df7cf38745fdeede50504c1ae94e6
jbcs-httpd24-httpd-libs-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 06b592264ffa59123f5b94737d065b1c229e3fc6dbf78287a2854479df2345ed
jbcs-httpd24-httpd-manual-2.4.23-125.jbcs.el6.noarch.rpm SHA-256: b960d6b4bab27a681d890aab2c8e8cdc39f660627297a015efa4cc0a8616df17
jbcs-httpd24-httpd-selinux-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 551d4af8758d3fbfb1d645fc286bad9a4533b7597b5d02b67541104e6fef142e
jbcs-httpd24-httpd-tools-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: c95e41a47f473bcfc2524e5432282f1424d3411fa955a93b57ac5394ebffc0a3
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el6.ppc64.rpm SHA-256: 357bd4f03dcf2975b0ea63a726eed15822ad4dc95774483d28440f82973c8202
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-15.GA.jbcs.el6.ppc64.rpm SHA-256: 9c322162b9042e803de1f1a3f8831b4c0159e71cf55e7b3cba48264c1794d69d
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el6.ppc64.rpm SHA-256: 125b949afad3751e3410b56b6ddc573bc0c23627a090f011ad447aa4085cfdd8
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_1.jbcs.el6.ppc64.rpm SHA-256: e7ad723bce583ee9d8fafe5ba8284f24ad8d0e65bc4a6abb507f716626734c39
jbcs-httpd24-mod_ldap-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 67756be9c338176ff90853f04a68ff0cf634e98a7808f3570070b6e6c3dda4ff
jbcs-httpd24-mod_proxy_html-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 787a78cf7ee0fa6acd248815abb73f122786132bbf25bf49bdf93af8aea8bfb7
jbcs-httpd24-mod_session-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: fd6acaf7ef3557b515aa490510936b2f01811fa83b8d08a8790ce6661c2b844f
jbcs-httpd24-mod_ssl-2.4.23-125.jbcs.el6.ppc64.rpm SHA-256: 64122643b8c6fce94f9baf9c74f9b6fc7eadc1a6b41f8625a7c2f1898a49b9ba
i386
jbcs-httpd24-httpd-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 38d47cd2b32b2f5c69bee7e283d4f98f78a59532241e12d30b892f11f06dc099
jbcs-httpd24-httpd-debuginfo-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 16da7deb97d3b06a1c6d8078a96b1316b39c6e5a5b92711ee99467beb2a6ad29
jbcs-httpd24-httpd-devel-2.4.23-125.jbcs.el6.i686.rpm SHA-256: a5b2af67f85c8792593b124ec1a00a9ff52f7ed94e78d84d832d464a727de82c
jbcs-httpd24-httpd-libs-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 8eee793f3168aec78bd7972528a965067ed8590ae581d121b09d3f114890a20a
jbcs-httpd24-httpd-manual-2.4.23-125.jbcs.el6.noarch.rpm SHA-256: b960d6b4bab27a681d890aab2c8e8cdc39f660627297a015efa4cc0a8616df17
jbcs-httpd24-httpd-selinux-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 26bcdef4adc84795306d406494763133d2c49782c5bb698ba9f129b7028aade8
jbcs-httpd24-httpd-tools-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 18e519bbce421b7210677c32595d87cc89dbf9660da6be04da900bea57753335
jbcs-httpd24-mod_bmx-0.9.6-15.GA.jbcs.el6.i686.rpm SHA-256: b7bd94f7229f2db5a1394ef947d70ef0c40e850a3b8757a96e2394107828f680
jbcs-httpd24-mod_bmx-debuginfo-0.9.6-15.GA.jbcs.el6.i686.rpm SHA-256: 62acb2aac3fd1001c47cdd7c160a2ca536a8bddc285fe7a90bef0cd40bd93261
jbcs-httpd24-mod_cluster-native-1.3.8-1.Final_redhat_1.jbcs.el6.i686.rpm SHA-256: a7433247a5607c56cfbf41ce1f59f43f15a3645142b306175f990c4319d9b2e9
jbcs-httpd24-mod_cluster-native-debuginfo-1.3.8-1.Final_redhat_1.jbcs.el6.i686.rpm SHA-256: d07b202255f54be16d23fe08c2d40bff5627bf81ea3934dd89ee26e83a3389df
jbcs-httpd24-mod_ldap-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 3384c221fe89cc93ceb3d33d9209b4df984c71f22f178cc4a87265377c7f1b6c
jbcs-httpd24-mod_proxy_html-2.4.23-125.jbcs.el6.i686.rpm SHA-256: e8a1e82c9ac6020d66ff5c8b2f32deb74977a5d94468855dd25ba56b72ff53b4
jbcs-httpd24-mod_session-2.4.23-125.jbcs.el6.i686.rpm SHA-256: b8d83c92de18574382efdd123818c8562b840815dab10bcdf2d959d4d3c7930b
jbcs-httpd24-mod_ssl-2.4.23-125.jbcs.el6.i686.rpm SHA-256: 9e921c6165e23812340842efc31bdb7d4c57a467502be09b7eff75d65cba1b81

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.