CVE-2017-9788
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.
Find out more about CVE-2017-9788 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 4.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity Impact | None |
| Availability Impact | Low |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2017:3239 | 2017-11-16 |
| Red Hat Enterprise Linux Extended Update Support 6.7 (httpd) | RHSA-2017:3195 | 2017-11-13 |
| Red Hat Enterprise Linux Extended Update Support 7.3 (httpd) | RHSA-2017:3194 | 2017-11-13 |
| Red Hat JBoss Core Services on RHEL 7 Server (jbcs-httpd24-httpd) | RHSA-2017:2709 | 2017-09-13 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server | RHSA-2017:3113 | 2017-11-02 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2017:3240 | 2017-11-16 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) | RHSA-2017:3113 | 2017-11-02 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) | RHSA-2017:2483 | 2017-08-16 |
| Red Hat Enterprise Linux 6 (httpd) | RHSA-2017:2478 | 2017-08-15 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpd) | RHSA-2017:3240 | 2017-11-16 |
| Red Hat JBoss Core Services 1 | RHSA-2017:2708 | 2017-09-13 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) | RHSA-2017:2483 | 2017-08-16 |
| Red Hat JBoss Core Services on RHEL 6 Server (jbcs-httpd24-httpd) | RHSA-2017:2710 | 2017-09-13 |
| Red Hat Enterprise Linux Extended Update Support 7.2 (httpd) | RHSA-2017:3193 | 2017-11-13 |
| Red Hat Enterprise Linux 7 (httpd) | RHSA-2017:2479 | 2017-08-15 |
| Red Hat JBoss Web Server 2.1 | RHSA-2017:3114 | 2017-11-02 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Web Server 3.0 | httpd | Fix deferred |
| Red Hat JBoss EAP 5 | httpd | Not affected |
| Red Hat Enterprise Linux 5 | httpd | Will not fix |
Mitigation
If you do not use digest authentication, do not load the "auth_digest_module".
For example, on RHEL 7, this can be done by commenting out or removing the
"LoadModule auth_digest_module modules/mod_auth_digest.so"
line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.
You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.