CVE-2017-9798

Impact:
Moderate
Public Date:
2017-09-18
CWE:
CWE-416
Bugzilla:
1490344: CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)
A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash.

Find out more about CVE-2017-9798 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of httpd24-httpd as shipped with Red Hat Software Collections. Product Security has rated this issue as having Moderate security impact.

In order to be vulnerable, .htaccess files need to contain an invalid or not globally registered HTTP method in a "Limit" directive.

CVSS v3 metrics

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2017:3239 2017-11-16
Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) RHSA-2017:3018 2017-10-24
Red Hat Enterprise Linux Extended Update Support 6.7 (httpd) RHSA-2017:3195 2017-11-13
Red Hat Enterprise Linux Extended Update Support 7.2 (httpd) RHSA-2017:3193 2017-11-13
Red Hat JBoss Web Server 2.1 RHSA-2017:3114 2017-11-02
Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server RHSA-2017:3113 2017-11-02
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) RHSA-2017:3113 2017-11-02
Red Hat Enterprise Linux 6 (httpd) RHSA-2017:2972 2017-10-19
Red Hat JBoss Core Services 1 RHSA-2017:3475 2017-12-15
Red Hat Enterprise Linux 7 (httpd) RHSA-2017:2882 2017-10-11
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpd) RHSA-2017:3240 2017-11-16
Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) RHSA-2017:3018 2017-10-24
Red Hat JBoss Core Services on RHEL 6 Server RHSA-2017:3477 2017-12-15
Red Hat Enterprise Linux Extended Update Support 7.3 (httpd) RHSA-2017:3194 2017-11-13
Red Hat JBoss Core Services on RHEL 7 Server RHSA-2017:3476 2017-12-15
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2017:3240 2017-11-16

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3 httpd Will not fix
Red Hat JBoss EWS 1 httpd Will not fix
Red Hat JBoss EAP 5 httpd Not affected
Red Hat Enterprise Linux 5 httpd Will not fix

Acknowledgements

Red Hat would like to thank Hanno Böck for reporting this issue.

Mitigation

This issue can be mitigated by configuring httpd to disallow the use of the "Limit" configuration directive in .htaccess files. The set of directives that can be used in .htaccess files is configured using the "AllowOverride" directive. Refer to Red Hat Bugzilla bug 1490344 for further details:
https://bugzilla.redhat.com/show_bug.cgi?id=1490344#c18

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.