Because digest authentication is rarely used in modern web applications, and the httpd packages shipped with Red Hat products do not ship a threaded MPM configuration by default, this flaw has been rated as having a Moderate security impact.

Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| Metric | Value |
|---|---|
| CVSS3 Base Score | 7.1 |
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | rhvm-appliance | Not affected |
| Red Hat Software Collections for Red Hat Enterprise Linux | httpd24-httpd | Affected |
| Red Hat JBoss EWS 2 | httpd | Under investigation |
| Red Hat JBoss Core Services 1 | httpd | Affected |
| Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Affected |
| Red Hat Enterprise Linux 7 | httpd | Affected |
| Red Hat Enterprise Linux 6 | httpd | Out of support scope |
| Red Hat Enterprise Linux 5 | httpd | Under investigation |
This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In the versions of the httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
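
One way to check a host against the two conditions this advisory names (threaded MPM, digest authentication), as an added example that is not part of the original advisory. The function name, verdict strings and sample configuration are constructed for illustration; the module names are the standard httpd ones, and the path in the comment assumes the default RHEL 7 layout.

```shell
#!/bin/sh
# Added example: classify active LoadModule directives read from stdin.
# Verdicts (hypothetical labels):
#   prefork          the mitigation named in the advisory is in place
#   threaded+digest  threaded MPM and mod_auth_digest are both loaded
#   threaded         threaded MPM loaded, digest module not loaded
#   unknown          no MPM LoadModule line seen (e.g. MPM compiled in)
classify_httpd_config() {
    awk '
        BEGIN { mpm = "unknown"; digest = 0 }
        /^[ \t]*#/ { next }                     # skip commented-out directives
        tolower($1) == "loadmodule" {
            if ($2 == "mpm_prefork_module")
                mpm = "prefork"
            else if ($2 == "mpm_worker_module" || $2 == "mpm_event_module")
                mpm = "threaded"
            if ($2 == "auth_digest_module")
                digest = 1
        }
        END {
            if (mpm == "threaded" && digest) print "threaded+digest"
            else print mpm
        }'
}

# Constructed sample, not taken from a real host: prefork is commented out
# and the event MPM is enabled alongside the digest authentication module.
sample='#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule auth_digest_module modules/mod_auth_digest.so'

printf '%s\n' "$sample" | classify_httpd_config

# On a host with the default RHEL 7 layout (assumption), feed the real files:
#   cat /etc/httpd/conf.modules.d/*.conf | classify_httpd_config
```

On a running server, `httpd -V` also reports the active MPM on its "Server MPM" line, which covers builds where the MPM is compiled in rather than loaded as a module.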