CVE-2017-9798

Public Exploit

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

References

Link	Tags
https://access.redhat.com/errata/RHSA-2017:3113	third party advisory vendor advisory
http://www.securityfocus.com/bid/100872	vdb entry third party advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	third party advisory patch
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	third party advisory patch
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	third party advisory patch
https://access.redhat.com/errata/RHSA-2017:2882	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:2972	third party advisory vendor advisory
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch	patch exploit third party advisory technical description
https://support.apple.com/HT208331	third party advisory
http://www.securitytracker.com/id/1039387	vdb entry third party advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us	third party advisory
https://access.redhat.com/errata/RHSA-2017:3475	third party advisory vendor advisory
https://github.com/hannob/optionsbleed	third party advisory exploit
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch	vendor advisory
https://access.redhat.com/errata/RHSA-2017:3240	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3195	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3018	third party advisory vendor advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	third party advisory patch
https://access.redhat.com/errata/RHSA-2017:3239	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3476	third party advisory vendor advisory
http://www.securityfocus.com/bid/105598	vdb entry third party advisory
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798	vendor advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	third party advisory patch
https://access.redhat.com/errata/RHSA-2017:3114	third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2017:3477	third party advisory vendor advisory
http://openwall.com/lists/oss-security/2017/09/18/2	vdb entry mailing list
https://security.netapp.com/advisory/ntap-20180601-0003/	third party advisory
https://access.redhat.com/errata/RHSA-2017:3194	third party advisory vendor advisory
https://security-tracker.debian.org/tracker/CVE-2017-9798	third party advisory
https://access.redhat.com/errata/RHSA-2017:3193	third party advisory vendor advisory
http://www.debian.org/security/2017/dsa-3980	third party advisory vendor advisory
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html	patch exploit third party advisory technical description
https://www.exploit-db.com/exploits/42745/	exploit vdb entry third party advisory
https://security.gentoo.org/glsa/201710-32	third party advisory vendor advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	third party advisory patch
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	mailing list
https://www.tenable.com/security/tns-2019-09	third party advisory
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	mailing list
https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a	patch vendor advisory
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E	mailing list
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	mailing list

Frequently Asked Questions

What is the severity of CVE-2017-9798?: CVE-2017-9798 has been scored as a high severity vulnerability.
How to fix CVE-2017-9798?: To fix CVE-2017-9798, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2017-9798 being actively exploited in the wild?: It is possible that CVE-2017-9798 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2017-9798?: CVE-2017-9798 affects Apache Software Foundation Apache HTTP Server.

Description

Category

CWE-416 – Use After Free

References

Frequently Asked Questions