{ "threat_severity" : "Moderate", "public_date" : "2017-09-18T00:00:00Z", "bugzilla" : { "description" : "httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed)", "id" : "1490344", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1490344" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.", "A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash." ], "statement" : "This issue affects the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of httpd24-httpd as shipped with Red Hat Software Collections. Product Security has rated this issue as having Moderate security impact.\nIn order to be vulnerable, .htaccess files need to contain an invalid or not globally registered HTTP method in a \"Limit\" directive.", "acknowledgement" : "Red Hat would like to thank Hanno Böck for reporting this issue.", "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3477", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.23-125.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3477", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_bmx-0:0.9.6-15.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3477", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.8-1.Final_redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3476", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.23-125.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3476", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_bmx-0:0.9.6-15.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3476", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.8-1.Final_redhat_1.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2017-10-19T00:00:00Z", "advisory" : "RHSA-2017:2972", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "httpd-0:2.2.15-60.el6_9.6" }, { "product_name" : "Red Hat Enterprise Linux 6.7 Extended Update Support", "release_date" : "2017-11-13T00:00:00Z", "advisory" : "RHSA-2017:3195", "cpe" : "cpe:/o:redhat:rhel_eus:6.7", "package" : "httpd-0:2.2.15-47.el6_7.5" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2017-10-11T00:00:00Z", "advisory" : "RHSA-2017:2882", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "httpd-0:2.4.6-67.el7_4.5" }, { "product_name" : "Red Hat Enterprise Linux 7.2 Extended Update Support", "release_date" : "2017-11-13T00:00:00Z", "advisory" : "RHSA-2017:3193", "cpe" : "cpe:/o:redhat:rhel_eus:7.2", "package" : "httpd-0:2.4.6-40.el7_2.6" }, { "product_name" : "Red Hat Enterprise Linux 7.3 Extended Update Support", "release_date" : "2017-11-13T00:00:00Z", "advisory" : "RHSA-2017:3194", "cpe" : "cpe:/o:redhat:rhel_eus:7.3", "package" : "httpd-0:2.4.6-45.el7_3.5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3239", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.4", "package" : "httpd" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3240", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package" : "httpd-0:2.2.26-57.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3240", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package" : "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3240", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package" : "mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3240", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package" : "httpd22-0:2.2.26-58.ep6.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3240", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package" : "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7", "release_date" : "2017-11-16T00:00:00Z", "advisory" : "RHSA-2017:3240", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package" : "mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "httpd-0:2.2.26-57.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "tomcat6-0:6.0.41-19_patch_04.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "tomcat7-0:7.0.54-28_patch_05.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "httpd22-0:2.2.26-58.ep6.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "tomcat6-0:6.0.41-19_patch_04.ep6.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3113", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "tomcat7-0:7.0.54-28_patch_05.ep6.el7" }, { "product_name" : "Red Hat JBoss Web Server 2.1", "release_date" : "2017-11-02T00:00:00Z", "advisory" : "RHSA-2017:3114", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-0:1.1-18.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-httpd-0:2.4.27-8.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-0:1.1-18.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-httpd-0:2.4.27-8.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-18.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.47.1-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.27-8.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-mod_auth_kerb-0:5.4-33.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-6.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-18.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.47.1-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.27-8.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-mod_auth_kerb-0:5.4-33.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-6.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-18.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-curl-0:7.47.1-4.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.27-8.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-mod_auth_kerb-0:5.4-33.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2017-10-24T00:00:00Z", "advisory" : "RHSA-2017:3018", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-6.el7" }, { "product_name" : "Text-Only JBCS", "release_date" : "2017-12-15T00:00:00Z", "advisory" : "RHSA-2017:3475", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "httpd" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Not affected", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 1", "fix_state" : "Under investigation", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Will not fix", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Affected", "package_name" : "httpd24-httpd", "cpe" : "cpe:/a:redhat:rhel_software_collections:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-9798\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-9798\nhttps://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html" ], "name" : "CVE-2017-9798", "mitigation" : { "value" : "This issue can be mitigated by configuring httpd to disallow the use of the \"Limit\" configuration directive in .htaccess files. The set of directives that can be used in .htaccess files is configured using the \"AllowOverride\" directive. Refer to Red Hat Bugzilla bug 1490344 for further details:\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1490344#c18", "lang" : "en:us" }, "csaw" : false }