CVE-2017-9798

Name
CVE-2017-9798
Description
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
NVD Severity
unknown

References

Type URI
Mailing List http://openwall.com/lists/oss-security/2017/09/18/2
Third Party Advisory http://www.debian.org/security/2017/dsa-3980
Patch http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Patch http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Patch http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Patch http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
Third Party Advisory http://www.securityfocus.com/bid/100872
Third Party Advisory http://www.securityfocus.com/bid/105598
Third Party Advisory http://www.securitytracker.com/id/1039387
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2882
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:2972
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3018
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3113
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3114
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3193
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3194
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3195
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3239
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3240
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3475
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3476
Third Party Advisory https://access.redhat.com/errata/RHSA-2017:3477
Exploit https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
Exploit https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch
Patch https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a
Exploit https://github.com/hannob/optionsbleed
Vendor Advisory https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798
security@apache.org https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
security@apache.org https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
Third Party Advisory https://security-tracker.debian.org/tracker/CVE-2017-9798
Third Party Advisory https://security.gentoo.org/glsa/201710-32
Third Party Advisory https://security.netapp.com/advisory/ntap-20180601-0003/
Third Party Advisory https://support.apple.com/HT208331
Third Party Advisory https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us
Vendor Advisory https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
Exploit https://www.exploit-db.com/exploits/42745/
Patch https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Patch https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Third Party Advisory https://www.tenable.com/security/tns-2019-09
af854a3a-2127-422b-91ae-364da2661108 http://seclists.org/fulldisclosure/2024/Sep/22

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* http_server >= None <= 2.2.34
cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:* http_server == None == 2.4.0
cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:* http_server == None == 2.4.1
cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:* http_server == None == 2.4.2
cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:* http_server == None == 2.4.3
cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:* http_server == None == 2.4.4
cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:* http_server == None == 2.4.6
cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:* http_server == None == 2.4.7
cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:* http_server == None == 2.4.9
cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:* http_server == None == 2.4.10
cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:* http_server == None == 2.4.12
cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:* http_server == None == 2.4.16
cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:* http_server == None == 2.4.17
cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:* http_server == None == 2.4.18
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:* http_server == None == 2.4.20
cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:* http_server == None == 2.4.23
cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:* http_server == None == 2.4.25
cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:* http_server == None == 2.4.26
cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:* http_server == None == 2.4.27

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
apache2 edge-main 2.4.27-r1 None fixed
apache2 3.22-main 2.4.27-r1 None fixed
apache2 3.21-main 2.4.27-r1 None fixed
apache2 3.20-main 2.4.27-r1 None fixed
apache2 3.19-main 2.4.27-r1 None fixed
apache2 3.18-main 2.4.27-r1 None fixed
apache2 3.17-main 2.4.27-r1 None fixed
apache2 3.12-main 2.4.27-r1 None fixed
apache2 3.11-main 2.4.27-r1 None fixed
apache2 3.10-main 2.4.27-r1 None fixed