// For flags

CVE-2017-15710

httpd: Out of bounds write in mod_authnz_ldap when using too small Accept-Language values

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

Si mod_authnz_ldap se configura con AuthLDAPCharsetConfig, en las versiones 2.0.23 hasta la 2.0.65, versiones 2.2.0 hasta la 2.2.34 y versiones 2.4.0 hasta la 2.4.29 en Apache httpd, usa el valor de cabecera Accept-Language para buscar la codificación de charset adecuado cuando se verifican las credenciales de usuario. Si el valor de la cabecera no está presente en la tabla de conversión de charset, se utiliza un mecanismo alternativo para truncarlo en un valor de dos caracteres para permitir que se efectúe un quick retry (por ejemplo, 'en-US' se trunca a 'en'). Un valor de cabecera inferior a dos caracteres fuerza una lectura fuera de límites de un byte NULL a una ubicación de memoria que no forma parte de la cadena. En el peor de los casos, aunque poco probable, el proceso se bloquearía, lo que se podría utilizar como un ataque denegación de servicio (DoS). Es mucho más probable que esta memoria ya esté reservada para su uso futuro y que el problema no tenga ningún tipo de impacto.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-10-21 CVE Reserved
  • 2018-03-26 CVE Published
  • 2024-06-26 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
References (29)
URL Tag Source
http://www.openwall.com/lists/oss-security/2018/03/24/8 Mailing List
http://www.securityfocus.com/bid/103512 Third Party Advisory
http://www.securitytracker.com/id/1040569 Third Party Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7500997beb65d6f%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/re1e3a24664d35bcd0a0e793e0b5fc6ca6c107f99a1b2c545c5d4b467%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E Mailing List
https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html Mailing List
https://security.netapp.com/advisory/ntap-20180601-0004 Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us Third Party Advisory
https://www.tenable.com/security/tns-2019-09 X_refsource_confirm
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.1
Search vendor "Apache" for product "Http Server" and version "2.4.1"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.2
Search vendor "Apache" for product "Http Server" and version "2.4.2"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.3
Search vendor "Apache" for product "Http Server" and version "2.4.3"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.4
Search vendor "Apache" for product "Http Server" and version "2.4.4"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.6
Search vendor "Apache" for product "Http Server" and version "2.4.6"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.7
Search vendor "Apache" for product "Http Server" and version "2.4.7"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.9
Search vendor "Apache" for product "Http Server" and version "2.4.9"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.10
Search vendor "Apache" for product "Http Server" and version "2.4.10"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.12
Search vendor "Apache" for product "Http Server" and version "2.4.12"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.16
Search vendor "Apache" for product "Http Server" and version "2.4.16"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.17
Search vendor "Apache" for product "Http Server" and version "2.4.17"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.18
Search vendor "Apache" for product "Http Server" and version "2.4.18"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.20
Search vendor "Apache" for product "Http Server" and version "2.4.20"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.23
Search vendor "Apache" for product "Http Server" and version "2.4.23"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.25
Search vendor "Apache" for product "Http Server" and version "2.4.25"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.26
Search vendor "Apache" for product "Http Server" and version "2.4.26"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.27
Search vendor "Apache" for product "Http Server" and version "2.4.27"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.28
Search vendor "Apache" for product "Http Server" and version "2.4.28"
-
Affected
Apache
Search vendor "Apache"
Http Server
Search vendor "Apache" for product "Http Server"
2.4.29
Search vendor "Apache" for product "Http Server" and version "2.4.29"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
7.0
Search vendor "Debian" for product "Debian Linux" and version "7.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
esm
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
17.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"
-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Netapp
Search vendor "Netapp"
Santricity Cloud Connector
Search vendor "Netapp" for product "Santricity Cloud Connector"
--
Affected
Netapp
Search vendor "Netapp"
Storage Automation Store
Search vendor "Netapp" for product "Storage Automation Store"
--
Affected
Netapp
Search vendor "Netapp"
Storagegrid
Search vendor "Netapp" for product "Storagegrid"
--
Affected
Netapp
Search vendor "Netapp"
Clustered Data Ontap
Search vendor "Netapp" for product "Clustered Data Ontap"
--
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
6.0
Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.4
Search vendor "Redhat" for product "Enterprise Linux" and version "7.4"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.5
Search vendor "Redhat" for product "Enterprise Linux" and version "7.5"
-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.6
Search vendor "Redhat" for product "Enterprise Linux" and version "7.6"
-
Affected