CVE-2017-9798

Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Apache httpd permite que atacantes remotos lean datos secretos de la memoria de proceso si la directiva Limit se puede establecer en un archivo .htaccess del usuario o si existen ciertos errores de configuración en httpd.conf. Esto también se conoce como Optionsbleed. Esta vulnerabilidad afecta a Apache HTTP Server hasta la versión 2.2.34 y a las versiones 2.4.x hasta la 2.4.27. El atacante envía una petición HTTP OPTIONS sin autenticar cuando intenta leer datos secretos. Este es un problema de uso de memoria previamente liberada y, por lo tanto, los datos secretos no siempre se envían y los datos específicos dependen de muchos factores, entre los que se encuentra la configuración. La explotación con .htaccess puede bloquearse con un parche en la función ap_limit_section en server/core.c.

A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-06-21 CVE Reserved
2017-09-18 CVE Published
2017-09-18 First Exploit
2024-07-09 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-416: Use After Free

CAPEC

References (59)

URL	Tag	Source
http://openwall.com/lists/oss-security/2017/09/18/2	Mailing List
http://www.securityfocus.com/bid/100872	Third Party Advisory
http://www.securityfocus.com/bid/105598	Third Party Advisory
http://www.securitytracker.com/id/1039387	Third Party Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://security-tracker.debian.org/tracker/CVE-2017-9798	Third Party Advisory
https://security.netapp.com/advisory/ntap-20180601-0003	Third Party Advisory
https://support.apple.com/HT208331	Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us	Third Party Advisory
https://www.tenable.com/security/tns-2019-09	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/42745	2024-08-05
https://github.com/nitrado/CVE-2017-9798	2017-09-18
https://github.com/l0n3rs/CVE-2017-9798	2017-09-24
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html	2024-08-05
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch	2024-08-05
https://github.com/hannob/optionsbleed	2024-08-05

URL	Date	SRC
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	2023-11-07
https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a	2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	2023-11-07

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3980	2023-11-07
https://access.redhat.com/errata/RHSA-2017:2882	2023-11-07
https://access.redhat.com/errata/RHSA-2017:2972	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3018	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3113	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3114	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3193	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3194	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3195	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3239	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3240	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3475	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3476	2023-11-07
https://access.redhat.com/errata/RHSA-2017:3477	2023-11-07
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798	2023-11-07
https://security.gentoo.org/glsa/201710-32	2023-11-07
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch	2023-11-07
https://access.redhat.com/security/cve/CVE-2017-9798	2017-12-15
https://bugzilla.redhat.com/show_bug.cgi?id=1490344	2017-12-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				<= 2.2.34 Search vendor "Apache" for product "Http Server" and version " <= 2.2.34"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.0 Search vendor "Apache" for product "Http Server" and version "2.4.0"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.1 Search vendor "Apache" for product "Http Server" and version "2.4.1"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.2 Search vendor "Apache" for product "Http Server" and version "2.4.2"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.3 Search vendor "Apache" for product "Http Server" and version "2.4.3"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.4 Search vendor "Apache" for product "Http Server" and version "2.4.4"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.6 Search vendor "Apache" for product "Http Server" and version "2.4.6"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.7 Search vendor "Apache" for product "Http Server" and version "2.4.7"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.9 Search vendor "Apache" for product "Http Server" and version "2.4.9"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.10 Search vendor "Apache" for product "Http Server" and version "2.4.10"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.12 Search vendor "Apache" for product "Http Server" and version "2.4.12"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.16 Search vendor "Apache" for product "Http Server" and version "2.4.16"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.17 Search vendor "Apache" for product "Http Server" and version "2.4.17"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.18 Search vendor "Apache" for product "Http Server" and version "2.4.18"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.20 Search vendor "Apache" for product "Http Server" and version "2.4.20"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.23 Search vendor "Apache" for product "Http Server" and version "2.4.23"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.25 Search vendor "Apache" for product "Http Server" and version "2.4.25"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.26 Search vendor "Apache" for product "Http Server" and version "2.4.26"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.27 Search vendor "Apache" for product "Http Server" and version "2.4.27"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected