CVE-2017-9798: Use After Free
First published: Mon Sep 11 2017(Updated: )
apache. Multiple issues were addressed by updating to version 2.4.28.
Credit: Hanno Böck security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-httpd | <0:2.4.23-125.jbcs.el6 | 0:2.4.23-125.jbcs.el6 |
| redhat/jbcs-httpd24-httpd | <0:2.4.23-125.jbcs.el7 | 0:2.4.23-125.jbcs.el7 |
| redhat/httpd | <0:2.2.15-60.el6_9.6 | 0:2.2.15-60.el6_9.6 |
| redhat/httpd | <0:2.2.15-47.el6_7.5 | 0:2.2.15-47.el6_7.5 |
| redhat/httpd | <0:2.4.6-67.el7_4.5 | 0:2.4.6-67.el7_4.5 |
| redhat/httpd | <0:2.4.6-40.el7_2.6 | 0:2.4.6-40.el7_2.6 |
| redhat/httpd | <0:2.4.6-45.el7_3.5 | 0:2.4.6-45.el7_3.5 |
| redhat/httpd | <0:2.2.26-57.ep6.el6 | 0:2.2.26-57.ep6.el6 |
| redhat/jbcs-httpd24-openssl | <1:1.0.2h-14.jbcs.el6 | 1:1.0.2h-14.jbcs.el6 |
| redhat/httpd22 | <0:2.2.26-58.ep6.el7 | 0:2.2.26-58.ep6.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.0.2h-14.jbcs.el7 | 1:1.0.2h-14.jbcs.el7 |
| redhat/tomcat6 | <0:6.0.41-19_patch_04.ep6.el6 | 0:6.0.41-19_patch_04.ep6.el6 |
| redhat/tomcat7 | <0:7.0.54-28_patch_05.ep6.el6 | 0:7.0.54-28_patch_05.ep6.el6 |
| redhat/tomcat6 | <0:6.0.41-19_patch_04.ep6.el7 | 0:6.0.41-19_patch_04.ep6.el7 |
| redhat/tomcat7 | <0:7.0.54-28_patch_05.ep6.el7 | 0:7.0.54-28_patch_05.ep6.el7 |
| redhat/httpd24 | <0:1.1-18.el6 | 0:1.1-18.el6 |
| redhat/httpd24-httpd | <0:2.4.27-8.el6 | 0:2.4.27-8.el6 |
| redhat/httpd24 | <0:1.1-18.el7 | 0:1.1-18.el7 |
| redhat/httpd24-curl | <0:7.47.1-4.el7 | 0:7.47.1-4.el7 |
| redhat/httpd24-httpd | <0:2.4.27-8.el7 | 0:2.4.27-8.el7 |
| redhat/httpd24-nghttp2 | <0:1.7.1-6.el7 | 0:1.7.1-6.el7 |
| Apache HTTP server | <=2.2.34 | |
| Apache HTTP server | =2.4.0 | |
| Apache HTTP server | =2.4.1 | |
| Apache HTTP server | =2.4.2 | |
| Apache HTTP server | =2.4.3 | |
| Apache HTTP server | =2.4.4 | |
| Apache HTTP server | =2.4.6 | |
| Apache HTTP server | =2.4.7 | |
| Apache HTTP server | =2.4.9 | |
| Apache HTTP server | =2.4.10 | |
| Apache HTTP server | =2.4.12 | |
| Apache HTTP server | =2.4.16 | |
| Apache HTTP server | =2.4.17 | |
| Apache HTTP server | =2.4.18 | |
| Apache HTTP server | =2.4.20 | |
| Apache HTTP server | =2.4.23 | |
| Apache HTTP server | =2.4.25 | |
| Apache HTTP server | =2.4.26 | |
| Apache HTTP server | =2.4.27 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Apple macOS High Sierra | <10.13.2 | 10.13.2 |
| Apple Sierra | ||
| Apple El Capitan | ||
| redhat/httpd | <2.4.28 | 2.4.28 |
| redhat/httpd | <2.2.35 | 2.2.35 |
| debian/apache2 | 2.4.59-1~deb11u1 2.4.61-1~deb11u1 2.4.59-1~deb12u1 2.4.61-1~deb12u1 2.4.62-1 |
Remedy
This issue can be mitigated by configuring httpd to disallow the use of the "Limit" configuration directive in .htaccess files. The set of directives that can be used in .htaccess files is configured using the "AllowOverride" directive. Refer to Red Hat Bugzilla bug 1490344 for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1490344#c18
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2017-9798 https://nvd.nist.gov/vuln/detail/CVE-2017-9798 https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1490344
- https://access.redhat.com/errata/RHSA-2017:3477
- https://access.redhat.com/errata/RHSA-2017:3476
- https://access.redhat.com/errata/RHSA-2017:2972
- https://access.redhat.com/errata/RHSA-2017:3195
- https://access.redhat.com/errata/RHSA-2017:2882
- https://access.redhat.com/errata/RHSA-2017:3193
- https://access.redhat.com/errata/RHSA-2017:3194
- https://access.redhat.com/errata/RHSA-2017:3475
- https://access.redhat.com/errata/RHSA-2017:3239
- https://access.redhat.com/errata/RHSA-2017:3240
- https://access.redhat.com/errata/RHSA-2017:3113
- https://access.redhat.com/errata/RHSA-2017:3114
- https://access.redhat.com/errata/RHSA-2017:3018
- https://access.redhat.com/security/cve/CVE-2017-9798
- http://openwall.com/lists/oss-security/2017/09/18/2
- http://www.debian.org/security/2017/dsa-3980
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/100872
- http://www.securityfocus.com/bid/105598
- http://www.securitytracker.com/id/1039387
- https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
- https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch
- https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a
- https://github.com/hannob/optionsbleed
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E
- https://security-tracker.debian.org/tracker/CVE-2017-9798
- https://security.gentoo.org/glsa/201710-32
- https://security.netapp.com/advisory/ntap-20180601-0003/
- https://support.apple.com/HT208331
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us
- https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
- https://www.exploit-db.com/exploits/42745/
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.tenable.com/security/tns-2019-09
- https://support.apple.com/en-us/HT208331 (Advisory)
- https://svn.apache.org/viewvc?view=revision&revision=1807754
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1492886
- https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
- https://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1490344
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1490344#c18
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1490344#c30
- https://access.redhat.com/security/updates/backporting
- https://access.redhat.com/security/cve/cve-2017-9798
- https://access.redhat.com/security/security-updates/#/security-advisories
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2017-13887
- CVE-2017-9798
- CVE-2017-13905
- CVE-2017-7172
- CVE-2017-13892
- CVE-2017-7171
- CVE-2017-7151
- CVE-2017-1000254
- CVE-2017-13872
- CVE-2017-15422
- CVE-2017-13883
- CVE-2017-7163
- CVE-2017-7155
- CVE-2017-13878
- CVE-2017-13875
- CVE-2017-7159
- CVE-2017-13848
- CVE-2017-13858
- CVE-2017-13847
- CVE-2017-7162
- CVE-2017-13904
- CVE-2017-5754
- CVE-2017-13862
- CVE-2017-13867
- CVE-2017-7173
- CVE-2017-13876
- CVE-2017-13855
- CVE-2017-13865
- CVE-2017-13868
- CVE-2017-13869
- CVE-2017-7154
- CVE-2017-13871
- CVE-2017-13860
- CVE-2017-3735
- CVE-2017-12837
- CVE-2017-7158
- CVE-2017-13911
- CVE-2017-13886
Frequently Asked Questions
What is the severity of CVE-2017-9798?
The severity of CVE-2017-9798 is high with a score of 7.5.
How can an attacker exploit CVE-2017-9798?
An attacker can exploit CVE-2017-9798 by sending a specially crafted request that triggers an information leak from the server's memory.
Which versions of Apache httpd are affected by CVE-2017-9798?
The Apache HTTP Server versions through 2.2.34 and 2.4.x through 2.4.27 are affected by CVE-2017-9798.
What is Optionsbleed?
Optionsbleed is a vulnerability in Apache httpd that allows remote attackers to read secret data from process memory.
How can I mitigate CVE-2017-9798?
To mitigate CVE-2017-9798, update Apache httpd to version 2.4.28 or apply the appropriate patch provided by the vendor.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/apple-support
- agent/software-canonical-lookup-request
- agent/remedy
- agent/weakness
- agent/author
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-9798
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/security-tracker-debian
- source/Debian
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- package-manager/redhat
- vendor/apache
- canonical/apache http server
- version/apache http server/2.2.34
- version/apache http server/2.4.0
- version/apache http server/2.4.1
- version/apache http server/2.4.2
- version/apache http server/2.4.3
- version/apache http server/2.4.4
- version/apache http server/2.4.6
- version/apache http server/2.4.7
- version/apache http server/2.4.9
- version/apache http server/2.4.10
- version/apache http server/2.4.12
- version/apache http server/2.4.16
- version/apache http server/2.4.17
- version/apache http server/2.4.18
- version/apache http server/2.4.20
- version/apache http server/2.4.23
- version/apache http server/2.4.25
- version/apache http server/2.4.26
- version/apache http server/2.4.27
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/apple
- canonical/apple macos high sierra
- canonical/apple sierra
- canonical/apple el capitan
- package-manager/debian