First published: Mon Mar 26 2018
In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
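A defender-side audit for the symptom described above, added here as an example (it is not Apache's code nor part of this advisory): it parses Digest challenges captured from each cluster node and reports any nonce that more than one node handed out for the same realm in the same second, something servers with independently seeded secrets should never do. The capture records, node names and nonce values are constructed; the `(node, second, header)` tuple layout is an assumption.

```python
import re
from collections import defaultdict

# Matches one 'key=value' or 'key="quoted value"' parameter of a Digest challenge.
_PARAM_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')

# Constructed sample: WWW-Authenticate challenges captured from three nodes behind
# one load balancer, tagged with the capture second. Not real data.
SAMPLE_CAPTURES = [
    ("node-a", 1700000000, 'Digest realm="ops", nonce="Zm9vMQ==9f2c1a", algorithm=MD5, qop="auth"'),
    ("node-b", 1700000000, 'Digest realm="ops", nonce="Zm9vMQ==9f2c1a", algorithm=MD5, qop="auth"'),
    ("node-c", 1700000000, 'Digest realm="ops", nonce="Zm9vMQ==e71b04", algorithm=MD5, qop="auth"'),
    ("node-a", 1700000001, 'Digest realm="ops", nonce="Zm9vMg==b30d77", algorithm=MD5, qop="auth"'),
]


def parse_digest_challenge(header):
    """Return the parameter dict of a 'Digest ...' WWW-Authenticate header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: %r" % header)
    # Quoted values may be empty, so fall back to the unquoted group only if needed.
    return {key: (quoted or bare) for key, quoted, bare in _PARAM_RE.findall(params)}


def find_shared_nonces(captures):
    """Report nonces issued by more than one node for the same realm in the same second.

    Each finding names the realm, the capture second, the nonce and the nodes
    that issued it. An empty list means every node handed out distinct nonces.
    """
    issuers = defaultdict(set)  # (realm, second, nonce) -> {node, ...}
    for node, second, header in captures:
        params = parse_digest_challenge(header)
        issuers[(params["realm"], second, params["nonce"])].add(node)
    findings = [
        {"realm": realm, "second": second, "nonce": nonce, "nodes": sorted(nodes)}
        for (realm, second, nonce), nodes in issuers.items()
        if len(nodes) > 1
    ]
    return sorted(findings, key=lambda f: (f["second"], f["nonce"]))


if __name__ == "__main__":
    for finding in find_shared_nonces(SAMPLE_CAPTURES):
        print("shared nonce %(nonce)s in realm %(realm)s at %(second)d: %(nodes)s" % finding)
```

Run it against challenges collected from each backend directly (bypassing the balancer) within the same second; any finding means the nodes are not generating nonces independently and the cluster should be upgraded.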
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd | <2.4.30 | 2.4.30 |
ubuntu/apache2 | <2.4.27-2ubuntu4.1 | 2.4.27-2ubuntu4.1 |
ubuntu/apache2 | <2.4.29-1ubuntu4.1 | 2.4.29-1ubuntu4.1 |
ubuntu/apache2 | <2.4.7-1ubuntu4.20 | 2.4.7-1ubuntu4.20 |
ubuntu/apache2 | <2.4.30 | 2.4.30 |
ubuntu/apache2 | <2.4.18-2ubuntu3.8 | 2.4.18-2ubuntu3.8 |
Apache HTTP server | =2.4.1 | |
Apache HTTP server | =2.4.2 | |
Apache HTTP server | =2.4.3 | |
Apache HTTP server | =2.4.4 | |
Apache HTTP server | =2.4.6 | |
Apache HTTP server | =2.4.7 | |
Apache HTTP server | =2.4.9 | |
Apache HTTP server | =2.4.10 | |
Apache HTTP server | =2.4.12 | |
Apache HTTP server | =2.4.16 | |
Apache HTTP server | =2.4.17 | |
Apache HTTP server | =2.4.18 | |
Apache HTTP server | =2.4.20 | |
Apache HTTP server | =2.4.23 | |
Apache HTTP server | =2.4.25 | |
Apache HTTP server | =2.4.26 | |
Apache HTTP server | =2.4.27 | |
Apache HTTP server | =2.4.28 | |
Apache HTTP server | =2.4.29 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =17.10 | |
Canonical Ubuntu Linux | =18.04 | |
Debian Debian Linux | =7.0 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Netapp Cloud Backup | ||
Netapp Storagegrid | ||
NetApp Clustered Data ONTAP | ||
Redhat Jboss Core Services | =1.0 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Eus | =7.6 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.6 | |
Redhat Enterprise Linux Server Tus | =7.6 | |
Redhat Enterprise Linux Workstation | =7.0 | |
All of | ||
Redhat Jboss Core Services | =1.0 | |
Any of | ||
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
debian/apache2 | 2.4.59-1~deb11u1 2.4.59-1~deb12u1 2.4.59-2 2.4.60-1 |
CVE-2018-1312 is a vulnerability in Apache httpd that allows for HTTP request replay attacks.
CVE-2018-1312 has a severity rating of 9.8 (Critical).
Apache httpd versions 2.2.0 to 2.4.29 are affected.
To fix CVE-2018-1312, you need to upgrade Apache httpd to version 2.4.30 or higher.
You can find more information about CVE-2018-1312 on the Apache httpd website and the Redhat Bugzilla website.