CVE-2017-9798 - Use After Free

Severity

50%

Complexity

99%

Confidentiality

48%

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

CVSS 3.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N).

Demo Examples

Use After Free

CWE-416

The following example demonstrates the weakness.


               
}
free(buf3R2);

Use After Free

CWE-416

The following code illustrates a use after free error:


               
}
free(ptr);
logError("operation aborted before commit", ptr);

When an error occurs, the pointer is immediately freed. However, this pointer is later incorrectly used in the logError function.

Overview

First reported 7 years ago

2017-09-18 15:29:00

Last updated 5 years ago

2019-04-23 19:31:00

Affected Software

Apache Software Foundation Apache HTTP Server

Apache Software Foundation Apache HTTP Server 2.4.0

2.4.0

Apache Software Foundation Apache HTTP Server 2.4.1

2.4.1

Apache Software Foundation Apache HTTP Server 2.4.2

2.4.2

Apache Software Foundation Apache HTTP Server 2.4.3

2.4.3

Apache Software Foundation Apache HTTP Server 2.4.4

2.4.4

Apache Software Foundation Apache HTTP Server 2.4.6

2.4.6

Apache Software Foundation Apache HTTP Server 2.4.7

2.4.7

Apache Software Foundation Apache HTTP Server 2.4.9

2.4.9

Apache Software Foundation Apache HTTP Server 2.4.10

2.4.10

Apache Software Foundation Apache HTTP Server 2.4.12

2.4.12

Apache Software Foundation Apache HTTP Server 2.4.16

2.4.16

Apache Software Foundation Apache HTTP Server 2.4.17

2.4.17

Apache Software Foundation Apache HTTP Server 2.4.18

2.4.18

Apache Software Foundation HTTP Server 2.4.20

2.4.20

Apache Software Foundation HTTP Server 2.4.23

2.4.23

Apache Software Foundation Apache HTTP Server 2.4.25

2.4.25

Apache Software Foundation Apache HTTP Server 2.4.26

2.4.26

Apache Software Foundation Apache HTTP Server 2.4.27

2.4.27

Debian Linux 7.0

7.0

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

References

http://openwall.com/lists/oss-security/2017/09/18/2

Mailing List, VDB Entry

DSA-3980

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

100872

Third Party Advisory, VDB Entry

105598

1039387

Third Party Advisory, VDB Entry

RHSA-2017:2882

RHSA-2017:2972

RHSA-2017:3018

RHSA-2017:3113

RHSA-2017:3114

RHSA-2017:3193

RHSA-2017:3194

RHSA-2017:3195

RHSA-2017:3239

RHSA-2017:3240

RHSA-2017:3475

RHSA-2017:3476

RHSA-2017:3477

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Exploit, Patch, Technical Description, Third Party Advisory

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

Exploit, Patch, Technical Description, Third Party Advisory

https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9

Patch, Third Party Advisory

https://github.com/hannob/optionsbleed

Exploit, Third Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

GLSA-201710-32

https://security.netapp.com/advisory/ntap-20180601-0003/

https://security-tracker.debian.org/tracker/CVE-2017-9798

Third Party Advisory

https://support.apple.com/HT208331

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

Vendor Advisory

42745

Exploit, Third Party Advisory, VDB Entry

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/security/tns-2019-09

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.