The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

cybersecurity note CVE-2017-9798

Apache httpd: information disclosure via htaccess Limit Optionsbleed

Synthesis of the vulnerability

When Apache httpd hosts an .htaccess file with the Limit option, an OPTIONS query can retrieve an extract of the service memory.
Severity of this announcement: 2/4.
Creation date: 19/09/2017.
References for this computer vulnerability: 2009782, bulletinjan2018, CERTFR-2017-AVI-336, cpujan2018, cpujan2019, CVE-2017-9798, DLA-1102-1, DSA-2019-131, DSA-3980-1, FEDORA-2017-a52f252521, HT208331, HT208394, JSA10838, openSUSE-SU-2017:2549-1, openSUSE-SU-2018:1057-1, RHSA-2017:2882-01, RHSA-2017:2972-01, RHSA-2017:3018-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2017:3239-01, RHSA-2017:3240-01, SSA:2017-261-01, Synology-SA-17:56, USN-3425-1, USN-3425-2, VIGILANCE-VUL-23863.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

When Apache httpd hosts an .htaccess file with the Limit option, an OPTIONS query can retrieve an extract of the service memory.
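One way to inventory exposure on a host, as an added example (not Vigil@nce's or Apache's code): it flags .htaccess files that contain Limit or LimitExcept blocks while the running httpd is older than the fixed upstream version 2.4.28 named below. The file paths and .htaccess contents are constructed samples, and the version check covers upstream numbering only (distribution backports must be compared against the package table in the Solutions section instead).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .htaccess contents, keyed by a hypothetical path.
SAMPLE_HTACCESS: Dict[str, str] = {
    "/var/www/site-a/.htaccess": "AuthType Basic\n<Limit GET POST>\n  Require valid-user\n</Limit>\n",
    "/var/www/site-b/.htaccess": "Options -Indexes\n",
    "/var/www/site-c/.htaccess": "<LimitExcept GET>\n  Require all denied\n</LimitExcept>\n",
}

# Opening tag of a <Limit ...> or <LimitExcept ...> section, one per line.
LIMIT_RE = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE | re.MULTILINE)

# Upstream version in which the bulletin says the issue is fixed.
FIXED_UPSTREAM = "2.4.28"


def find_limit_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, methods) for every Limit/LimitExcept section opened in text."""
    return [(m.group(1), m.group(2).split()) for m in LIMIT_RE.finditer(text)]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.27' into (2, 4, 27) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def httpd_is_fixed(version: str, fixed: str = FIXED_UPSTREAM) -> bool:
    """Upstream-only check; a backported distro build such as 2.4.25-3+deb9u3 is not handled here."""
    return parse_version(version) >= parse_version(fixed)


def audit(files: Dict[str, str], version: str) -> List[str]:
    """List each Limit/LimitExcept section found in .htaccess files when httpd is unfixed."""
    findings: List[str] = []
    if httpd_is_fixed(version):
        return findings  # patched upstream build: nothing to report
    for path, text in files.items():
        for directive, methods in find_limit_blocks(text):
            findings.append(f"{path}: <{directive} {' '.join(methods)}> on httpd {version}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_HTACCESS, "2.4.27"):
        print(line)
```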

This vulnerability announcement affects software and systems such as Apache httpd, Mac OS X, Debian, VNX Operating Environment, VNX Series, Fedora, WebSphere AS Traditional, Junos Space, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, Slackware, Synology DSM, Synology DS***, Synology RS***, Ubuntu.

Our Vigil@nce team determined that the severity of this security alert is medium.

The trust level is "confirmed by the vendor", with an origin of "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with specialist skills can exploit this vulnerability.

Solutions for this threat

Apache httpd: version 2.4.28.
Version 2.4.28 is fixed:
  http://httpd.apache.org/download.cgi

Apache httpd: patch for Optionsbleed.
A patch is indicated in information sources.

Apple macOS: solution (07/12/2017).
The solution is indicated in information sources.

Debian: new apache2 packages.
New packages are available:
  Debian 7: apache2 2.2.22-13+deb7u12
  Debian 8: apache2 2.4.10-10+deb8u11
  Debian 9: apache2 2.4.25-3+deb9u3

Dell EMC VNXe3200: version 3.1.10.9946299.
Version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Fedora 26: new httpd packages.
New packages are available:
  Fedora 26: httpd 2.4.27-3.fc26

IBM WebSphere Application Server Traditional: patch.
A patch is indicated in information sources for each branch 7.x to 9.x.

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

openSUSE Leap 42.3: new virtualbox packages.
New packages are available:
  openSUSE Leap 42.3: virtualbox 5.1.36-50.1

openSUSE Leap: new apache2 packages.
New packages are available:
  openSUSE Leap 42.2: apache2 2.4.23-8.12.1
  openSUSE Leap 42.3: apache2 2.4.23-16.1

Oracle Communications: CPU of January 2019.
A Critical Patch Update is available:
  https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Oracle Fusion Middleware: CPU of January 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2325393.1

Oracle Solaris: patch for third party software of January 2018 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Red Hat JBoss EAP: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

Red Hat JBoss Web Server: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.2

RHEL 6: new httpd packages.
New packages are available:
  RHEL 6: httpd 2.2.15-60.el6_9.6

RHEL 7.4: new httpd packages.
New packages are available:
  RHEL 7: httpd 2.4.6-67.el7_4.5

RHEL: new httpd24 packages.
New packages are available:
  RHEL 6: httpd24 1.1-18.el6
  RHEL 7: httpd24 1.1-18.el7

Slackware: new httpd packages.
New packages are available:
  Slackware 13.0: httpd 2.2.34-*-2_slack13.0
  Slackware 13.1: httpd 2.2.34-*-2_slack13.1
  Slackware 13.37: httpd 2.2.34-*-2_slack13.37
  Slackware 14.0: httpd 2.4.27-*-2_slack14.0
  Slackware 14.1: httpd 2.4.27-*-2_slack14.1
  Slackware 14.2: httpd 2.4.27-*-2_slack14.2

Ubuntu: new apache2-bin packages.
New packages are available:
  Ubuntu 17.04: apache2-bin 2.4.25-3ubuntu2.3
  Ubuntu 16.04 LTS: apache2-bin 2.4.18-2ubuntu3.5
  Ubuntu 14.04 LTS: apache2-bin 2.4.7-1ubuntu4.18
  Ubuntu 12.04 ESM: apache2.2-bin 2.2.22-1ubuntu1.14

Computer vulnerabilities tracking service

Vigil@nce provides a network vulnerability watch. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.