The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: out-of-bounds memory reading via ap_find_token

Summary of the vulnerability

An attacker can trigger an out-of-bounds read in ap_find_token() of Apache httpd, in order to cause a denial of service or to obtain sensitive information.
Impacted systems: SES, Apache httpd, Mac OS X, Debian, VNX Operating Environment, VNX Series, Fedora, Junos Space, ePO, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.
Severity of this alert: 2/4.
Creation date: 20/06/2017.
References of this alert: APPLE-SA-2017-09-25-1, bulletinjul2017, CERTFR-2017-AVI-218, cpuoct2017, CVE-2017-7668, DLA-1009-1, DSA-2019-131, DSA-2019-197, DSA-3896-1, FEDORA-2017-9ded7c5670, FEDORA-2017-cf9599a306, HT208144, HT208221, JSA10838, RHSA-2017:2479-01, RHSA-2017:2483-01, RHSA-2017:3193-01, RHSA-2017:3194-01, SB10206, SSA:2017-180-03, STORM-2017-003, USN-3340-1, USN-3373-1, VIGILANCE-VUL-23003.

Description of the vulnerability

An attacker can trigger an out-of-bounds read in ap_find_token() of Apache httpd, in order to cause a denial of service or to obtain sensitive information.

This computer vulnerability alert impacts software or systems such as SES, Apache httpd, Mac OS X, Debian, VNX Operating Environment, VNX Series, Fedora, Junos Space, ePO, Solaris, VirtualBox, RHEL, Slackware, Ubuntu.

Our Vigil@nce team determined that the severity of this computer threat alert is medium.

The trust level is: confirmed by the vendor; the attack origin is: internet client.

An attacker with expert skill can exploit this security vulnerability.

Solutions for this threat

Apache httpd: version 2.4.26.
Version 2.4.26 is fixed:
  https://httpd.apache.org/

Apache httpd: version 2.2.34.
Version 2.2.34 is fixed:
  http://httpd.apache.org/

Apache httpd 2.2: patch for ap_find_token.
A patch is available:
  https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch

Apple macOS 10.12: version Security Update 2017-001.
Security Update 2017-001 is fixed:
  https://support.apple.com/

Apple macOS: version 10.13.
Version 10.13 is fixed:
  https://www.apple.com/support/downloads/

Apple macOS: version 10.13.1.
Version 10.13.1 is fixed:
  https://support.apple.com/

Apple Mac OS X 10.11: version Security Update 2017-004.
Security Update 2017-004 is fixed:
  https://support.apple.com/

Debian: new apache2 packages.
New packages are available:
  Debian 7: apache2 2.2.22-13+deb7u9
  Debian 8: apache2 2.4.10-10+deb8u9
  Debian 9: apache2 2.4.25-3+deb9u1

Dell EMC VNXe3200: version 3.1.10.9946299.
Version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Dell EMC VNXe: version MR4 Service Pack 5.
Version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

Fedora: new httpd packages.
New packages are available:
  Fedora 24: httpd 2.4.26-1.fc24
  Fedora 25: httpd 2.4.27-2.fc25

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

McAfee ePO: solution for Apache httpd.
The solution is indicated in information sources.

Oracle Solaris: patch for third party software of July 2017 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Oracle VM VirtualBox: version 5.1.30.
Version 5.1.30 is fixed:
  https://www.virtualbox.org/

RHEL 7.4: new httpd packages.
New packages are available:
  RHEL 7: httpd 2.4.6-67.el7_4.2

RHEL: new httpd24-httpd packages.
New packages are available:
  RHEL 6: httpd24-httpd 2.4.25-9.el6.1
  RHEL 7: httpd24-httpd 2.4.25-9.el7.1

Slackware: new httpd packages.
New packages are available:
  Slackware 13.0: httpd 2.2.32-*-1_slack13.0
  Slackware 13.1: httpd 2.2.32-*-1_slack13.1
  Slackware 13.37: httpd 2.2.32-*-1_slack13.37
  Slackware 14.0: httpd 2.4.26-*-1_slack14.0
  Slackware 14.1: httpd 2.4.26-*-1_slack14.1
  Slackware 14.2: httpd 2.4.26-*-1_slack14.2

Stormshield Endpoint Security: versions 6.0.29 and 7.2.18.
Versions 6.0.29 and 7.2.18 are fixed.

Ubuntu 12.04: new apache2.2-bin packages.
New packages are available:
  Ubuntu 12.04 ESM: apache2.2-bin 2.2.22-1ubuntu1.12

Ubuntu: new apache2-bin packages.
New packages are available:
  Ubuntu 17.04: apache2-bin 2.4.25-3ubuntu2.1
  Ubuntu 16.10: apache2-bin 2.4.18-2ubuntu4.2
  Ubuntu 16.04 LTS: apache2-bin 2.4.18-2ubuntu3.3
  Ubuntu 14.04 LTS: apache2-bin 2.4.7-1ubuntu4.16

Wind River Linux: solution of mid-August 2017.
The solution is indicated in information sources.
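The upstream fixes listed above are 2.4.26 and 2.2.34. The following Python script is an added example, not part of the Vigil@nce bulletin, that parses the version banner printed by `httpd -v` (or sent in a `Server:` header) and reports whether the upstream release is at or past the fixed version for its branch. It assumes only the 2.2 and 2.4 branches matter; it deliberately does not judge distribution packages (Debian, RHEL, Ubuntu, etc.), whose backported fixes keep an older upstream version number and must be checked against the package versions listed in this bulletin instead. The sample banners are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Fixed upstream releases taken from the bulletin (CVE-2017-7668).
# Assumption: only the 2.2 and 2.4 branches are considered.
FIXED_UPSTREAM = {
    (2, 2): (2, 2, 34),
    (2, 4): (2, 4, 26),
}

# Matches "Apache/2.4.25" as printed by `httpd -v` or in a Server: header.
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an httpd version banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_status(version: Tuple[int, int, int]) -> str:
    """Classify an upstream httpd version against the fixed releases.

    Returns "fixed", "vulnerable" or "unknown-branch". Caveat: a vendor
    package such as Debian's apache2 2.4.10-10+deb8u9 carries the backported
    fix while still reporting Apache/2.4.10, so this verdict only applies to
    builds taken directly from httpd.apache.org.
    """
    fixed = FIXED_UPSTREAM.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if version >= fixed else "vulnerable"


def check_banner(banner: str) -> str:
    """Parse a banner and return its status; unparsable input is "unknown"."""
    version = parse_httpd_version(banner)
    if version is None:
        return "unknown"
    return upstream_status(version)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "Server version: Apache/2.4.25 (Unix)",
        "Server version: Apache/2.4.26 (Unix)",
        "Server: Apache/2.2.32 (Unix)",
        "Server: Apache/2.2.34 (Unix)",
        "Server: Apache/2.0.65 (Unix)",
        "Server: nginx/1.12.0",
    ]
    for s in samples:
        print(f"{s:45s} -> {check_banner(s)}")
```

Run it on the output of `httpd -v` from a source-built server; for packaged builds, compare the package version with the distribution entries above rather than trusting the banner.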

Computer vulnerabilities tracking service

Vigil@nce provides network vulnerability bulletins. Each administrator can customize the list of products for which they want to receive vulnerability alerts.