==================================================================== CERT-Renater Note d'Information No. 2017/VULN186 _____________________________________________________________________ DATE : 20/06/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache HTTP Server versions 2 prior to 2.2.33, 2.4.26. ===================================================================== https://lists.apache.org/thread.html/3e51be301835fad1c4a875b07aa29a15709d34ec3900b262325c67ea@%3Cannounce.httpd.apache.org%3E https://lists.apache.org/thread.html/c1717a43fc07e9bb1bd341c9d4107a865540115f934b0abd8c8ed811@%3Cannounce.httpd.apache.org%3E https://lists.apache.org/thread.html/1d0b746bbaa3a64890fcdab59ee9050aaa633b7143e7d412374e5a9a@%3Cannounce.httpd.apache.org%3E https://lists.apache.org/thread.html/5b8cd901f2018c20abfa865f7a7c98a6ef54b990154a16004110952d@%3Cannounce.httpd.apache.org%3E https://lists.apache.org/thread.html/53ce83a58a8f1fb80a6ecb115fcfc65c530408c10ed66c04ee6f7c4a@%3Cannounce.httpd.apache.org%3E ____________________________________________________________________ CVE-2017-3167: ap_get_basic_auth_pw authentication bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.2.32 httpd 2.4.0 to 2.4.25 Description: Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. Mitigation: 2.2.x users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.x users should upgrade to 2.4.26. Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request. Credit: The Apache HTTP Server security team would like to thank Emmanuel Dreyfus for reporting this issue. References: https://httpd.apache.org/security_report.html ____________________________________________________________________ CVE-2017-3169: mod_ssl null pointer dereference Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.2.32 httpd 2.4.0 to 2.4.25 Description: mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. Mitigation: 2.2.x users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3169.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.x users should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank Vasileios Panopoulos and AdNovum Informatik AG for reporting this issue. References: https://httpd.apache.org/security_report.html ____________________________________________________________________ CVE-2017-7659: mod_http2 null pointer dereference Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.24 (unreleased) httpd 2.4.25 Description: A maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process. Mitigation: 2.4.25 users of mod_http2 should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank Robert Å\x{154}wiÄ\x{153}cki for reporting this issue. References: https://httpd.apache.org/security_report.html ____________________________________________________________________ CVE-2017-7668: ap_find_token buffer overread Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.32 httpd 2.4.24 (unreleased) httpd 2.4.25 Description: The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. Mitigation: 2.2.32 users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7668.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.25 users should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank Javier Jiménez (javijmor@gmail.com) for reporting this issue. References: https://httpd.apache.org/security_report.html ____________________________________________________________________ CVE-2017-7679: mod_mime buffer overread Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.2.0 to 2.2.32 httpd 2.4.0 to 2.4.25 Description: mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. Mitigation: 2.2.x users should either apply the patch available at https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-7679.patch or upgrade in the future to 2.2.33, which is currently unreleased. 2.4.x users should upgrade to 2.4.26. Credit: The Apache HTTP Server security team would like to thank ChenQin and Hanno Böck for reporting this issue. References: https://httpd.apache.org/security_report.html ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================