CVE-2017-9798

Published: Sep 18, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Affected (22)

Products: Apache: Http Server · Debian: Debian Linux

1 product

1 product

Configuration A

19 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	Up to 2.2.34
Apache Http Server	Version 2.4.0
Apache Http Server	Version 2.4.10
Apache Http Server	Version 2.4.12
Apache Http Server	Version 2.4.16
Apache Http Server	Version 2.4.17
Apache Http Server	Version 2.4.18
Apache Http Server	Version 2.4.1
Apache Http Server	Version 2.4.20
Apache Http Server	Version 2.4.23
Apache Http Server	Version 2.4.25
Apache Http Server	Version 2.4.26
Apache Http Server	Version 2.4.27
Apache Http Server	Version 2.4.2
Apache Http Server	Version 2.4.3
Apache Http Server	Version 2.4.4
Apache Http Server	Version 2.4.6
Apache Http Server	Version 2.4.7
Apache Http Server	Version 2.4.9

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

CWE-416

Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

References (111)

http://openwall.com/lists/oss-security/2017/09/18/2

Source: security@apache.org

Mailing ListVDB Entry

http://www.debian.org/security/2017/dsa-3980

Source: security@apache.org

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Source: security@apache.org

PatchThird Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Source: security@apache.org

PatchThird Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: security@apache.org

PatchThird Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Source: security@apache.org

PatchThird Party Advisory

http://www.securityfocus.com/bid/100872

Source: security@apache.org

Third Party AdvisoryVDB Entry

http://www.securityfocus.com/bid/105598

Source: security@apache.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039387

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2017:2882

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:2972

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3018

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3113

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3114

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3193

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3194

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3195

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3239

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3240

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3475

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3476

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2017:3477

Source: security@apache.org

Third Party Advisory

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Source: security@apache.org

ExploitPatchTechnical DescriptionThird Party Advisory

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

Source: security@apache.org

ExploitPatchTechnical DescriptionThird Party Advisory

https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a

Source: security@apache.org

PatchVendor Advisory

https://github.com/hannob/optionsbleed

Source: security@apache.org

ExploitThird Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798

Source: security@apache.org

Vendor Advisory

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://security-tracker.debian.org/tracker/CVE-2017-9798

Source: security@apache.org

Third Party Advisory

https://security.gentoo.org/glsa/201710-32

Source: security@apache.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20180601-0003/

Source: security@apache.org

Third Party Advisory

https://support.apple.com/HT208331

Source: security@apache.org

Third Party Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

Source: security@apache.org

Third Party Advisory

https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch

Source: security@apache.org

Vendor Advisory

https://www.exploit-db.com/exploits/42745/

Source: security@apache.org

ExploitThird Party AdvisoryVDB Entry

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: security@apache.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Source: security@apache.org

PatchThird Party Advisory

https://www.tenable.com/security/tns-2019-09

Source: security@apache.org

Third Party Advisory

http://openwall.com/lists/oss-security/2017/09/18/2