
[Vulnerability notice] CVE-2017-9798: "Optionsbleed" - OPTIONS memory leakage vulnerability in Apache HTTP

Last Updated: Apr 08, 2018

On September 18, 2017, the high-risk vulnerability CVE-2017-9798 was detected in Apache. The vulnerability was detected in Apache HTTP 2.2.34 and 2.4.27, and is triggered in the ap_limit_section function of the “Limit” directive. Memory information leaks when the website administrator specifies invalid HTTP methods for HTTP requests in the “Limit” directive.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-9798

Vulnerability name

“Optionsbleed” - Apache HTTP OPTIONS memory leakage vulnerability

Vulnerability rating

Medium

Vulnerability description

In Apache HTTP 2.2.34 and 2.4.27, a vulnerability is detected in the ap_limit_section function of the “Limit” directive. This results in memory data leakage when an invalid HTTP method is requested.

Condition and method of exploitation

Remote exploitation

Affected scope

Apache httpd <= 2.2.34/2.4.27

Vulnerability detection

Check whether any affected version of Apache is used.

How to fix or mitigate

Linux vendors have released updated versions. We recommend that you upgrade to the latest version.

Reference

[1]. https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
[2]. https://security-tracker.debian.org/tracker/CVE-2017-9798
[3]. https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9798.html
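
The detection step in this notice (check whether an affected version of Apache is used) can be scripted together with a review of the “Limit” directives the description points at. The Python below is an added example, not part of the original notice or of Apache's code; the function names, the list of documented method names and the sample input are assumptions made for illustration.

```python
import re

# Affected scope from the notice: httpd <= 2.2.34 and <= 2.4.27.
LAST_AFFECTED = {(2, 2): 34, (2, 4): 27}
# Assumption: method names the httpd documentation lists for <Limit>.
# Modules can register more, so treat findings as items to review.
DOCUMENTED_METHODS = {
    "GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
LIMIT_RE = re.compile(r"^\s*<Limit\s+([^>]+)>", re.IGNORECASE)

def version_affected(banner):
    """True/False for a 2.2.x or 2.4.x banner, None if it cannot be judged."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    last = LAST_AFFECTED.get((major, minor))
    return None if last is None else patch <= last

def undocumented_limit_methods(config_text):
    """Return (line_number, method) for each <Limit> method not in the list."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = LIMIT_RE.match(line)  # commented-out lines start with '#': no match
        if m:
            for method in m.group(1).split():
                if method not in DOCUMENTED_METHODS:  # names are case-sensitive
                    findings.append((lineno, method))
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_BANNER = "Server version: Apache/2.4.27 (Unix)"
SAMPLE_CONFIG = """\
<Limit GET POST>
</Limit>
# <Limit OLDMETHOD>
<Limit get FOOBAR>
</Limit>
"""

if __name__ == "__main__":
    print("affected version:", version_affected(SAMPLE_BANNER))
    for lineno, method in undocumented_limit_methods(SAMPLE_CONFIG):
        print(f"line {lineno}: review <Limit> method {method!r}")
```

A True result only means the version number falls in the affected range; distribution packages can carry a backported fix without changing the upstream version number, so confirm against the vendor advisory.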
