Bug 1470748 (CVE-2017-9788)

Summary: CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akhaitov, apmukher, bmaxwell, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, duge, erismith, fgavrilo, gzaronik, hhorak, hpham, jawilson, jclere, jdoyle, jkaluza, jondruse, jorton, jshepherd, kent, krathod, lgao, luhliari, mbabacek, mmezynsk, mmiura, mturk, myarboro, pahan, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, sardella, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd 2.2.34, httpd 2.4.27 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:16:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1470756, 1472846, 1473691, 1473692, 1473693, 1473696, 1473697, 1474738, 1474739, 1474742, 1508875, 1510060, 1510061, 1510062    
Bug Blocks: 1470755, 1490666, 1507692, 1509003, 1513244    

Description Adam Mariš 2017-07-13 14:45:44 UTC 
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Affected are all versions through 2.2.33 and 2.4.26.

External References:

https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27
Comment 1 Adam Mariš 2017-07-13 15:02:49 UTC 
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1470756]
Comment 2 Stefan Cornelius 2017-07-19 08:57:09 UTC 
Patch:

http://svn.apache.org/viewvc?view=revision&revision=1800919
Comment 11 Stefan Cornelius 2017-07-26 13:16:39 UTC 
Mitigation:

If you do not use digest authentication, do not load the "auth_digest_module".

For example, on RHEL 7, this can be done by commenting out or removing the
"LoadModule auth_digest_module modules/mod_auth_digest.so"
line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.

You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.
Comment 14 errata-xmlrpc 2017-08-15 18:14:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478
Comment 15 errata-xmlrpc 2017-08-15 18:27:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479
Comment 16 errata-xmlrpc 2017-08-16 23:07:41 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483
Comment 19 errata-xmlrpc 2017-09-13 16:38:48 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2708
Comment 20 errata-xmlrpc 2017-09-13 16:50:26 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2709
Comment 21 errata-xmlrpc 2017-09-13 16:51:29 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:2710 https://access.redhat.com/errata/RHSA-2017:2710
Comment 22 errata-xmlrpc 2017-11-02 19:07:53 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114
Comment 23 errata-xmlrpc 2017-11-02 19:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113
Comment 26 errata-xmlrpc 2017-11-13 17:37:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193
Comment 27 errata-xmlrpc 2017-11-13 17:39:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:3195 https://access.redhat.com/errata/RHSA-2017:3195
Comment 28 errata-xmlrpc 2017-11-13 17:41:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194
Comment 29 errata-xmlrpc 2017-11-16 19:10:59 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3239 https://access.redhat.com/errata/RHSA-2017:3239
Comment 30 errata-xmlrpc 2017-11-16 19:28:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:3240 https://access.redhat.com/errata/RHSA-2017:3240