Bug 1470748 (CVE-2017-9788)

| Field | Value |
|---|---|
| Summary | CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | akhaitov, apmukher, bmaxwell, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, duge, erismith, fgavrilo, gzaronik, hhorak, hpham, jawilson, jclere, jdoyle, jkaluza, jondruse, jorton, jshepherd, kent, krathod, lgao, luhliari, mbabacek, mmezynsk, mmiura, mturk, myarboro, pahan, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, sardella, twalsh, vtunka, weli, yozone |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | httpd 2.2.34, httpd 2.4.27 |
| Doc Type | If docs needed, set a value |
| Doc Text | It was discovered that the httpd mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server. |
| Story Points | --- |
| Last Closed | 2019-06-08 03:16:29 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1470756, 1472846, 1473691, 1473692, 1473693, 1473696, 1473697, 1474738, 1474739, 1474742, 1508875, 1510060, 1510061, 1510062 |
| Bug Blocks | 1470755, 1490666, 1507692, 1509003, 1513244 |
Description

Adam Mariš
2017-07-13 14:45:44 UTC

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1470756]

Mitigation: If you do not use digest authentication, do not load the "auth_digest_module". For example, on RHEL 7, this can be done by commenting out or removing the "LoadModule auth_digest_module modules/mod_auth_digest.so" line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service. You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 6: via RHSA-2017:2478, https://access.redhat.com/errata/RHSA-2017:2478
- Red Hat Enterprise Linux 7: via RHSA-2017:2479, https://access.redhat.com/errata/RHSA-2017:2479
- Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 6, Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS: via RHSA-2017:2483, https://access.redhat.com/errata/RHSA-2017:2483
- Red Hat JBoss Core Services: via RHSA-2017:2708, https://access.redhat.com/errata/RHSA-2017:2708
- JBoss Core Services on RHEL 7: via RHSA-2017:2709, https://access.redhat.com/errata/RHSA-2017:2709
- JBoss Core Services on RHEL 6: via RHSA-2017:2710, https://access.redhat.com/errata/RHSA-2017:2710
- Red Hat JBoss Web Server: via RHSA-2017:3114, https://access.redhat.com/errata/RHSA-2017:3114
- Red Hat JBoss Enterprise Web Server 2 for RHEL 6, Red Hat JBoss Enterprise Web Server 2 for RHEL 7: via RHSA-2017:3113, https://access.redhat.com/errata/RHSA-2017:3113
- Red Hat Enterprise Linux 7.2 Extended Update Support: via RHSA-2017:3193, https://access.redhat.com/errata/RHSA-2017:3193
- Red Hat Enterprise Linux 6.7 Extended Update Support: via RHSA-2017:3195, https://access.redhat.com/errata/RHSA-2017:3195
- Red Hat Enterprise Linux 7.3 Extended Update Support: via RHSA-2017:3194, https://access.redhat.com/errata/RHSA-2017:3194
- Red Hat JBoss Enterprise Application Platform: via RHSA-2017:3239, https://access.redhat.com/errata/RHSA-2017:3239
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6, Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7: via RHSA-2017:3240, https://access.redhat.com/errata/RHSA-2017:3240
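As an added example (not part of the bug report or of Red Hat's tooling), the following POSIX shell script carries out the mitigation described in the comment above: it comments out the active `LoadModule auth_digest_module` line in a module configuration file and checks a saved `httpd -t -D DUMP_MODULES` listing for the module. The config excerpt and the module listing are constructed so the script runs offline; on a real RHEL 7 host the file would be /etc/httpd/conf.modules.d/00-base.conf and the listing would come from running `httpd -t -D DUMP_MODULES` after restarting the service.

```shell
#!/bin/sh
# Added example, not part of the bug report: apply and verify the
# CVE-2017-9788 mitigation (stop loading auth_digest_module).
# Real path on RHEL 7: /etc/httpd/conf.modules.d/00-base.conf; real check:
# `httpd -t -D DUMP_MODULES`. All sample file contents below are constructed.

# Returns 0 when the config file still contains an active (uncommented)
# LoadModule line for auth_digest_module.
conf_loads_auth_digest() {
    grep -q '^[[:space:]]*LoadModule[[:space:]][[:space:]]*auth_digest_module[[:space:]]' "$1"
}

# Comments out every active LoadModule line for auth_digest_module and
# leaves all other lines untouched. Writes through a temp file so a
# failed sed never truncates the original.
disable_auth_digest() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed 's/^\([[:space:]]*LoadModule[[:space:]][[:space:]]*auth_digest_module[[:space:]].*\)$/#\1/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Returns 0 when a saved `httpd -t -D DUMP_MODULES` listing still shows
# auth_digest_module (listing lines look like " auth_digest_module (shared)").
listing_has_auth_digest() {
    grep -q '^[[:space:]]*auth_digest_module[[:space:]]' "$1"
}

# Demonstration on constructed input.
work=$(mktemp -d)
conf="$work/00-base.conf"
cat > "$conf" <<'EOF'
# constructed excerpt of a RHEL 7-style 00-base.conf
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_core_module modules/mod_authn_core.so
EOF

if conf_loads_auth_digest "$conf"; then
    echo "auth_digest_module is loaded by $conf; commenting it out"
    disable_auth_digest "$conf"
fi
if conf_loads_auth_digest "$conf"; then
    echo "FAILED: config still loads auth_digest_module" >&2
else
    echo "config no longer loads auth_digest_module (restart httpd to apply)"
fi

# Constructed stand-in for `httpd -t -D DUMP_MODULES` output after the restart.
listing="$work/modules.txt"
printf 'Loaded Modules:\n core_module (static)\n auth_basic_module (shared)\n' > "$listing"
if listing_has_auth_digest "$listing"; then
    echo "module listing still reports auth_digest_module" >&2
else
    echo "module listing confirms auth_digest_module is not loaded"
fi
rm -rf "$work"
```

The sed pattern only rewrites lines that begin (after optional whitespace) with `LoadModule auth_digest_module`, so lines that are already commented out and unrelated modules are left alone; the listing check is the scripted form of the manual `httpd -t -D DUMP_MODULES` verification step named in the comment.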