Bug 1470748 - (CVE-2017-9788) CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20170711,repo...
: Security
Depends On: 1474738 1470756 1472846 1473691 1473692 1473693 1473696 1473697 1474739 1474742 1508875 1510060 1510061 1510062
Blocks: 1509003 1470755 1490666 1507692 1513244
  Show dependency treegraph
 
Reported: 2017-07-13 10:45 EDT by Adam Mariš
Modified: 2018-07-15 17:31 EDT (History)
47 users (show)

See Also:
Fixed In Version: httpd 2.2.34, httpd 2.4.27
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2478 normal SHIPPED_LIVE Important: httpd security update 2017-08-15 18:11:45 EDT
Red Hat Product Errata RHSA-2017:2479 normal SHIPPED_LIVE Important: httpd security update 2017-08-15 18:23:44 EDT
Red Hat Product Errata RHSA-2017:2483 normal SHIPPED_LIVE Important: httpd24-httpd security update 2017-08-16 23:04:17 EDT
Red Hat Product Errata RHSA-2017:2708 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 16:37:52 EDT
Red Hat Product Errata RHSA-2017:2709 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 16:48:46 EDT
Red Hat Product Errata RHSA-2017:2710 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 16:49:04 EDT
Red Hat Product Errata RHSA-2017:3113 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 19:15:44 EDT
Red Hat Product Errata RHSA-2017:3114 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 19:04:48 EDT
Red Hat Product Errata RHSA-2017:3193 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 17:35:40 EST
Red Hat Product Errata RHSA-2017:3194 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 17:36:28 EST
Red Hat Product Errata RHSA-2017:3195 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 17:35:58 EST
Red Hat Product Errata RHSA-2017:3239 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.18 security update 2017-11-21 18:05:17 EST
Red Hat Product Errata RHSA-2017:3240 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.18 security update 2017-11-21 18:17:26 EST

  None (edit)
Description Adam Mariš 2017-07-13 10:45:44 EDT
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Affected are all versions through 2.2.33 and 2.4.26.

External References:

https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27
Comment 1 Adam Mariš 2017-07-13 11:02:49 EDT
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1470756]
Comment 2 Stefan Cornelius 2017-07-19 04:57:09 EDT
Patch:

http://svn.apache.org/viewvc?view=revision&revision=1800919
Comment 11 Stefan Cornelius 2017-07-26 09:16:39 EDT
Mitigation:

If you do not use digest authentication, do not load the "auth_digest_module".

For example, on RHEL 7, this can be done by commenting out or removing the
"LoadModule auth_digest_module modules/mod_auth_digest.so"
line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.

You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.
Comment 14 errata-xmlrpc 2017-08-15 14:14:22 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478
Comment 15 errata-xmlrpc 2017-08-15 14:27:00 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479
Comment 16 errata-xmlrpc 2017-08-16 19:07:41 EDT
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483
Comment 19 errata-xmlrpc 2017-09-13 12:38:48 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2708
Comment 20 errata-xmlrpc 2017-09-13 12:50:26 EDT
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2709
Comment 21 errata-xmlrpc 2017-09-13 12:51:29 EDT
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:2710 https://access.redhat.com/errata/RHSA-2017:2710
Comment 22 errata-xmlrpc 2017-11-02 15:07:53 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114
Comment 23 errata-xmlrpc 2017-11-02 15:17:00 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113
Comment 26 errata-xmlrpc 2017-11-13 12:37:51 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193
Comment 27 errata-xmlrpc 2017-11-13 12:39:40 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:3195 https://access.redhat.com/errata/RHSA-2017:3195
Comment 28 errata-xmlrpc 2017-11-13 12:41:41 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194
Comment 29 errata-xmlrpc 2017-11-16 14:10:59 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3239 https://access.redhat.com/errata/RHSA-2017:3239
Comment 30 errata-xmlrpc 2017-11-16 14:28:17 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:3240 https://access.redhat.com/errata/RHSA-2017:3240

Note You need to log in before you can comment on or make changes to this bug.