Bug 1470748 (CVE-2017-9788) - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
Summary: CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest
Status: NEW
Alias: CVE-2017-9788
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170711,repo...
Keywords: Security
Depends On: 1474738 1470756 1472846 1473691 1473692 1473693 1473696 1473697 1474739 1474742 1508875 1510060 1510061 1510062
Blocks: 1509003 1470755 1490666 1507692 1513244
TreeView+ depends on / blocked
 
Reported: 2017-07-13 14:45 UTC by Adam Mariš
Modified: 2018-10-19 21:42 UTC (History)
46 users (show)

Fixed In Version: httpd 2.2.34, httpd 2.4.27
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2478 normal SHIPPED_LIVE Important: httpd security update 2017-08-15 22:11:45 UTC
Red Hat Product Errata RHSA-2017:2479 normal SHIPPED_LIVE Important: httpd security update 2017-08-15 22:23:44 UTC
Red Hat Product Errata RHSA-2017:2483 normal SHIPPED_LIVE Important: httpd24-httpd security update 2017-08-17 03:04:17 UTC
Red Hat Product Errata RHSA-2017:2708 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 20:37:52 UTC
Red Hat Product Errata RHSA-2017:2709 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 20:48:46 UTC
Red Hat Product Errata RHSA-2017:2710 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 20:49:04 UTC
Red Hat Product Errata RHSA-2017:3113 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 23:15:44 UTC
Red Hat Product Errata RHSA-2017:3114 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 23:04:48 UTC
Red Hat Product Errata RHSA-2017:3193 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 22:35:40 UTC
Red Hat Product Errata RHSA-2017:3194 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 22:36:28 UTC
Red Hat Product Errata RHSA-2017:3195 normal SHIPPED_LIVE Important: httpd security update 2017-11-13 22:35:58 UTC
Red Hat Product Errata RHSA-2017:3239 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.18 security update 2017-11-21 23:05:17 UTC
Red Hat Product Errata RHSA-2017:3240 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.18 security update 2017-11-21 23:17:26 UTC

Description Adam Mariš 2017-07-13 14:45:44 UTC
The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault.

Affected are all versions through 2.2.33 and 2.4.26.

External References:

https://httpd.apache.org/security/vulnerabilities_22.html#2.2.34
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27

Comment 1 Adam Mariš 2017-07-13 15:02:49 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1470756]

Comment 2 Stefan Cornelius 2017-07-19 08:57:09 UTC
Patch:

http://svn.apache.org/viewvc?view=revision&revision=1800919

Comment 11 Stefan Cornelius 2017-07-26 13:16:39 UTC
Mitigation:

If you do not use digest authentication, do not load the "auth_digest_module".

For example, on RHEL 7, this can be done by commenting out or removing the
"LoadModule auth_digest_module modules/mod_auth_digest.so"
line within the /etc/httpd/conf.modules.d/00-base.conf configuration file and restarting the service.

You can then use the "httpd -t -D DUMP_MODULES" command to verify that the module is no longer loaded.

Comment 14 errata-xmlrpc 2017-08-15 18:14:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478

Comment 15 errata-xmlrpc 2017-08-15 18:27:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479

Comment 16 errata-xmlrpc 2017-08-16 23:07:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483

Comment 19 errata-xmlrpc 2017-09-13 16:38:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2708

Comment 20 errata-xmlrpc 2017-09-13 16:50:26 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2709

Comment 21 errata-xmlrpc 2017-09-13 16:51:29 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:2710 https://access.redhat.com/errata/RHSA-2017:2710

Comment 22 errata-xmlrpc 2017-11-02 19:07:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114

Comment 23 errata-xmlrpc 2017-11-02 19:17:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113

Comment 26 errata-xmlrpc 2017-11-13 17:37:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193

Comment 27 errata-xmlrpc 2017-11-13 17:39:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:3195 https://access.redhat.com/errata/RHSA-2017:3195

Comment 28 errata-xmlrpc 2017-11-13 17:41:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194

Comment 29 errata-xmlrpc 2017-11-16 19:10:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3239 https://access.redhat.com/errata/RHSA-2017:3239

Comment 30 errata-xmlrpc 2017-11-16 19:28:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:3240 https://access.redhat.com/errata/RHSA-2017:3240


Note You need to log in before you can comment on or make changes to this bug.