Bug 1493056 (CVE-2017-12171) - CVE-2017-12171 httpd: # character matches all IPs
Summary: CVE-2017-12171 httpd: # character matches all IPs
Alias: CVE-2017-12171
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1493060 1493061
Blocks: 1490435
TreeView+ depends on / blocked
Reported: 2017-09-19 09:24 UTC by Stefan Cornelius
Modified: 2021-02-17 01:29 UTC (History)
39 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A regression was found in the Red Hat Enterprise Linux 6.9 version of httpd, causing comments in the "Allow" and "Deny" configuration lines to be parsed incorrectly. A web administrator could unintentionally allow any client to access a restricted HTTP resource.
Clone Of:
Last Closed: 2017-10-24 11:46:51 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2972 0 normal SHIPPED_LIVE Moderate: httpd security update 2017-10-19 19:26:43 UTC

Description Stefan Cornelius 2017-09-19 09:24:09 UTC
httpd in RHEL 6.9 does not properly parse comments, resulting in the '#' character in "Allow" statements to accidentally match all IP addresses. This can lead to a bypass of intended security restrictions.


Comment 1 Stefan Cornelius 2017-09-19 09:24:12 UTC

Name: KAWAHARA Masashi

Comment 8 errata-xmlrpc 2017-10-19 15:27:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2972 https://access.redhat.com/errata/RHSA-2017:2972

Note You need to log in before you can comment on or make changes to this bug.