A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash.
Find out more about CVE-2017-9798 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the versions of httpd as shipped with Red Hat Enterprise Linux 5, 6, and 7. This issue affects the versions of httpd24-httpd as shipped with Red Hat Software Collections. Product Security has rated this issue as having Moderate security impact.
In order to be vulnerable, .htaccess files need to contain an invalid or not globally registered HTTP method in a "Limit" directive.
| CVSS3 Base Score | 5.9 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2017:3239 | 2017-11-16 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) | RHSA-2017:3018 | 2017-10-24 |
| Red Hat Enterprise Linux Extended Update Support 6.7 (httpd) | RHSA-2017:3195 | 2017-11-13 |
| Red Hat Enterprise Linux Extended Update Support 7.2 (httpd) | RHSA-2017:3193 | 2017-11-13 |
| Red Hat JBoss Web Server 2.1 | RHSA-2017:3114 | 2017-11-02 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server | RHSA-2017:3113 | 2017-11-02 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) | RHSA-2017:3113 | 2017-11-02 |
| Red Hat Enterprise Linux 6 (httpd) | RHSA-2017:2972 | 2017-10-19 |
| Red Hat JBoss Core Services 1 | RHSA-2017:3475 | 2017-12-15 |
| Red Hat Enterprise Linux 7 (httpd) | RHSA-2017:2882 | 2017-10-11 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpd) | RHSA-2017:3240 | 2017-11-16 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) | RHSA-2017:3018 | 2017-10-24 |
| Red Hat JBoss Core Services on RHEL 6 Server | RHSA-2017:3477 | 2017-12-15 |
| Red Hat Enterprise Linux Extended Update Support 7.3 (httpd) | RHSA-2017:3194 | 2017-11-13 |
| Red Hat JBoss Core Services on RHEL 7 Server | RHSA-2017:3476 | 2017-12-15 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2017:3240 | 2017-11-16 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Web Server 3 | httpd | Will not fix |
| Red Hat JBoss EWS 1 | httpd | Will not fix |
| Red Hat JBoss EAP 5 | httpd | Not affected |
| Red Hat Enterprise Linux 5 | httpd | Will not fix |
This issue can be mitigated by configuring httpd to disallow the use of the "Limit" configuration directive in .htaccess files. The set of directives that can be used in .htaccess files is configured using the "AllowOverride" directive. Refer to Red Hat Bugzilla bug 1490344 for further details:
https://bugzilla.redhat.com/show_bug.cgi?id=1490344#c18
Vulmon