Arch Linux Security Advisory ASA-201706-34

Severity: High
Date : 2017-06-28
CVE-ID : CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668
CVE-2017-7679
Package : apache
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-316

Summary

The package apache before version 2.4.26-1 is vulnerable to multiple
issues including denial of service, information disclosure and
authentication bypass.

Resolution

Upgrade to 2.4.26-1.

pacman -Syu “apache>=2.4.26-1”

The problems have been fixed upstream in version 2.4.26.

Workaround

None.

Description

• CVE-2017-3167 (authentication bypass)

An authentication bypass flaw has been found in Apache httpd < 2.4.26,
where the use of the ap_get_basic_auth_pw() function by third-party
modules outside of the authentication phase may lead to authentication
requirements being bypassed. Third-party module writers SHOULD use
ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead
of ap_get_basic_auth_pw(). Modules which call the legacy
ap_get_basic_auth_pw() during the authentication phase MUST either
immediately authenticate the user after the call, or else stop the
request immediately with an error response, to avoid incorrectly
authenticating the current request.

• CVE-2017-3169 (denial of service)

A NULL-pointer dereference leading to denial of service has been found
in the mod_ssl component of Apache httpd < 2.4.26. mod_ssl may
dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

• CVE-2017-7659 (denial of service)

A NULL-pointer dereference leading to denial of service has been found
in the mod_http2 component of Apache httpd < 2.4.26. A maliciously
constructed HTTP/2 request could cause mod_http2 to dereference a NULL
pointer and crash the server process.

• CVE-2017-7668 (information disclosure)

An out-of-bounds read has been found in Apache httpd < 2.4.26. The HTTP
strict parsing changes added in 2.2.32 and 2.4.24 introduced a bug in
token list parsing, which allows ap_find_token() to search past the end
of its input string. By maliciously crafting a sequence of request
headers, an attacker may be able to cause a segmentation fault, or to
force ap_find_token() to return an incorrect value.

• CVE-2017-7679 (denial of service)

An out-of-bounds read has been found in Apache httpd < 2.4.26, where
mod_mime can read one byte past the end of a buffer when a malicious
Content-Type response header is sent.

Impact

A remote attacker can crash an apache server or obtain sensitive
information from the host by performing a maliciously-crafted HTTP
request. In addition, a malicious attacker can bypass a server’s
authentication requirements via maliciously-crafted request headers.

References

https://httpd.apache.org/security/vulnerabilities_24.html
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
https://security.archlinux.org/CVE-2017-3167
https://security.archlinux.org/CVE-2017-3169
https://security.archlinux.org/CVE-2017-7659
https://security.archlinux.org/CVE-2017-7668
https://security.archlinux.org/CVE-2017-7679