Apache HTTP Server Vulnerabilities Jul 2017 - Sep 2018

SUMMARY

Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker can obtain sensitive information, bypass intended security restrictions, modify session information in CGI applications, replay authenticated HTTP requests, and cause denial of service.

AFFECTED PRODUCTS

Content Analysis (CA)

CVE |Affected Version(s)|Remediation
CVE-2017-9788 | 1.3, 2.1 | Not vulnerable
2.2 | Upgrade to later version with fixes.
2.3 and later | Not vulnerable, fixed in 2.3.1.1
CVE-2018-1301, CVE-2018-1303 | 1.3, 2.1 | Not vulnerable
2.2, 2.3 | Upgrade to later version with fixes.
2.4, 3.0, 3.1 | Not available at this time

Director

CVE |Affected Version(s)|Remediation
CVE-2017-9788, CVE-2017-9798,
CVE-2017-15710, CVE-2018-1301,
CVE-2018-1302, CVE-2018-1303,
CVE-2018-1312 | 6.1 | Upgrade to a version of MC with the fixes.

Malware Analysis (MA)

CVE |Affected Version(s)|Remediation
CVE-2018-1301 | 4.2 | Upgrade to 4.2.12.

Security Analytics (SA)

CVE |Affected Version(s)|Remediation
CVE-2018-1301 | 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes.
8.1 | Not vulnerable, fixed in 8.1.1
CVE-2018-1303 | 7.1, 7.2 | Not vulnerable
7.3, 8.0 | Upgrade to later version with fixes.
8.1 | Not vulnerable, fixed in 8.1.1

ADDITIONAL PRODUCT INFORMATION

The following products are not vulnerable:
Advanced Secure Gateway
AuthConnector
BCAAA
CacheFlow
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
SSL Visibility
Unified Agent
Web Isolation
WSS Mobile Agent
X-Series XOS

ISSUES

CVE-2017-9788

Severity / CVSSv3 | Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) References| SecurityFocus: BID 99569 / NVD: CVE-2017-9788 Impact| Denial of service Description | A flaw in authorization header handling allows a remote attacker to send HTTP requests with crafted authorization headers and obtain sensitive information from server memory or cause denial of service.

CVE-2017-9789

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 99568 / NVD: CVE-2017-9789 Impact| Unspecified Description | A flaw in HTTP/2 handling allows a remote attacker to cause the server, while closing many connections under stress, to behave erratically and have unspecified impact.

CVE-2017-9798

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) References| SecurityFocus: BID 100872 / NVD: CVE-2017-9798 Impact| Denial of service Description | A flaw in HTTP method handling allows a remote attacker to send OPTIONS requests and obtain sensitive information from server memory or cause denial of service.

CVE-2017-12171

Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) References| SecurityFocus: BID 101516 / NVD: CVE-2017-12171 Impact| Information disclosure Description | A flaw in configuration parsing allows a web administrator to unintentionally grant access to a restricted HTTP resource to any client.

CVE-2017-15710

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103512 / NVD: CVE-2017-15710 Impact| Denial of service Description | A flaw in request handling allows a remote attacker to send HTTP requests with crafted Accept-Language headers and cause denial-of-service.

CVE-2017-15715

Severity / CVSSv3 | High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) References| SecurityFocus: BID 103525 / NVD: CVE-2017-15715 Impact| Security control bypass Description | A flaw in filename matching allows a remote attacker to upload files with crafted filenames and bypass intended security restrictions.

CVE-2018-1283

Severity / CVSSv3 | Medium / 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) References| SecurityFocus: BID 103520 / NVD: CVE-2018-1283 Impact| Unauthorized modification of information Description | A flaw in request header handling that allows a remote attacker to modify session information shared from mod_session to CGI applications.

CVE-2018-1301

Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103515 / NVD: CVE-2018-1301 Impact| Denial of service Description | A flaw in request header handling that allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service.

CVE-2018-1302

Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103528 / NVD: CVE-2018-1302 Impact| Denial of service Description | A flaw in HTTP/2 connection handling allows a remote attacker to send HTTP/2 requests and cause an application crash, resulting in denial of service.

CVE-2018-1303

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103522 / NVD: CVE-2018-1303 Impact| Denial of service Description | A flaw in HTTP request handling allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service.

CVE-2018-1312

Severity / CVSSv3 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) References| SecurityFocus: BID 103524 / NVD: CVE-2018-1312 Impact| Authentication bypass Description | A flaw in nonce generation for HTTP Digest authentication challenges allows a remote attacker to replay HTTP requests between servers in the same cluster.

CVE-2018-1333

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| NVD: CVE-2018-1333 Impact| Denial of service Description | A flaw in worker allocation allows a remote attacker to send crafted HTTP/2 requests and cause worker exhaustion, resulting in denial of service.

CVE-2018-8011

Severity / CVSSv3 | High / 7.5 ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| NVD: CVE-2018-8011 Impact| Denial of service Description | A flaw in request handling allows a remote attacker to send crafted HTTP requests and cause denial-of-service.

CVE-2018-11763

Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 105414 / NVD: CVE-2018-11763 Impact| Denial of service Description | A flaw in HTTP/2 connection handling allows a remote attacker to send continuous large SETTINGS frames and cause denial-of-service.

REFERENCES

Apache HTTP Server 2.2 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_22.html&gt;
Apache HTTP Server 2.4 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_24.html&gt;

REVISION

2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2018-1301 and CVE-2018-1303.
2020-04-08 Content Analysis 2.4 and 3.0 are vulnerable to CVE-2018-1301 and CVE-2018-1303. Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2020-01-19 A fix for MA 4.2 is available in 4.2.12.
2019-10-03 Web Isolation is not vulnerable.
2019-09-04 Security Analytics 7.3 and 8.0 are vulnerable to CVE-2018-1303. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v3 base scores from NVD.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-1301.
2018-11-14 Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2018-1301.
2018-11-07 initial public release