9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker can obtain sensitive information, bypass intended security restrictions, modify session information in CGI applications, replay authenticated HTTP requests, and cause denial of service.
CVE |Affected Version(s)|Remediation
CVE-2017-9788 | 1.3, 2.1 | Not vulnerable
2.2 | Upgrade to later version with fixes.
2.3 and later | Not vulnerable, fixed in 2.3.1.1
CVE-2018-1301, CVE-2018-1303 | 1.3, 2.1 | Not vulnerable
2.2, 2.3 | Upgrade to later version with fixes.
2.4, 3.0, 3.1 | Not available at this time
CVE |Affected Version(s)|Remediation
CVE-2017-9788, CVE-2017-9798,
CVE-2017-15710, CVE-2018-1301,
CVE-2018-1302, CVE-2018-1303,
CVE-2018-1312 | 6.1 | Upgrade to a version of MC with the fixes.
CVE |Affected Version(s)|Remediation
CVE-2018-1301 | 4.2 | Upgrade to 4.2.12.
CVE |Affected Version(s)|Remediation
CVE-2018-1301 | 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes.
8.1 | Not vulnerable, fixed in 8.1.1
CVE-2018-1303 | 7.1, 7.2 | Not vulnerable
7.3, 8.0 | Upgrade to later version with fixes.
8.1 | Not vulnerable, fixed in 8.1.1
The following products are not vulnerable:
Advanced Secure Gateway
AuthConnector
BCAAA
CacheFlow
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
IntelligenceCenter
IntelligenceCenter Data Collector
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
SSL Visibility
Unified Agent
Web Isolation
WSS Mobile Agent
X-Series XOS
Severity / CVSSv3 | Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) References| SecurityFocus: BID 99569 / NVD: CVE-2017-9788 Impact| Denial of service Description | A flaw in authorization header handling allows a remote attacker to send HTTP requests with crafted authorization headers and obtain sensitive information from server memory or cause denial of service.
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 99568 / NVD: CVE-2017-9789 Impact| Unspecified Description | A flaw in HTTP/2 handling allows a remote attacker to cause the server, while closing many connections under stress, to behave erratically and have unspecified impact.
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) References| SecurityFocus: BID 100872 / NVD: CVE-2017-9798 Impact| Denial of service Description | A flaw in HTTP method handling allows a remote attacker to send OPTIONS requests and obtain sensitive information from server memory or cause denial of service.
Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) References| SecurityFocus: BID 101516 / NVD: CVE-2017-12171 Impact| Information disclosure Description | A flaw in configuration parsing allows a web administrator to unintentionally grant access to a restricted HTTP resource to any client.
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103512 / NVD: CVE-2017-15710 Impact| Denial of service Description | A flaw in request handling allows a remote attacker to send HTTP requests with crafted Accept-Language headers and cause denial-of-service.
Severity / CVSSv3 | High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) References| SecurityFocus: BID 103525 / NVD: CVE-2017-15715 Impact| Security control bypass Description | A flaw in filename matching allows a remote attacker to upload files with crafted filenames and bypass intended security restrictions.
Severity / CVSSv3 | Medium / 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) References| SecurityFocus: BID 103520 / NVD: CVE-2018-1283 Impact| Unauthorized modification of information Description | A flaw in request header handling that allows a remote attacker to modify session information shared from mod_session to CGI applications.
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103515 / NVD: CVE-2018-1301 Impact| Denial of service Description | A flaw in request header handling that allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service.
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103528 / NVD: CVE-2018-1302 Impact| Denial of service Description | A flaw in HTTP/2 connection handling allows a remote attacker to send HTTP/2 requests and cause an application crash, resulting in denial of service.
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 103522 / NVD: CVE-2018-1303 Impact| Denial of service Description | A flaw in HTTP request handling allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service.
Severity / CVSSv3 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) References| SecurityFocus: BID 103524 / NVD: CVE-2018-1312 Impact| Authentication bypass Description | A flaw in nonce generation for HTTP Digest authentication challenges allows a remote attacker to replay HTTP requests between servers in the same cluster.
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| NVD: CVE-2018-1333 Impact| Denial of service Description | A flaw in worker allocation allows a remote attacker to send crafted HTTP/2 requests and cause worker exhaustion, resulting in denial of service.
Severity / CVSSv3 | High / 7.5 ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References| NVD: CVE-2018-8011 Impact| Denial of service Description | A flaw in request handling allows a remote attacker to send crafted HTTP requests and cause denial-of-service.
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) References| SecurityFocus: BID 105414 / NVD: CVE-2018-11763 Impact| Denial of service Description | A flaw in HTTP/2 connection handling allows a remote attacker to send continuous large SETTINGS frames and cause denial-of-service.
Apache HTTP Server 2.2 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_22.html>
Apache HTTP Server 2.4 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_24.html>
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2018-1301 and CVE-2018-1303.
2020-04-08 Content Analysis 2.4 and 3.0 are vulnerable to CVE-2018-1301 and CVE-2018-1303. Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2020-01-19 A fix for MA 4.2 is available in 4.2.12.
2019-10-03 Web Isolation is not vulnerable.
2019-09-04 Security Analytics 7.3 and 8.0 are vulnerable to CVE-2018-1303. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v3 base scores from NVD.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-1301.
2018-11-14 Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2018-1301.
2018-11-07 initial public release
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P