CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

William A Rowe Jr
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or reset
before or between successive key=value assignments.
by mod_auth_digest
Providing an initial key with no '=' assignment
could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases.)
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifing where = character does not occur
in the first key=value pair, as in the following syntax;
[Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

AW: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Plüm, Rüdiger, Vodafone Group

http://svn.apache.org/r1800955

 

Regards

 

Rüdiger

 

Von: Rashmi Srinivasan [mailto:[hidden email]]
Gesendet: Montag, 17. Juli 2017 07:50
An: [hidden email]
Cc: [hidden email]
Betreff: Re: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

 

Hi,

 

Please can you point us to the patch for this CVE?

 

regards,

Rashmi

 

On Thu, Jul 13, 2017 at 6:32 PM, William A Rowe Jr <[hidden email]> wrote:

CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
all versions through 2.2.33 and 2.4.26

Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or reset
before or between successive key=value assignments.
by mod_auth_digest
Providing an initial key with no '=' assignment
could reflect the stale value of uninitialized pool
memory used by the prior request, leading to leakage
of potentially confidential information, and a segfault

Mitigation:
All users of httpd should upgrade to 2.4.27 (or minimally
2.2.34, which will receive no further security releases.)
Alternately, the administrator could configure httpd to
reject requests with a header matching a complex regular
expression identifing where = character does not occur
in the first key=value pair, as in the following syntax;
[Proxy-]Authorization: Digest key[,key=value]

Credit:
The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

References:
https://httpd.apache.org/security_report.html

 

Loading...