Submitted via IRC for SoyCow1937
There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.
The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.
[...] Optionsbleed, by contrast [to Heartbleed], doesn't pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That's because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers' hosts on the same system. On the Internet at large, the threat is less serious.
[...] Interestingly, the bug was first identified in 2014. Why it's only now being patched is unclear.
[Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]
(Score: 3, Informative) by AssCork on Thursday September 21 2017, @12:38PM (1 child)
For anyone who spewed their morning coffee onto their monitors; here's a bit more context;
This currently carries a CVSS(v3) score of 5.9 from Red Hat [redhat.com] - so source-based Linux distros that hail from Red Hat's source would (presumably) carry the same severity.
Of course, this type of thing is entirely why most organizations don't let developers access production systems, and why most people use something a bit more...reliable...than .htaccess files with dorked-up "limit" options.
Now if you'll excuse me, I have to grab some paper towels, and finish my email to the boss on "Why you should *not* freak-out when you start web-surfing news sites today" before he gets in.
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 2) by requerdanos on Thursday September 21 2017, @03:27PM
Seems pretty healthy to me. I know my regularly-scheduled apt-get update && apt-get upgrade were moved up a little today upon reading this (curiosity, mostly). But then, I am a self-employed server admin and not a traditional server admin's boss.