SoylentNews is people

posted by Fnord666 on Thursday September 21 2017, @11:17AM
from the bleeding-to-death dept.

Submitted via IRC for SoyCow1937

There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.

The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.

[...] Optionsbleed, by contrast [to Heartbleed], doesn't pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That's because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers' hosts on the same system. On the Internet at large, the threat is less serious.

[...] Interestingly, the bug was first identified in 2014. Why it's only now being patched is unclear.

Source: https://arstechnica.com/information-technology/2017/09/apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/

[Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]


  • (Score: 4, Informative) by NotSanguine on Thursday September 21 2017, @02:07PM (2 children)

    by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Thursday September 21 2017, @02:07PM (#571152)

    Details are available at CVE-2017-9798 [nist.gov].

    Description

    Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

    The link above contains more links to:
    Patch: https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9 [github.com]
    POC exploit: https://github.com/hannob/optionsbleed [github.com]
    and many other goodies.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @08:56PM (1 child)

    by Anonymous Coward on Thursday September 21 2017, @08:56PM (#571398)

    The "POC exploit" link is just a POC tester; it identifies vulnerable hosts but doesn't exploit the vulnerability on them (at least according to the README...).
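
The story says an affected server's OPTIONS response can carry memory contents in place of a clean method list, so a defender can sanity-check the `Allow` header values their own servers return. The sketch below is an added example, not part of the story, the comments, or the tester linked above; the heuristics, the method allow-list and the sample values are assumptions made for illustration.

```python
import re

# RFC 7230 "token" characters: what a well-formed HTTP method name may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Common HTTP and WebDAV methods (a constructed allow-list; extend it with
# any methods your own applications legitimately define).
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def check_allow_header(value: bytes) -> list:
    """Return findings for one raw Allow header value.

    An empty list means the value looks like a plain method list.
    """
    findings = []
    # Bytes outside printable ASCII never belong in a method list.
    if any(b < 0x20 or b > 0x7E for b in value):
        findings.append("non-printable bytes")
    seen = set()
    for raw in value.decode("latin-1").split(","):
        item = raw.strip()
        if not item:
            findings.append("empty list element")
        elif not TOKEN.fullmatch(item):
            findings.append(f"not an HTTP token: {item!r}")
        elif item.upper() not in KNOWN_METHODS:
            findings.append(f"unknown method: {item!r}")
        elif item.upper() in seen:
            findings.append(f"duplicate method: {item!r}")
        seen.add(item.upper())
    return findings


# Constructed sample values, not captured from any real server.
SAMPLES = {
    "clean": b"GET,HEAD,POST,OPTIONS",
    "empty-elements": b"GET,HEAD,,,POST,OPTIONS",
    "stray-text": b"GET,HEAD,OPTIONS,<placeholder text>,POST",
    "binary": b"POST,OPTIONS,\x8f\x01HEAD,GET",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, check_allow_header(value) or "ok")
```

Because the CVE description quoted above notes that secret data is not always sent, a single clean response does not show a host is unaffected; checking the installed httpd version against the affected ranges remains the reliable test.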