Submitted via IRC for SoyCow1937
There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.
The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST, OPTIONS is an HTTP method; it lets a client ask which methods the server supports for a resource. Normally, a server answers with an Allow header listing GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, Apache Web Server's response includes data from the server process's memory in place of, or alongside, those method names. Patches are available here and here.
[...] Optionsbleed, by contrast [to Heartbleed], doesn't pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That's because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers' hosts on the same system. On the Internet at large, the threat is less serious.
[...] Interestingly, the bug was first identified in 2014. Why it's only now being patched is unclear.
[Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]
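The check the story describes (send OPTIONS, look at what comes back) reduces to inspecting the Allow header: a healthy reply is a short list of distinct, well-formed method names, while leaked memory shows up as empty list items, repeated names, or byte runs that are not method tokens at all. The following script is an added example, not part of the story and not hannob's optionsbleed checker; `classify_allow`, `probe` and `scan_samples` are names chosen here, and every sample Allow value is constructed rather than captured from a real host. The `probe` helper needs network access and is not used by the offline sample run.

```python
# Added example (not from the Ars Technica story nor from hannob/optionsbleed):
# classify HTTP "Allow" header values the way an Optionsbleed checker does.
import http.client
import re
from typing import Dict, List, Tuple

# Method names are RFC 7230 "tokens": only these characters are legal in one.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Methods a sane Apache Allow header can plausibly list (RFC 7231 plus WebDAV).
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}


def classify_allow(value: str) -> Tuple[str, List[str]]:
    """Return ("clean" | "suspicious", reasons) for one Allow header value.

    Apache normally emits distinct, well-formed method names separated by
    commas. Empty items, duplicates, unknown names or non-token bytes are
    the shapes that leaked memory takes in the response.
    """
    reasons: List[str] = []
    if not value.strip():
        return "suspicious", ["empty Allow header"]
    items = [item.strip() for item in value.split(",")]
    seen = set()
    for item in items:
        if item == "":
            reasons.append("empty list item (consecutive or trailing comma)")
        elif not TOKEN_RE.match(item):
            reasons.append(f"non-token bytes: {item!r}")
        elif item.upper() not in KNOWN_METHODS:
            reasons.append(f"unknown method name: {item!r}")
        elif item.upper() in seen:
            reasons.append(f"duplicated method: {item!r}")
        seen.add(item.upper())
    return ("suspicious" if reasons else "clean"), reasons


def probe(host: str, port: int = 80, path: str = "/", tries: int = 10,
          use_tls: bool = False) -> List[Tuple[str, List[str]]]:
    """Send `tries` OPTIONS requests to host and classify each Allow header.

    The leak is not deterministic, so the request is repeated; a single
    suspicious reply among many is enough to warrant a closer look. This
    needs network access and is not exercised by the offline sample below.
    """
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    results: List[Tuple[str, List[str]]] = []
    for _ in range(tries):
        conn = conn_cls(host, port, timeout=10)
        try:
            conn.request("OPTIONS", path,
                         headers={"Host": host, "User-Agent": "allow-check"})
            allow = conn.getresponse().getheader("Allow") or ""
        finally:
            conn.close()
        results.append(classify_allow(allow))
    return results


# Constructed sample Allow values (not captured from any real host). The two
# "leak" entries imitate the shape of a corrupted header: stray bytes, empty
# items and repeated method names.
SAMPLE_ALLOW = {
    "healthy": "OPTIONS,GET,HEAD,POST",
    "webdav": "OPTIONS,GET,HEAD,POST,PROPFIND,LOCK,UNLOCK",
    "leak-a": "GET,HEAD,OPTIONS,,HEAD,,HEAD,POST,,HEAD,TRACE",
    "leak-b": "POST,OPTIONS,,HEAD,:09:44 GMT",
}


def scan_samples() -> Dict[str, str]:
    """Classify every constructed sample; returns sample name -> verdict."""
    return {name: classify_allow(value)[0] for name, value in SAMPLE_ALLOW.items()}


if __name__ == "__main__":
    for name, value in SAMPLE_ALLOW.items():
        verdict, reasons = classify_allow(value)
        print(f"{name:8s} {verdict:10s} {value!r}")
        for reason in reasons:
            print("          -", reason)
```

A clean verdict from a handful of requests is not proof of safety: the leak depends on the server's memory state at the time of the request, so a checker that finds nothing has only failed to observe it. Classifying a host as vulnerable from the header shape alone is likewise a heuristic; the patch and CVE links in the comments are the authoritative fix.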
Related Stories
Submitted via IRC for Fnord666_
In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.
Hackers exposed the Social Security numbers, drivers licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.
Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.
Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.
However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.
"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.
(Score: 3, Informative) by AssCork on Thursday September 21 2017, @12:38PM (1 child)
For anyone who spewed their morning coffee onto their monitors; here's a bit more context;
This currently carries a CVSS(v3) score of 5.9 from Red Hat [redhat.com] - so source-based Linux distros that hail from Red Hat's source would (presumably) carry the same severity.
Of course, this type of thing is entirely why most organizations don't let developers access production systems, and why most people use something a bit more...reliable...than .htaccess files with dorked-up "limit" options.
Now if you'll excuse me, I have to grab some paper towels, and finish my email to the boss on "Why you should *not* freak-out when you start web-surfing news sites today" before he gets in.
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 2) by requerdanos on Thursday September 21 2017, @03:27PM
Seems pretty healthy to me. I know my regularly-scheduled apt-get update && apt-get upgrade were moved up a little today upon reading this (curiosity, mostly). But then, I am a self-employed server admin and not a traditional server admin's boss.
(Score: 0, Flamebait) by TheRaven on Thursday September 21 2017, @01:32PM (3 children)
sudo mod me up
(Score: 0) by Anonymous Coward on Thursday September 21 2017, @01:57PM
The fact that it still is included in repos suggests that quite a few people still use it.
(Score: 3, Touché) by requerdanos on Thursday September 21 2017, @03:33PM (1 child)
No, that's not the one. This one is Apache [builtwith.com], which Builtwith reports to be used on about 37% of the top one million websites that they track.
(Score: 1, Touché) by Anonymous Coward on Friday September 22 2017, @12:13PM
Netcraft confirms this https://news.netcraft.com/archives/2017/09/11/september-2017-web-server-survey.html#more-25675 [netcraft.com]
(Score: 4, Informative) by NotSanguine on Thursday September 21 2017, @02:07PM (2 children)
Details are available at CVE-2017-9798 [nist.gov].
The link above contains more links to:
Patch: https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9 [github.com]
POC exploit: https://github.com/hannob/optionsbleed [github.com]
and many other goodies.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 0) by Anonymous Coward on Thursday September 21 2017, @08:56PM (1 child)
The "POC exploit" link is just a POC tester; it identifies vulnerable hosts, it doesn't exploit the vulnerability on them. (at least according to the README...)
(Score: 2) by NotSanguine on Thursday September 21 2017, @09:08PM
Yeah, I realized that after I posted the comment. Mea Culpa.
You can find an actual exploit at: https://www.exploit-db.com/exploits/42745/ [exploit-db.com]
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by DannyB on Thursday September 21 2017, @04:01PM (2 children)
Yeah, but do you have a security.txt file? :-)
The fact that you, last time I checked, get a grade of A+ on SSLLabs, demonstrates significant effort in the care of the website.
People today are educated enough to repeat what they are taught but not to question what they are taught.
(Score: 2) by bob_super on Thursday September 21 2017, @09:02PM (1 child)
Small places with motivated security teams tend to feel safer than huge organizations.
(Score: 2) by DannyB on Friday September 22 2017, @03:15PM
Wot? Surely you are not suggesting lapses in how big companies deal with web sites? Like Microsoft letting the microsoft.com domain expire?
People today are educated enough to repeat what they are taught but not to question what they are taught.