posted by Fnord666 on Thursday September 21 2017, @11:17AM
from the bleeding-to-death dept.

Submitted via IRC for SoyCow1937

There's a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.

The vulnerability can be triggered by querying a server with what's known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.

[...] Optionsbleed, by contrast [to Heartbleed], doesn't pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That's because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers' hosts on the same system. On the Internet at large, the threat is less serious.

[...] Interestingly, the bug was first identified in 2014. Why it's only now being patched is unclear.

Source: https://arstechnica.com/information-technology/2017/09/apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/

[Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]
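The excerpt above describes the observable symptom: an OPTIONS response whose Allow header carries stray process memory instead of method names. The following Python is an added example written for this page (it is not code from Ars Technica, SoylentNews or the httpd project) showing how an operator can validate captured OPTIONS responses from their own server offline: every Allow element is checked against the RFC 7230 token grammar and a list of expected methods, because bytes that cannot be part of a method name are the strongest indicator of the leak. The sample responses are constructed, and the KNOWN_METHODS set is an assumption that a site registering custom methods would extend.

```python
from typing import Dict, List, Optional

# RFC 7230 "tchar": the only bytes that can legally appear in an HTTP method name,
# and therefore in a well-formed Allow header element.
TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

# Assumed baseline: methods a stock httpd (plus common modules such as mod_dav)
# normally advertises. Extend for sites that register their own methods.
KNOWN_METHODS = {
    b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"PATCH",
    b"CONNECT", b"PROPFIND", b"PROPPATCH", b"MKCOL", b"COPY", b"MOVE", b"LOCK", b"UNLOCK",
}


def allow_header_value(raw_response: bytes) -> Optional[bytes]:
    """Return the raw value of the Allow header of an HTTP/1.x response, or None."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"allow":
            return value.strip(b" \t")
    return None


def check_allow_header(raw_response: bytes) -> Dict[str, List[bytes]]:
    """Classify every comma-separated element of the Allow header.

    non_token      -> element contains bytes outside tchar (strong leak indicator)
    unknown_method -> well-formed token, but not a method we expect this server to have
    empty          -> empty list element (legal per RFC 7230 list syntax, weak signal)
    """
    findings: Dict[str, List[bytes]] = {"non_token": [], "unknown_method": [], "empty": []}
    value = allow_header_value(raw_response)
    if value is None:
        return findings
    for element in value.split(b","):
        element = element.strip(b" \t")
        if not element:
            findings["empty"].append(element)
        elif any(byte not in TCHAR for byte in element):
            findings["non_token"].append(element)
        elif element.upper() not in KNOWN_METHODS:
            findings["unknown_method"].append(element)
    return findings


def looks_corrupted(raw_response: bytes) -> bool:
    """True when the Allow header carries bytes that cannot be a method name."""
    return bool(check_allow_header(raw_response)["non_token"])


def suspect_count(responses: List[bytes]) -> int:
    """The defect is a use-after-free, so the symptom is intermittent:
    judge a server on a series of captured responses, not on a single one."""
    return sum(1 for r in responses if looks_corrupted(r))


# Constructed sample responses (not captured from any real server).
HEALTHY = (b"HTTP/1.1 200 OK\r\n"
           b"Date: Thu, 21 Sep 2017 11:17:00 GMT\r\n"
           b"Allow: GET,HEAD,POST,OPTIONS\r\n"
           b"Content-Length: 0\r\n\r\n")
SUSPECT = (b"HTTP/1.1 200 OK\r\n"
           b"Allow: GET,HEAD,OPTIONS,\x1b\x9f\x00session=abc123,POST\r\n"
           b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("healthy", HEALTHY), ("suspect", SUSPECT)):
        print(label, check_allow_header(resp))
    print("corrupted responses in sample:", suspect_count([HEALTHY, SUSPECT, HEALTHY]))
```

A clean response proves nothing on its own, which is why suspect_count summarizes a batch. A well-formed but unexpected method is reported separately from garbage bytes, since WebDAV and custom modules legitimately add methods and should not be mistaken for leaked memory.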



Related Stories

Former Equifax CEO Says Breach Boiled Down to One Person Not Doing Their Job

Submitted via IRC for Fnord666_

In a continued effort to pass on any responsibility for the largest data breach in American history, Equifax's recently departed CEO is blaming it all on a single person who failed to deploy a patch.

Hackers exposed the Social Security numbers, driver's licenses and other sensitive info of 143 million Americans earlier this summer by exploiting a vulnerability in Apache's Struts software, according to testimony heard today from former CEO Richard Smith. However, a patch for that vulnerability had been available for months before the breach occurred.

Now several top Equifax execs are being taken to task for failing to protect the information of millions of U.S. citizens. In a live stream before the Digital Commerce and Consumer Protection subcommittee of the House Energy and Commerce committee, Smith testified the Struts vulnerability had been discussed when it was first announced by CERT on March 8th.

Smith said when he started with Equifax 12 years ago there was no one in cybersecurity. The company has poured a quarter of a billion dollars into cybersecurity in the last three years and today boasts a 225 person team.

However, Smith had an interesting explainer for how this easy fix slipped by 225 people's notice — one person didn't do their job.

"The human error was that the individual who's responsible for communicating in the organization to apply the patch, did not," Smith, who did not name this individual, told the committee.

Source: https://techcrunch.com/2017/10/03/former-equifax-ceo-says-breach-boiled-down-to-one-person-not-doing-their-job/



  • (Score: 3, Informative) by AssCork on Thursday September 21 2017, @12:38PM (1 child)

    by AssCork (6255) on Thursday September 21 2017, @12:38PM (#571119) Journal

    For anyone who spewed their morning coffee onto their monitors, here's a bit more context:

    This currently carries a CVSS(v3) score of 5.9 from Red Hat [redhat.com] - so source-based Linux distros that hail from Red Hat's source would (presumably) carry the same severity.
    Of course, this type of thing is entirely why most organizations don't let developers access production systems, and why most people use something a bit more...reliable...than .htaccess files with dorked-up "limit" options.

    Now if you'll excuse me, I have to grab some paper towels, and finish my email to the boss on "Why you should *not* freak-out when you start web-surfing news sites today" before he gets in.

    --
    Just popped-out of a tight spot. Came out mostly clean, too.
    • (Score: 2) by requerdanos on Thursday September 21 2017, @03:27PM

      by requerdanos (5997) Subscriber Badge on Thursday September 21 2017, @03:27PM (#571184) Journal

      "Why you should *not* freak-out when you start web-surfing news sites today" before he gets in.

      Seems pretty healthy to me. I know my regularly-scheduled apt-get update && apt-get upgrade were moved up a little today upon reading this (curiosity, mostly). But then, I am a self-employed server admin and not a traditional server admin's boss.

  • (Score: 0, Flamebait) by TheRaven on Thursday September 21 2017, @01:32PM (3 children)

    by TheRaven (270) on Thursday September 21 2017, @01:32PM (#571139) Journal
    Wasn't that the web server that people used to run back in the early 2000s, but everyone abandoned because of its terrible security record?
    --
    sudo mod me up
    • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @01:57PM

      by Anonymous Coward on Thursday September 21 2017, @01:57PM (#571147)

      The fact that it still is included in repos suggests that quite a few people still use it.

    • (Score: 3, Touché) by requerdanos on Thursday September 21 2017, @03:33PM (1 child)

      by requerdanos (5997) Subscriber Badge on Thursday September 21 2017, @03:33PM (#571187) Journal

      Wasn't that the web server that... everyone abandoned...?

      No, that's not the one. This one is Apache [builtwith.com], which Builtwith reports to be used on about 37% of the top one million websites that they track.

  • (Score: 4, Informative) by NotSanguine on Thursday September 21 2017, @02:07PM (2 children)

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Thursday September 21 2017, @02:07PM (#571152) Homepage Journal

    Details are available at CVE-2017-9798 [nist.gov].

    Description

    Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

    The link above contains more links to:
    Patch: https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9 [github.com]
    POC exploit: https://github.com/hannob/optionsbleed [github.com]
    and many other goodies.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 0) by Anonymous Coward on Thursday September 21 2017, @08:56PM (1 child)

      by Anonymous Coward on Thursday September 21 2017, @08:56PM (#571398)

      The "POC exploit" link is just a POC tester; it identifies vulnerable hosts, it doesn't exploit the vulnerability on them (at least according to the README...).
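The CVE text quoted above locates the exposure in <Limit> sections that a user can write into .htaccess (handled by ap_limit_section in server/core.c) and in certain httpd.conf misconfigurations. As an added example, not tooling from the httpd project nor anything from the linked repositories, the Python below audits configuration text for the conditions a defender can actually control: whether AllowOverride hands the Limit or AuthConfig class (or All) to .htaccess authors, which per the httpd documentation is what enables <Limit> there; whether any <Limit>/<LimitExcept> section names a method httpd does not register by default; and whether a .htaccess file contains a <Limit> section at all. The sample configuration snippets are constructed, and KNOWN_METHODS is an assumption to adjust for modules that add methods.

```python
import re
from typing import List, Tuple

# Assumed baseline of methods httpd registers out of the box (plus mod_dav's).
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Opening tag of a <Limit ...> or <LimitExcept ...> section; group 2 is the method list.
LIMIT_RE = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE)
OVERRIDE_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.IGNORECASE)
# Override classes that let a .htaccess author use <Limit>/<LimitExcept>
# (httpd documents the directive's override as "AuthConfig, Limit"; All covers both).
PERMITS_LIMIT = {"all", "limit", "authconfig"}

Finding = Tuple[int, str, str]   # (line number, kind, detail)


def audit_config(text: str, is_htaccess: bool = False) -> List[Finding]:
    """Scan httpd.conf-style text line by line and report risky patterns."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # httpd only treats whole-line '#' as a comment; a mid-line '#' is an argument.
        if line.lstrip().startswith("#"):
            continue
        m = LIMIT_RE.match(line)
        if m:
            methods = [tok.strip('"') for tok in m.group(2).split()]
            if is_htaccess:
                # The CVE's stated precondition: a user-controlled .htaccess with <Limit>.
                findings.append((lineno, "limit_in_htaccess", " ".join(methods)))
            for meth in methods:
                if meth.upper() not in KNOWN_METHODS:
                    findings.append((lineno, "unknown_method", meth))
            continue
        m = OVERRIDE_RE.match(line)
        if m:
            classes = {c.lower() for c in m.group(1).split()}
            if classes & PERMITS_LIMIT:
                findings.append((lineno, "allowoverride_permits_limit", m.group(1)))
    return findings


# Constructed samples; not taken from any real server.
SAMPLE_HTTPD_CONF = """\
# constructed sample, not a real server's configuration
<Directory "/var/www/customers">
    AllowOverride Limit
</Directory>
<Limit GET POST>
    Require all granted
</Limit>
<Limit GETT>
    Require valid-user
</Limit>
"""

SAMPLE_HTACCESS = """\
<Limit POST>
    Require ip 10.0.0.0/8
</Limit>
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_HTTPD_CONF):
        print("httpd.conf", *f)
    for f in audit_config(SAMPLE_HTACCESS, is_htaccess=True):
        print(".htaccess", *f)
```

Run this over the server's configuration tree after patching: a finding of allowoverride_permits_limit marks directories where tenants can author the sections the CVE describes, and setting that directive to None (or a narrower class) there removes the .htaccess path regardless of the httpd version in place.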

  • (Score: 2) by DannyB on Thursday September 21 2017, @04:01PM (2 children)

    by DannyB (5839) Subscriber Badge on Thursday September 21 2017, @04:01PM (#571201) Journal

    [Note: I checked with TheMightyBuzzard, and was informed that, though SoylentNews does run Apache, our systems are configured in such a way as to not expose OPTIONS. In other words, it is believed that we are not susceptible. --martyb]

    Yeah, but do you have a security.txt file? :-)

    The fact that you, last time I checked, get a grade of A+ on SSLLabs, demonstrates significant effort in the care of the website.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 2) by bob_super on Thursday September 21 2017, @09:02PM (1 child)

      by bob_super (1357) on Thursday September 21 2017, @09:02PM (#571402)

      Small places with motivated security teams tend to feel safer than huge organizations.

      • (Score: 2) by DannyB on Friday September 22 2017, @03:15PM

        by DannyB (5839) Subscriber Badge on Friday September 22 2017, @03:15PM (#571665) Journal

        Wot? Surely you are not suggesting lapses in how big companies deal with web sites? Like Microsoft letting the microsoft.com domain expire?

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.