A vulnerability (CVE-2017-9798) dubbed OptionsBleed has [finally] been patched upstream and is starting to gain some press.

The vulnerability is triggered by badly configured .htaccess files combined with the way affected Apache versions handle memory. Apache reads .htaccess files recursively through the served directory tree. If any of those .htaccess files names a request method in a Limit directive that is either superseded globally or doesn't exist, Apache exposes itself to a use-after-free vulnerability.
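
To check a served tree for the "doesn't exist" half of the misconfiguration described above, the following added example (not code from this post or from the Apache project) walks the tree and reports every Limit or LimitExcept line in a .htaccess file that names a method outside a baseline set. KNOWN_METHODS, scan_htaccess and scan_tree are hypothetical names, and the baseline is an assumption taken from the method names listed in Apache's Limit documentation; it does not detect methods that are superseded globally.

```python
import os
import re
import tempfile

# Assumed baseline: method names listed in Apache's <Limit> documentation, plus HEAD.
# Extend this set with any methods your loaded modules register globally.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}
# Matches <Limit ...> and <LimitExcept ...>; directive names are case-insensitive.
LIMIT_RE = re.compile(r"^\s*<\s*(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)


def scan_htaccess(text):
    """Return (line_no, directive, method) for each method outside KNOWN_METHODS."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = LIMIT_RE.match(line)  # commented-out lines start with '#' and never match
        if not match:
            continue
        for method in match.group(2).split():
            # Method names are case-sensitive in Apache, so "get" is not "GET".
            if method not in KNOWN_METHODS:
                findings.append((line_no, match.group(1), method))
    return findings


def scan_tree(root):
    """Walk a served directory tree and scan every .htaccess file found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as handle:
                found = scan_htaccess(handle.read())
            if found:
                results[path] = found
    return results


if __name__ == "__main__":
    # Constructed sample tree: a single .htaccess with a misspelt method name.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        with open(os.path.join(root, "app", ".htaccess"), "w") as f:
            f.write("<Limit GET PSOT>\nRequire valid-user\n</Limit>\n")
        for path, found in scan_tree(root).items():
            print(path, found)
```

Any file this reports is worth correcting even on a patched httpd, since a misspelt method in a Limit block means the intended access restriction is not being applied to the method the author meant.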

The memory handling bug means that the area of memory in question is freed but still used by Apache, and may then be allocated to another part of the running Apache instance. An OPTIONS request can then leak this data.

It is often likened to the OpenSSL HeartBleed vulnerability because it also leaks information, this time from httpd (Apache Web Server). There are detailed explanations of the issue on nakedsecurity and arstechnica UK. Red Hat has given the vulnerability a Moderate rating.

A target would have to be unlucky timing-wise, and on a busy server, for this to leak anything sensitive, but any leakage is bad.

So - Discovery - affected? No, not by default. We do not ship, or configure, any .htaccess files on an Appliance. That said, some vulnerability assessment tools will show the Appliance as vulnerable because we are running a vulnerable version of httpd. The updated version of httpd will be shipped in the next OSU after the patch is released.