Possibly most of the users are already aware, yet we may have our readers who are yet not aware of Optionsbleed. Optionsbleed (CVE-2017-9798) is a minor bug of Apache Web Server which may reveal password like data. Users are advised to update to patch. The bug was identified by a freelance journalist H. Böck in 2014 but has only received importance these days and in a dedicated update it has been patched in most repositories. The vulnerability, can be triggered by sending an “OPTIONS” request to the target server, usually used by users to determine which HTTP requests are supported by the server. Under certain conditions, however, the web server may attach the memory data to the response. It should be pointed out that Optionsbleed is no way closest to major matter like Heartbleed, under certain circumstances the Optionsbleed vulnerability can lead to leak of random information (including password). Optionsbleed does not represent a serious threat as only 466 sites in the Top 1 Million Alexa seem to be vulnerable.
However, it is still a pretty bad bug, especially for shared hosting environments as they allow each of the “guests” to capture (or at least they can try to do) the information of other users.
Optionsbleed (CVE-2017-9798) : Details & Patch
Affected Versions are Apache Web Server 2.2.34 and prior, Apache Web Server 2.4.x through 2.4.27. These conditions relate to the usage of the “Limit” option in .htaccess file, the bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method :
---
1 2 3 | <Limit I-Do-Not-Know> Deny me, you, whatever </Limit> |
Obviously the case will be very less prevalent. Most importantly for virtual servers and dedicated servers, Apache official website does not recommend using .htaccess file over the main settings file for better performance.
This bug can be triggered on an Apache Web Server hosting multiple websites on the same web server, and the Limit setting of the webserver’s .htaccess file contains the same HTTP method as any of the individual web site’s .htaccess file being hosted by that server or on any Apache Web Server, regardless of the number of hosted websites, if a non-existent or invalid method is included in the Limit setting of the .htaccess file. Here are some official sources and the patch :
1 2 3 4 5 6 7 8 | https://nakedsecurity.sophos.com/2017/09/19/apache-optionsbleed-vulnerability-what-you-need-to-know/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798 https://www.safecomputing.umich.edu/security-alerts/patch-apache-web-servers-optionsbleed-vulnerability https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html https://www.cisecurity.org/optionsbleed-vulnerability-for-apache-web-servers/ https://support.plesk.com/hc/en-us/articles/115002176913-CVE-2017-9798-Optionsbleed-Apache-memory-leak https://github.com/hannob/optionsbleed https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch |
