SA154: Apache httpd Vulnerabilities June 2017
SUMMARY
Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can cause denial of service through application crashes or bypass required authentication.
AFFECTED PRODUCTS
The following products are vulnerable:
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3169 CVE-2017-7679 |
2.3 and later | Not vulnerable, fixed in 2.3.1.1 |
| 2.2 | Upgrade to later release with fixes. | |
| 1.3, 2.1 | Not vulnerable | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3167, CVE-2017-3169 CVE-2017-7679 |
6.1 | Upgrade to a version of MC with the fixes. |
| Malware Analysis (MA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3167, CVE-2017-3169 CVE-2017-7668, CVE-2017-7679 |
4.2 | Upgrade to 4.2.12. |
| Security Analytics | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-3167, CVE-2017-3169 CVE-2017-7679 |
8.0 and later | Not vulnerable, fixed in 8.0.1. |
| 7.3 | Upgrade to 7.3.2. | |
| 7.2 | Upgrade to 7.2.5. | |
| 7.1 | Upgrade to later release with fixes. | |
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
SSL Visibility
Unified Agent
Web Isolation
WSS Agent
X-Series XOS
ISSUES
| CVE-2017-3167 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99135 / NVD: CVE-2017-3167 |
| Impact | Authentication bypass |
| Description | A flaw in third-party Apache httpd modules allows a remote attacker to bypass required authentication. |
| CVE-2017-3169 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99134 / NVD: CVE-2017-3169 |
| Impact | Denial of service |
| Description | A flaw in third-party Apache httpd modules allows a remote attacker to send HTTP requests to an HTTPS port and cause denial of service through application crashes. |
| CVE-2017-7659 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 99132 / NVD: CVE-2017-7659 |
| Impact | Denial of service |
| Description | A flaw in HTTP/2 request parsing allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through application crashes. |
| CVE-2017-7668 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99137 / NVD: CVE-2017-7668 |
| Impact | Denial of service |
| Description | A buffer overread flaw in HTTP request parsing allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes or have unspecified other impact. |
| CVE-2017-7679 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99170 / NVD: CVE-2017-7679 |
| Impact | Denial of service |
| Description | A buffer overread flaw in HTTP response generation allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes. |
MITIGATION
These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
By default, Director and MA do not use HTTP Basic Access Authentication in Apache httpd. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-3167.
REFERENCES
Apache httpd 2.2 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_22.html
Apache httpd 2.4 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_24.html
REVISION
2021-05-19 A fix for Security Analytics 7.2 is available in 7.2.5. WSS Agent is not vulnerable. Moving Advisory Status to Closed.
2020-11-18 A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for Security Analytics 7.3 is available in 7.3.2. Fixes will not be provided for Security Analytics 7.1 and CA 2.2. Please upgrade to a later release with the vulnerabilities fixes. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.4. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2018-07-23 A fix for MA is available in 4.2.12.
2018-04-22 Previously it was reported that Content Analysis is not vulnerable. Further investigation indicates that CA 2.2 is vulnerable to CVE-2017-3169 and CVE-2017-7679. CA 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2017-08-30 Added remaining CVSS v2 scores.
2017-07-20 initial public release