Apache HTTP Server Vulnerabilities Jul 2017 - Sep 2018
SUMMARY
Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker can obtain sensitive information, bypass intended security restrictions, modify session information in CGI applications, replay authenticated HTTP requests, and cause denial of service.
AFFECTED PRODUCTS
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-9788 | 1.3, 2.1 | Not vulnerable |
| 2.2 | Upgrade to later version with fixes. | |
| 2.3 and later | Not vulnerable, fixed in 2.3.1.1 | |
| CVE-2018-1301, CVE-2018-1303 | 1.3, 2.1 | Not vulnerable |
| 2.2, 2.3 | Upgrade to later version with fixes. | |
| 2.4, 3.0 | Not available at this time | |
| 3.1 | Upgrade to 3.1.3.2 | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-9788, CVE-2017-9798, CVE-2017-15710, CVE-2018-1301, CVE-2018-1302, CVE-2018-1303, CVE-2018-1312 |
6.1 | Upgrade to a version of MC with the fixes. |
| Malware Analysis (MA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-1301 | 4.2 | Upgrade to 4.2.12. |
| Security Analytics (SA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2018-1301 | 7.1, 7.2, 7.3, 8.0 | Upgrade to later version with fixes. |
| 8.1 | Not vulnerable, fixed in 8.1.1 | |
| CVE-2018-1303 | 7.1, 7.2 | Not vulnerable |
| 7.3, 8.0 | Upgrade to later version with fixes. | |
| 8.1 | Not vulnerable, fixed in 8.1.1 | |
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
Advanced Secure Gateway
AuthConnector
BCAAA
CacheFlow
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
Integrated Secure Gateway (ISG)
IntelligenceCenter
IntelligenceCenter Data Collector
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
SSL Visibility
Unified Agent
Web Isolation
WSS Mobile Agent
X-Series XOS
ISSUES
| CVE-2017-9788 | |
|---|---|
| Severity / CVSSv3 | Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) |
| References | SecurityFocus: BID 99569 / NVD: CVE-2017-9788 |
| Impact | Denial of service |
| Description | A flaw in authorization header handling allows a remote attacker to send HTTP requests with crafted authorization headers and obtain sensitive information from server memory or cause denial of service. |
| CVE-2017-9789 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 99568 / NVD: CVE-2017-9789 |
| Impact | Unspecified |
| Description | A flaw in HTTP/2 handling allows a remote attacker to cause the server, while closing many connections under stress, to behave erratically and have unspecified impact. |
| CVE-2017-9798 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) |
| References | SecurityFocus: BID 100872 / NVD: CVE-2017-9798 |
| Impact | Denial of service |
| Description | A flaw in HTTP method handling allows a remote attacker to send OPTIONS requests and obtain sensitive information from server memory or cause denial of service. |
| CVE-2017-12171 | |
|---|---|
| Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) |
| References | SecurityFocus: BID 101516 / NVD: CVE-2017-12171 |
| Impact | Information disclosure |
| Description | A flaw in configuration parsing allows a web administrator to unintentionally grant access to a restricted HTTP resource to any client. |
| CVE-2017-15710 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 103512 / NVD: CVE-2017-15710 |
| Impact | Denial of service |
| Description | A flaw in request handling allows a remote attacker to send HTTP requests with crafted Accept-Language headers and cause denial-of-service. |
| CVE-2017-15715 | |
|---|---|
| Severity / CVSSv3 | High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| References | SecurityFocus: BID 103525 / NVD: CVE-2017-15715 |
| Impact | Security control bypass |
| Description | A flaw in filename matching allows a remote attacker to upload files with crafted filenames and bypass intended security restrictions. |
| CVE-2018-1283 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N) |
| References | SecurityFocus: BID 103520 / NVD: CVE-2018-1283 |
| Impact | Unauthorized modification of information |
| Description | A flaw in request header handling that allows a remote attacker to modify session information shared from mod_session to CGI applications. |
| CVE-2018-1301 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 103515 / NVD: CVE-2018-1301 |
| Impact | Denial of service |
| Description | A flaw in request header handling that allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service. |
| CVE-2018-1302 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 103528 / NVD: CVE-2018-1302 |
| Impact | Denial of service |
| Description | A flaw in HTTP/2 connection handling allows a remote attacker to send HTTP/2 requests and cause an application crash, resulting in denial of service. |
| CVE-2018-1303 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 103522 / NVD: CVE-2018-1303 |
| Impact | Denial of service |
| Description | A flaw in HTTP request handling allows a remote attacker to send crafted HTTP requests and cause an application crash, resulting in denial of service. |
| CVE-2018-1312 | |
|---|---|
| Severity / CVSSv3 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| References | SecurityFocus: BID 103524 / NVD: CVE-2018-1312 |
| Impact | Authentication bypass |
| Description | A flaw in nonce generation for HTTP Digest authentication challenges allows a remote attacker to replay HTTP requests between servers in the same cluster. |
| CVE-2018-1333 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | NVD: CVE-2018-1333 |
| Impact | Denial of service |
| Description | A flaw in worker allocation allows a remote attacker to send crafted HTTP/2 requests and cause worker exhaustion, resulting in denial of service. |
| CVE-2018-8011 | |
|---|---|
| Severity / CVSSv3 | High / 7.5 ( AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | NVD: CVE-2018-8011 |
| Impact | Denial of service |
| Description | A flaw in request handling allows a remote attacker to send crafted HTTP requests and cause denial-of-service. |
| CVE-2018-11763 | |
|---|---|
| Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| References | SecurityFocus: BID 105414 / NVD: CVE-2018-11763 |
| Impact | Denial of service |
| Description | A flaw in HTTP/2 connection handling allows a remote attacker to send continuous large SETTINGS frames and cause denial-of-service. |
REFERENCES
Apache HTTP Server 2.2 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_22.html
Apache HTTP Server 2.4 vulnerabilities - https://httpd.apache.org/security/vulnerabilities_24.html
REVISION
2022-06-09 Integrated Secure Gateway (ISG) is not vulnerable.
2022-02-16 A fix for CA 3.1 is available in 3.1.3.2.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-18 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable to CVE-2018-1301 and CVE-2018-1303.
2020-04-08 Content Analysis 2.4 and 3.0 are vulnerable to CVE-2018-1301 and CVE-2018-1303. Security Analytics 8.1 is not vulnerable because a fix is available in 8.1.1.
2020-01-19 A fix for MA 4.2 is available in 4.2.12.
2019-10-03 Web Isolation is not vulnerable.
2019-09-04 Security Analytics 7.3 and 8.0 are vulnerable to CVE-2018-1303. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Added remaining CVSS v3 base scores from NVD.
2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-1301.
2018-11-14 Security Analytics 7.1, 7.2, and 7.3 are vulnerable to CVE-2018-1301.
2018-11-07 initial public release