The Apache HTTPd 2.4.26, released Monday, is a security release that contains patches for five vulnerabilities rated important. The flaws could allow attackers to bypass authentication requirements, crash the server process, or trigger buffer overreads.
Four of these vulnerabilities also affect Apache HTTPd 2.2.x and will be addressed in version 2.2.33, which hasn’t been released yet. Until then, the server developers released patches that can be applied manually.
The authentication bypass vulnerability, CVE-2017-3167, is the most serious one and received a preliminary rating of 7.4 in the Common Vulnerability Scoring System (CVSS) from Red Hat.
The issue stems from the use of the ap_get_basic_auth_pw() function and can result in requests being incorrectly authenticated. The Apache HTTP Server Project recommends that third-party module developers start using the ap_get_basic_auth_components() function instead.
A NULL pointer dereference can occur in mod_ssl when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. This issue, tracked as CVE-2017-3169, can lead to a denial-of-service (DoS) condition.
Another NULL pointer dereference issue (CVE-2017-7659) that can lead to a server crash was identified and fixed in mod_http2. This vulnerability only affects the 2.4.x HTTPd branch and can be exploited by sending a maliciously crafted HTTP/2 request to the server.
The other two patched vulnerabilities, CVE-2017-7668 and CVE-2017-7679, are buffer overreads in ap_find_token() and mod_mime, respectively. Attackers can exploit these issues to cause segmentation faults by sending a malicious sequence of request headers to the server or by sending a specially crafted Content-Type response header.
Web server administrators should monitor for updated HTTPd packages from their Linux distributions and should apply the patches as soon as possible to avoid potential attacks.
Red Hat is a sponsor of The New Stack.
Feature image via Pixabay.