| Description: | Summary:
The remote host is missing an update for the 'httpd'
package(s) announced via the referenced advisory.
Vulnerability Insight:
The httpd packages provide the Apache HTTP
Server, a powerful, efficient, and extensible web server. Security Fix(es): * It
was discovered that the httpd's mod_auth_digest module did not properly
initialize memory before using it when processing certain headers related to
digest authentication. A remote attacker could possibly use this flaw to
disclose potentially sensitive information or cause httpd child process to crash
by sending specially crafted requests to a server. (CVE-2017-9788) * It was
discovered that the use of httpd's ap_get_basic_auth_pw() API function outside
of the authentication phase could lead to authentication bypass. A remote
attacker could possibly use this flaw to bypass required authentication if the
API was used incorrectly by one of the modules used by httpd. (CVE-2017-3167) *
A NULL pointer dereference flaw was found in the httpd's mod_ssl module. A
remote attacker could use this flaw to cause an httpd child process to crash if
another module used by httpd called a certain API function during the processing
of an HTTPS request. (CVE-2017-3169) * A buffer over-read flaw was found in the
httpd's ap_find_token() function. A remote attacker could use this flaw to cause
httpd child process to crash via a specially crafted HTTP request.
(CVE-2017-7668) * A buffer over-read flaw was found in the httpd's mod_mime
module. A user permitted to modify httpd's MIME configuration could use this
flaw to cause httpd child process to crash. (CVE-2017-7679)
Affected Software/OS:
httpd on Red Hat Enterprise Linux Server (v. 7)
Solution:
Please Install the Updated Packages.
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
