Subject:
Mitigation Strategy for Apache 2.2.x < 2.2.33-dev / 2.4.x < 2.4.26: Addressing Critical Vulnerabilities
Tech Stack:
Apache HTTP Server
Date(s) Issued:
- Published: 06/19/2017
- NVD Last Modified: 04/11/2022
Criticality:
- CVSS v2: High, Base Score: 7.5
- CVSS v3: Critical, Base Score: 9.8
Overview:
Multiple critical vulnerabilities have been identified in Apache HTTP Server versions 2.2.x before 2.2.33-dev and 2.4.x before 2.4.26, including authentication bypass, denial of service (DoS), and information disclosure vulnerabilities. Exploitation of these vulnerabilities could allow unauthenticated attackers to bypass authentication requirements, cause a DoS condition, or disclose sensitive information.
Vulnerabilities include:
- CVE-2017-3167: Authentication bypass via ap_get_basic_auth_pw() function misuse.
- CVE-2017-3169 and CVE-2017-7659: DoS via NULL pointer dereference in mod_ssl and mod_http2.
- CVE-2017-7668 and CVE-2017-7679: DoS or sensitive information disclosure via out-of-bounds read in ap_find_token() and mod_mime.
Solution/Mitigation:
-
Upgrade:
- Immediately upgrade to Apache version 2.2.33-dev (for 2.2.x users) or 2.4.26 (for 2.4.x users) or later versions to address these vulnerabilities. Upgrading is the most effective way to mitigate these vulnerabilities.
-
Alternative Measures:
- If an immediate upgrade is not feasible, implement the following temporary measures:
- Access Control: Restrict network access to the Apache server to trusted users and networks.
- Monitoring: Increase monitoring of Apache HTTP Server logs for unusual activities that might indicate an attempt to exploit these vulnerabilities.
-
Sanitize Input:
- While not directly applicable to the vulnerabilities mentioned, always ensure input is properly sanitized to reduce the risk of future vulnerabilities being exploited.
-
Additional Steps:
- Network Segmentation: Implement network segmentation to minimize the impact of a potential compromise.
- Principle of Least Privilege: Ensure that Apache processes run with the least privileges necessary for functionality.
- Security Patches: Regularly apply security patches and updates to the Apache server and underlying operating system.
Confirmation & Additional Information:
- Verification: After upgrading, verify the version of Apache HTTP Server to ensure it is no longer vulnerable. Use version disclosure protections to prevent version numbers from being easily discovered by attackers.
- Stay Updated: Continuously monitor Apache HTTP Server's security advisories for any new vulnerabilities and patches.
Official Resources:
Mitigating these vulnerabilities is crucial for maintaining the security and integrity of your Apache HTTP Server installations. Follow the recommended upgrade and mitigation strategies to protect your systems against potential exploits.
