
A Vulnerability in Apache Web Server (A.K.A OptionsBleed) Could Allow for Information Disclosure

MS-ISAC ADVISORY NUMBER:

2017-087

DATE(S) ISSUED:

09/20/2017

OVERVIEW:

A vulnerability has been discovered in Apache Web Server that could allow for information disclosure. It has been named OptionsBleed after the HTTP OPTIONS method used to trigger it. Apache Web Server is open source web server software maintained by the Apache Software Foundation. Successful exploitation of this vulnerability could allow for unauthorized viewing of sensitive information.

THREAT INTELLIGENCE:

There are no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Apache Web Server version 2.2.34 and prior
  • Apache Web Server version 2.4.27 and prior

RISK:

Government:
  • Large and medium government entities: N/A
  • Small government entities: N/A
Businesses:
  • Large and medium business entities: N/A
  • Small business entities: N/A
Home Users:
N/A

TECHNICAL SUMMARY:

A vulnerability has been discovered in Apache Web Server that could allow for information disclosure. The OptionsBleed vulnerability exists when a misconfigured .htaccess file causes the response to an HTTP OPTIONS request to contain data from memory. If any HTTP method an administrator lists in a Limit setting is not applicable (for example, a method the server does not recognize), the vulnerability is triggered and the data returned comes from the memory of the Apache server process. That data can include content belonging to other customers on the same server or to the server itself, and may contain sensitive information.

An unauthenticated, remote attacker can deliberately trigger the vulnerability by sending an HTTP OPTIONS request to the server. Both shared servers hosting multiple websites and servers hosting a single website are affected. The vulnerability can be triggered:

  • on an Apache Web Server hosting multiple websites, when the Limit setting in the web server's .htaccess file contains the same HTTP method as the Limit setting in any individual website's .htaccess file hosted on that server;
  • or on any Apache Web Server, regardless of the number of hosted websites, when a non-existent or invalid method is included in the Limit setting of the .htaccess file.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the patch that is available from the Apache source code repository at the following link:
    https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
  • Ensure that your hosting provider is running a non-affected version of Apache Web Server.
  • For locally hosted Apache Web Servers, verify the .htaccess file configuration.
  • Apply patches from your webserver software vendor when available.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Frequently validate type and content of uploaded data.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
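The trigger condition described in the technical summary (a Limit setting naming a method the server does not register) and the recommendation to verify the .htaccess configuration can be checked with a small audit script. The following example is added here and is not part of the advisory or of the Apache project; it assumes the default set of methods Apache registers (modules such as mod_dav may register more, so a flagged entry means "review", not "definitely wrong"), and it runs over a constructed sample .htaccess embedded inline.

```python
import re

# Assumption: methods Apache httpd registers by default. Loaded modules can
# register additional methods, so treat a miss as something to verify.
KNOWN_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK",
    "UNLOCK", "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN",
    "UPDATE", "LABEL", "REPORT", "MKWORKSPACE", "MKACTIVITY",
    "BASELINE-CONTROL", "MERGE",
}

# Opening tag of a <Limit ...> or <LimitExcept ...> container.
LIMIT_RE = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)


def audit_limit_directives(config_text, known_methods=KNOWN_METHODS):
    """Return (line_number, directive, method) for every method named in a
    Limit/LimitExcept container that is not in known_methods.

    Apache compares method names case-sensitively, so a lowercase entry such
    as 'get' is reported too: it is not the registered method GET."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = LIMIT_RE.match(line)
        if not match:
            continue
        directive, methods = match.group(1), match.group(2).split()
        for method in methods:
            if method not in known_methods:
                findings.append((lineno, directive, method))
    return findings


# Constructed sample .htaccess: one clean block, one with an invalid method,
# one with lowercase method names.
SAMPLE_HTACCESS = """\
# constructed sample .htaccess for the audit
<Limit GET POST>
    Require all granted
</Limit>
<Limit PUT DELETE ABCDEFG>
    Require all denied
</Limit>
<LimitExcept get head>
    Require valid-user
</LimitExcept>
"""

if __name__ == "__main__":
    for lineno, directive, method in audit_limit_directives(SAMPLE_HTACCESS):
        print(f"line {lineno}: <{directive}> names unregistered method {method!r}")
```

Run it against each .htaccess (and the main server configuration) on a locally hosted server; any reported method should be removed or confirmed as registered by a loaded module.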


CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 4: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security

CIS BENCHMARK AND OTHER TOOLS FOR RELATED TECHNOLOGY:

  • Apache HTTP Server