A Vulnerability in Apache Web Server (a.k.a. Optionsbleed) Could Allow for Information Disclosure

ITS Advisory Number: 
2017-090
Date(s) Issued: 
Thursday, September 21, 2017
Subject: 
A Vulnerability in Apache Web Server (a.k.a. Optionsbleed) Could Allow for Information Disclosure
Overview: 

A vulnerability has been discovered in Apache Web Server that could allow for information disclosure. This vulnerability has been named Optionsbleed due to the HTTP method request used to exploit it. Apache Web Server is open source server software that is maintained by the Apache Software Foundation. Successful exploitation of this vulnerability could allow for unauthorized viewing of sensitive information.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being actively exploited in the wild. 

Systems Affected: 
  • Apache Web Server version 2.2.34 and prior
  • Apache Web Server version 2.4.27 and prior
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
Medium
BUSINESS
Large and medium business entities: 
High
Small business entities: 
Medium
Home Users: 
N/A
Description: 

A vulnerability has been discovered in Apache Web Server that could allow for information disclosure. The Optionsbleed vulnerability exists when a misconfigured .htaccess file causes the OPTIONS response to contain data from memory. If any of the HTTP methods an administrator configures in their settings are not applicable, the Optionsbleed vulnerability is triggered and the data returned comes from the memory of the Apache server software, which can include content from other websites or from the server itself and possibly include sensitive information.

An unauthenticated, remote attacker can purposely trigger the vulnerability by sending an HTTP OPTIONS request to the server, affecting both environments where multiple websites are on the same web server or when a single website is on a web server. This can be triggered:

  • on an Apache Web Server hosting multiple websites on the same web server and when the Limit setting of the webserver's .htaccess file contains the same HTTP method as any of the individual web site's .htaccess file being hosted by that server;
  • or on any Apache Web Server, regardless of the number of hosted websites, if a non-existent or invalid method is included in the Limit setting of the .htaccess file.

An unauthenticated, remote attacker can also create a website on the web server and purposefully trigger the Optionsbleed bug in their .htaccess file and continuously run OPTIONS requests in order to gather leaked data from a webserver.

Successful exploitation of this vulnerability results in additional information being returned that could possibly contain sensitive information.

Actions: 
  • After appropriate testing, immediately apply the patch that is available from Apache source code servers.
  • Ensure that your hosting provider is running a non-affected version of Apache Web Server.
  • For locally hosted Apache Web Servers, verify the .htaccess file configuration.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Frequently validate type and content of uploaded data.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.