SB2016070601 - Certificate authentication bypass in Apache HTTP Server
Published: July 6, 2016
Security Bulletin ID
SB2016070601
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Client certificate authentication bypass (CVE-ID: CVE-2016-4979)
The vulnerability allows a remote attacker to bypass client certificate authentication.
The vulnerability exists due to HTTP/2 certificate validation error. A remote unauthenticated attacker can bypass client certificate authentication and access web resources on the target system.
Systems using the mod_http2 module with activated h2 and h2c protocols in configuration are affected.
Successful exploitation of this vulnerability may result unauthorized access to resources on the web server.
Remediation
Install update from vendor's website.