SB2017070679 - Out-of-bound read in apache2 (Alpine package)
Published: July 6, 2017
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bound read (CVE-ID: CVE-2017-7668)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing token lists within the ap_find_token() function. A remote unauthenticated attacker can create a specially crafted sequence of HTTP headers that causes the search to refer to data past the end of the search string.
Successful exploitation of this vulnerability results in a segmentation fault and web server crash.
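A simplified illustration of this bug class, added here as an example; it is not Apache's ap_find_token() code. The separator set, the find_token() helper, the way the terminator is mishandled and the sample buffer are assumptions constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: the header value is the C string "keep-alive, ";
 * the bytes after its terminator stand in for unrelated adjacent memory. */
static const char sample[] = "keep-alive, \0upgrade";

/* Separator set for this sketch (an assumption, not Apache's table). */
static int is_sep(unsigned char c) { return c == ',' || c == ' ' || c == '\t'; }

/*
 * Search a separator-delimited list for tok (case-insensitive).
 * buf/len describe the whole backing buffer, so the demo itself never
 * leaves allocated memory; the search string is the C string at buf.
 * nul_is_sep = 1 models the defect: the terminator is treated as one
 * more separator and skipped. nul_is_sep = 0 is the bounded form.
 * Returns the offset of the matching token, or -1 if none is found.
 */
static long find_token(const char *buf, size_t len, const char *tok, int nul_is_sep)
{
    size_t i = 0, tl = strlen(tok);
    while (i < len) {
        /* skip separators in front of the next token */
        while (i < len && (is_sep((unsigned char)buf[i]) ||
                           (nul_is_sep && buf[i] == '\0')))
            i++;
        /* bounded form: the terminator ends the search */
        if (i >= len || buf[i] == '\0')
            return -1;
        size_t start = i;
        /* advance to the end of the token */
        while (i < len && buf[i] != '\0' && !is_sep((unsigned char)buf[i]))
            i++;
        if (i - start == tl && strncasecmp(buf + start, tok, tl) == 0)
            return (long)start;
    }
    return -1;
}

int main(void)
{
    long bad = find_token(sample, sizeof sample, "upgrade", 1);
    long ok = find_token(sample, sizeof sample, "upgrade", 0);
    printf("string length: %zu\n", strlen(sample));
    printf("defective scan matched at offset %ld (past the terminator)\n", bad);
    printf("bounded scan result: %ld\n", ok);
    return 0;
}
```

In a real server the bytes after the terminator are not a controlled buffer, so the same scan can run into unmapped memory and fault, which is the crash the bulletin describes.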
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=33c9b879e1ac2712ea308a9c9e642d83b54d690d
- https://git.alpinelinux.org/aports/commit/?id=123bd575ef649725247a39822c96929fc1d5e06b
- https://git.alpinelinux.org/aports/commit/?id=a565b281e6104e1e1f7ec2b18e1e43353c71a483
- https://git.alpinelinux.org/aports/commit/?id=c930c29f44d1c8c27a01acc3e871b48922d3b620
- https://git.alpinelinux.org/aports/commit/?id=f0f780e35d42ebf1bbacad2015da18bf1c42dc74