Use-after-free error in apache2 (Alpine package)



Published: 2017-07-10
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-9789
CWE-ID CWE-416
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		apache2 (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use-after-free error

EUVDB-ID: #VU7518

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-9789

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the targeted system.

The weakness exists due to use-after-free condition in the mod_http2 function. A remote attacker can trigger memory corruption and cause the server to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

apache2 (Alpine package): 2.4.26-r0

External links

http://git.alpinelinux.org/aports/commit/?id=33c9b879e1ac2712ea308a9c9e642d83b54d690d
http://git.alpinelinux.org/aports/commit/?id=6b9a79f0701cb33053c40b36978e1774a9e90d8e
http://git.alpinelinux.org/aports/commit/?id=833fa41a4d6d73d87df385db7cb1effb9cadada5
http://git.alpinelinux.org/aports/commit/?id=c21717b071b1dcd50c33619ba3785fd9dfbb3640
http://git.alpinelinux.org/aports/commit/?id=c44d3bbc2aeb49f7b8d0b68adaaadeef824b4029


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###