#VU7119 Out-of-bounds read in Apache HTTP Server


Published: 2020-03-18 | Updated: 2021-02-01

Vulnerability identifier: #VU7119

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2017-7679

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Apache HTTP Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to an out-of-bounds read in mod_mime when constructing the Content-Type response header. A remote attacker can read one byte past the end of a buffer by sending a malicious Content-Type response header.

Mitigation
Update Apache HTTP Server to version 2.2.34 or 2.4.26.

Vulnerable software versions

Apache HTTP Server: 2.2.0 - 2.4.25


External links
http://httpd.apache.org/security/vulnerabilities_22.html

