CERT-In Vulnerability Note
Multiple Vulnerabilities in Apache HTTP server
Original Issue Date: July 14, 2017
Severity Rating: HIGH
- Apache HTTP Server 2.4.1 to 2.4.26
Multiple vulnerabilities have been reported in Apache HTTP Server, which could allow a remote attacker to cause Denial of Service (DoS) and access sensitive information on a targeted system.
1. Information Disclosure Vulnerability
This vulnerability exists in Apache HTTP Server due to improper handling of memory initialization in the mod_auth_digest function. A remote attacker could exploit this vulnerability via a specially crafted "Digest" type HTTP Connection header request to access sensitive information on a targeted system.
2. Use-After-Free Vulnerability
This vulnerability exists in Apache HTTP Server due to a use-after-free condition in the mod_http2 component. A remote attacker could exploit this vulnerability to trigger a memory access error in the "mod_http2.c" file while multiple HTTP/2 connections are being closed.
Successful exploitation of this vulnerability could cause Denial of Service (DoS) conditions on the targeted system.
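A triage check for the affected range and the two modules named above, added here as an example and not part of the CERT-In note or of Apache's own tooling. The function names and sample input are constructed; `auth_digest_module` and `http2_module` are the identifiers that `apachectl -M` reports for mod_auth_digest and mod_http2.

```shell
#!/bin/sh
# Added example: triage helper for this note. Affected range per the note:
# Apache HTTP Server 2.4.1 to 2.4.26 inclusive.

# in_affected_range TEXT: TEXT is the output of `httpd -v` (or `apache2 -v`).
# Returns 0 if the version is in range, 1 if not, 2 if no version was found.
in_affected_range() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
        [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]
}

# exposed_modules TEXT: TEXT is the output of `apachectl -M`.
# Prints the modules named in the note that are loaded, one per line.
exposed_modules() {
    printf '%s\n' "$1" |
        awk '$1 == "auth_digest_module" || $1 == "http2_module" { print $1 }'
}

# assess VERSION_TEXT MODULE_TEXT: prints a single verdict line.
assess() {
    in_affected_range "$1" && rc=0 || rc=$?
    case $rc in
        0)  mods=$(exposed_modules "$2" | tr '\n' ' ')
            if [ -n "$mods" ]; then
                echo "AFFECTED ${mods% }"
            else
                echo "AFFECTED-VERSION-ONLY"   # in range, neither module loaded
            fi ;;
        1)  echo "NOT-IN-RANGE" ;;
        *)  echo "UNKNOWN" ;;                  # no Apache version string found
    esac
}

# Constructed sample input; on a live host use:
#   assess "$(httpd -v)" "$(apachectl -M 2>/dev/null)"
SAMPLE_VERSION='Server version: Apache/2.4.25 (Unix)'
SAMPLE_MODULES=' core_module (static)
 auth_digest_module (shared)
 http2_module (shared)'
assess "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

Distribution packages often backport fixes without changing the upstream version string, so confirm an AFFECTED result against the vendor's package changelog before treating the host as unpatched.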
Apply appropriate updates as mentioned in the following link:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003