CVE-2017-15710 - In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configur

CVE-2017-15710

Summary

In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces an out of bound write of one NUL byte to a memory location that is not part of the string. In the worst case, quite unlikely, the process would crash which could be used as a Denial of Service attack. In the more likely case, this memory is already reserved for future use and the issue has no effect at all.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:storagegrid:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
cpe:2.3:o:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:

CWE

CWE-787

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

redhat via4

advisories

rhsa
id RHSA-2018:3558
rhsa
id RHSA-2019:0366
rhsa
id RHSA-2019:0367

rpms

httpd24-curl-0:7.61.1-1.el6
httpd24-curl-0:7.61.1-1.el7
httpd24-curl-debuginfo-0:7.61.1-1.el6
httpd24-curl-debuginfo-0:7.61.1-1.el7
httpd24-httpd-0:2.4.34-7.el6
httpd24-httpd-0:2.4.34-7.el7
httpd24-httpd-debuginfo-0:2.4.34-7.el6
httpd24-httpd-debuginfo-0:2.4.34-7.el7
httpd24-httpd-devel-0:2.4.34-7.el6
httpd24-httpd-devel-0:2.4.34-7.el7
httpd24-httpd-manual-0:2.4.34-7.el6
httpd24-httpd-manual-0:2.4.34-7.el7
httpd24-httpd-tools-0:2.4.34-7.el6
httpd24-httpd-tools-0:2.4.34-7.el7
httpd24-libcurl-0:7.61.1-1.el6
httpd24-libcurl-0:7.61.1-1.el7
httpd24-libcurl-devel-0:7.61.1-1.el6
httpd24-libcurl-devel-0:7.61.1-1.el7
httpd24-libnghttp2-0:1.7.1-7.el6
httpd24-libnghttp2-0:1.7.1-7.el7
httpd24-libnghttp2-devel-0:1.7.1-7.el6
httpd24-libnghttp2-devel-0:1.7.1-7.el7
httpd24-mod_ldap-0:2.4.34-7.el6
httpd24-mod_ldap-0:2.4.34-7.el7
httpd24-mod_md-0:2.4.34-7.el7
httpd24-mod_proxy_html-1:2.4.34-7.el6
httpd24-mod_proxy_html-1:2.4.34-7.el7
httpd24-mod_session-0:2.4.34-7.el6
httpd24-mod_session-0:2.4.34-7.el7
httpd24-mod_ssl-1:2.4.34-7.el6
httpd24-mod_ssl-1:2.4.34-7.el7
httpd24-nghttp2-0:1.7.1-7.el6
httpd24-nghttp2-0:1.7.1-7.el7
httpd24-nghttp2-debuginfo-0:1.7.1-7.el6
httpd24-nghttp2-debuginfo-0:1.7.1-7.el7
jbcs-httpd24-0:1-6.jbcs.el6
jbcs-httpd24-0:1-6.jbcs.el7
jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el6
jbcs-httpd24-apache-commons-daemon-jsvc-1:1.1.0-3.redhat_2.jbcs.el7
jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.1.0-3.redhat_2.jbcs.el6
jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.1.0-3.redhat_2.jbcs.el7
jbcs-httpd24-apr-0:1.6.3-31.jbcs.el6
jbcs-httpd24-apr-0:1.6.3-31.jbcs.el7
jbcs-httpd24-apr-debuginfo-0:1.6.3-31.jbcs.el6
jbcs-httpd24-apr-debuginfo-0:1.6.3-31.jbcs.el7
jbcs-httpd24-apr-devel-0:1.6.3-31.jbcs.el6
jbcs-httpd24-apr-devel-0:1.6.3-31.jbcs.el7
jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-debuginfo-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-debuginfo-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-devel-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-devel-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-ldap-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-ldap-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-mysql-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-mysql-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-nss-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-nss-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-odbc-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-odbc-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-openssl-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-openssl-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-pgsql-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-pgsql-0:1.6.1-24.jbcs.el7
jbcs-httpd24-apr-util-sqlite-0:1.6.1-24.jbcs.el6
jbcs-httpd24-apr-util-sqlite-0:1.6.1-24.jbcs.el7
jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el6
jbcs-httpd24-httpd-0:2.4.29-35.jbcs.el7
jbcs-httpd24-httpd-debuginfo-0:2.4.29-35.jbcs.el6
jbcs-httpd24-httpd-debuginfo-0:2.4.29-35.jbcs.el7
jbcs-httpd24-httpd-devel-0:2.4.29-35.jbcs.el6
jbcs-httpd24-httpd-devel-0:2.4.29-35.jbcs.el7
jbcs-httpd24-httpd-manual-0:2.4.29-35.jbcs.el6
jbcs-httpd24-httpd-manual-0:2.4.29-35.jbcs.el7
jbcs-httpd24-httpd-selinux-0:2.4.29-35.jbcs.el6
jbcs-httpd24-httpd-selinux-0:2.4.29-35.jbcs.el7
jbcs-httpd24-httpd-tools-0:2.4.29-35.jbcs.el6
jbcs-httpd24-httpd-tools-0:2.4.29-35.jbcs.el7
jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el6
jbcs-httpd24-mod_cluster-native-0:1.3.8-3.Final_redhat_2.jbcs.el7
jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.8-3.Final_redhat_2.jbcs.el6
jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.8-3.Final_redhat_2.jbcs.el7
jbcs-httpd24-mod_jk-ap24-0:1.2.46-1.redhat_1.jbcs.el6
jbcs-httpd24-mod_jk-ap24-0:1.2.46-1.redhat_1.jbcs.el7
jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-1.redhat_1.jbcs.el6
jbcs-httpd24-mod_jk-debuginfo-0:1.2.46-1.redhat_1.jbcs.el7
jbcs-httpd24-mod_jk-manual-0:1.2.46-1.redhat_1.jbcs.el6
jbcs-httpd24-mod_jk-manual-0:1.2.46-1.redhat_1.jbcs.el7
jbcs-httpd24-mod_ldap-0:2.4.29-35.jbcs.el6
jbcs-httpd24-mod_ldap-0:2.4.29-35.jbcs.el7
jbcs-httpd24-mod_proxy_html-1:2.4.29-35.jbcs.el6
jbcs-httpd24-mod_proxy_html-1:2.4.29-35.jbcs.el7
jbcs-httpd24-mod_session-0:2.4.29-35.jbcs.el6
jbcs-httpd24-mod_session-0:2.4.29-35.jbcs.el7
jbcs-httpd24-mod_ssl-1:2.4.29-35.jbcs.el6
jbcs-httpd24-mod_ssl-1:2.4.29-35.jbcs.el7
jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el6
jbcs-httpd24-nghttp2-0:1.29.0-9.jbcs.el7
jbcs-httpd24-nghttp2-debuginfo-0:1.29.0-9.jbcs.el6
jbcs-httpd24-nghttp2-debuginfo-0:1.29.0-9.jbcs.el7
jbcs-httpd24-nghttp2-devel-0:1.29.0-9.jbcs.el6
jbcs-httpd24-nghttp2-devel-0:1.29.0-9.jbcs.el7
jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el6
jbcs-httpd24-openssl-1:1.0.2n-14.jbcs.el7
jbcs-httpd24-openssl-debuginfo-1:1.0.2n-14.jbcs.el6
jbcs-httpd24-openssl-debuginfo-1:1.0.2n-14.jbcs.el7
jbcs-httpd24-openssl-devel-1:1.0.2n-14.jbcs.el6
jbcs-httpd24-openssl-devel-1:1.0.2n-14.jbcs.el7
jbcs-httpd24-openssl-libs-1:1.0.2n-14.jbcs.el6
jbcs-httpd24-openssl-libs-1:1.0.2n-14.jbcs.el7
jbcs-httpd24-openssl-perl-1:1.0.2n-14.jbcs.el6
jbcs-httpd24-openssl-perl-1:1.0.2n-14.jbcs.el7
jbcs-httpd24-openssl-static-1:1.0.2n-14.jbcs.el6
jbcs-httpd24-openssl-static-1:1.0.2n-14.jbcs.el7
jbcs-httpd24-runtime-0:1-6.jbcs.el6
jbcs-httpd24-runtime-0:1-6.jbcs.el7
httpd-0:2.4.6-93.el7
httpd-debuginfo-0:2.4.6-93.el7
httpd-devel-0:2.4.6-93.el7
httpd-manual-0:2.4.6-93.el7
httpd-tools-0:2.4.6-93.el7
mod_ldap-0:2.4.6-93.el7
mod_proxy_html-1:2.4.6-93.el7
mod_session-0:2.4.6-93.el7
mod_ssl-1:2.4.6-93.el7

refmap via4

bid	103512
confirm	https://httpd.apache.org/security/vulnerabilities_24.html https://security.netapp.com/advisory/ntap-20180601-0004/ https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us https://www.tenable.com/security/tns-2019-09
debian	DSA-4164
mlist	[debian-lts-announce] 20180530 [SECURITY] [DLA 1389-1] apache2 security update [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [oss-security] 20180323 CVE-2017-15710: Out of bound write in mod_authnz_ldap when using too small Accept-Language values
sectrack	1040569
ubuntu	USN-3627-1 USN-3627-2 USN-3937-2

Last major update

06-06-2021 - 11:15

Published

26-03-2018 - 15:29

Last modified

06-06-2021 - 11:15