OptionsBleed - CVE-2017-9798
There is a new vulnerability that was discovered within Apache called OptionsBleed. The vulnerability has the ability to, if exploited, leak Apache’s server memory.
The quick way to test if your server/site is affected is to download the Python script and run it against your server/site. The script can be found on GitHub. The longer way to determine if your server/site is affected is below.
Is there a patch to apply for Apache under RHEL/CentOS?
As of September 21, 2017, there is not a patch. There are only mitigation steps. Apache is working on a patch, however.
Is the Apache version my server is running affected?
To check RHEL/CentOS servers, log into the server as the root user and run the following:
If the server reports either RHEL/CentOS 6 or RHEL/CentOS 7, you are affected. Additionally, RHEL 5 is affected but will not be fixed per Red Hat.
If the Apache version is affected, do any of the Apache configurations have the Limit directive in them? What are the mitigation steps for that?
To check this, log into the server as the root user and run the following:
This will provide a list of all of your sites on the server and their path. If the path is /etc/httpd/conf.d/*.conf, run the following command to determine if the Limit directive is used in any of the configuration files:
grep –i "Limit" /etc/httpd/conf.d/*.conf
Any configuration files returned are potentially affected and should be addressed. You will then need to make sure that each of these configurations is using valid HTTP methods. Any invalid HTTP methods should be deleted. The currently valid HTTP methods are as follow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE
What about .htaccess files with the Limit directive? What are the mitigation steps for that?
To find all of the .htaccess files on your server, run the following command:
This will update the location database on the server. Once this is done (you can check by running the jobs command and it will report ‘Done’ if so), you can then run the command below to find all instances of .htaccess:
Alternatively, you can run the following command if your websites are all in /var/www/:
find /var/www/ -name ".htaccess" –print
This will a list of all .htaccess files on the server. To check if any of the .htaccess files have the Limit directive in them, run the following command at the prompt:
find /var/www/ -name ".htaccess" | xargs grep "Limit"
You will then need to make sure that each of these files is using valid HTTP methods. Any invalid HTTP methods should be deleted. The currently valid HTTP methods are as follow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE.
Owner: Edge Hosting Security
Questions: 410-248-8800 Option 2, portal ticket, or firstname.lastname@example.org
Effective Date: September 21, 2017