
Apache CVEs

Posted: 2019/06/12 12:30:43
by LukeChatty
Hello
Currently running the following version of Apache HTTPd
httpd-2.4.6.89.el7-centos.x86_64

We have had a security scan which has identified the following vulnerabilities

Apache HTTPD: Weak Digest auth nonce generation in mod_auth_digest (CVE-2018-1312)
Apache HTTPD: Out of bound write in mod_authnz_ldap when using too small Accept-Language values (CVE-2017-15710)
Apache HTTPD: Possible out of bound read in mod_cache_socache (CVE-2018-1303)
Apache HTTPD: mod_session_cookie does not respect expiry time (CVE-2018-17199)

Are these currently in the build provided above? I can't see the CVEs in the change notes, but I can see they were patched in Red Hat httpd24-httpd-2.4.34-7.el7

CVE Information:

https://access.redhat.com/security/cve/CVE-2018-1312 (Affected)
https://access.redhat.com/security/cve/CVE-2017-15710 (Affected)
https://access.redhat.com/security/cve/CVE-2018-1303 (Affected)
https://access.redhat.com/security/cve/CVE-2018-17199 (Affected)
Red Hat Security Advisories:

https://rhn.redhat.com/errata/RHSA-2018-3558.html
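As an added example (not code from the thread, the httpd package or Red Hat), the check a practitioner would run before arguing with a scanner: Red Hat and CentOS record each backported security fix in the RPM's %changelog, normally with the CVE ID, so grepping the installed package's changelog for the scanner's IDs shows whether that build carries the fix. The changelog text below is constructed sample input (the "fixed" variant is hypothetical, written as if the fix had been backported); on a real host feed the function the output of `rpm -q --changelog httpd` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether CVE IDs appear in an RPM
# %changelog. On a real host: cve_status "$(rpm -q --changelog httpd)" CVE-...

# CONSTRUCTED sample changelog in rpm --changelog format. The entries and bug
# numbers are invented; this is not the real httpd-2.4.6-89.el7.centos changelog.
SAMPLE_CHANGELOG='* Tue Nov 06 2018 Example Packager <packager@example.invalid> - 2.4.6-89
- Resolves: #1000001 - constructed entry with no CVE reference
* Mon Jul 02 2018 Example Packager <packager@example.invalid> - 2.4.6-88
- Resolves: #1000002 - another constructed entry, still no CVE reference'

# HYPOTHETICAL changelog, written as if one of the scanner findings had been
# backported, to show what a positive result looks like.
FIXED_CHANGELOG='* Tue Nov 06 2018 Example Packager <packager@example.invalid> - 2.4.6-90
- Resolves: #1000003 - CVE-2018-1312 httpd: weak Digest auth nonce generation in mod_auth_digest
* Tue Nov 06 2018 Example Packager <packager@example.invalid> - 2.4.6-89
- Resolves: #1000001 - constructed entry with no CVE reference'

# changelog_release CHANGELOG_TEXT
# Prints the release string from the newest (first) "* ..." header so you can
# confirm which build the changelog describes.
changelog_release() {
    printf '%s\n' "$1" | sed -n 's/^\* .* - \([^ ]*\)$/\1/p' | head -n 1
}

# cve_status CHANGELOG_TEXT CVE-ID...
# Prints "<id> listed" or "<id> not-listed" per ID. Returns 0 only if every ID
# was found. -w keeps CVE-2018-1312 from matching CVE-2018-13120; -i tolerates
# lowercase "cve-" in hand-written entries.
cve_status() {
    changelog=$1
    shift
    missing=0
    for cve in "$@"; do
        if printf '%s\n' "$changelog" | grep -qiw -- "$cve"; then
            echo "$cve listed"
        else
            echo "$cve not-listed"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone demo: the four IDs from the scan against the constructed changelog.
echo "changelog describes release: $(changelog_release "$SAMPLE_CHANGELOG")"
cve_status "$SAMPLE_CHANGELOG" \
    CVE-2018-1312 CVE-2017-15710 CVE-2018-1303 CVE-2018-17199 \
    || echo "at least one CVE is not referenced in this changelog"
```

A CVE missing from the changelog is strong evidence the fix is not in that build, but the converse needs care: a changelog hit tells you the packager addressed the ID, not that every scanner signature (often keyed on the upstream version string alone) will agree, which is exactly the mismatch this thread is about.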

Re: Apache CVEs

Posted: 2019/06/12 12:59:59
by TrevorH
None of those appear to be fixed in the base version of httpd. 3 of those 4 are marked as severity Low, so I am unsurprised that they are not fixed. The 4th one is Moderate, but the affected module is not enabled by default.

Re: Apache CVEs

Posted: 2019/06/12 13:17:40
by LukeChatty
TrevorH wrote:
2019/06/12 12:59:59
None of those appear to be fixed in the base version of httpd. 3 of those 4 are marked as severity Low, so I am unsurprised that they are not fixed. The 4th one is Moderate, but the affected module is not enabled by default.
Even on the updated version 89 they are not patched?

Our security scan has them as severity High.

Re: Apache CVEs

Posted: 2019/06/12 13:23:20
by TrevorH
Read the links you posted to the Red Hat CVE pages; none of them are High.