Posted to dev@httpd.apache.org by Jacob Champion <jc...@apache.org> on 2017/06/19 22:08:52 UTC

CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Description:
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.

Mitigation:
2.2.x users should either apply the patch available at
https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_components(),
available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the
authentication phase MUST either immediately authenticate the user after
the call, or else stop the request immediately with an error response,
to avoid incorrectly authenticating the current request.

Credit:
The Apache HTTP Server security team would like to thank Emmanuel
Dreyfus for reporting this issue.

References:
https://httpd.apache.org/security_report.html
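As an added illustration (not code from the advisory or from httpd itself), the self-contained C program below models why the mitigation's MUST holds. A minimal struct stands in for httpd's request_rec: the legacy-shaped call records the user on the request before any password check (an assumption modelled on ap_get_basic_auth_pw() in the affected releases), while the components-style call returns user and password without touching the request, so a later check that trusts r->user passes after the unsafe hook even though the password was never verified. The struct, hook names, credential store and Authorization headers are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for httpd's request_rec, constructed for this example. */
typedef struct { const char *authorization; const char *user; const char *ap_auth_type; } req_t;
enum { OK = 0, HTTP_UNAUTHORIZED = 401 };
/* Decode standard base64 into a malloc'd string; NULL on a bad character. */
static char *b64decode(const char *s) {
    const char *tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    char *out = malloc(strlen(s) + 1), *o = out; unsigned v = 0; int bits = 0;
    for (; *s && *s != '='; s++) {
        const char *p = strchr(tbl, *s);
        if (!p) { free(out); return NULL; }
        v = (v << 6) | (unsigned)(p - tbl); bits += 6;
        if (bits >= 8) { bits -= 8; *o++ = (char)((v >> bits) & 0xff); }
    }
    *o = '\0'; return out;
}
/* Side-effect-free parse in the spirit of ap_get_basic_auth_components():
 * the caller gets user and password; nothing on the request changes. */
static int get_basic_auth_components(const req_t *r, char **user, char **pw) {
    if (!r->authorization || strncmp(r->authorization, "Basic ", 6) != 0) return HTTP_UNAUTHORIZED;
    char *dec = b64decode(r->authorization + 6), *colon = dec ? strchr(dec, ':') : NULL;
    if (!colon) { free(dec); return HTTP_UNAUTHORIZED; }
    *colon = '\0'; *user = dec; *pw = colon + 1;
    return OK;
}
/* Legacy shape (assumption, modelled on ap_get_basic_auth_pw() before 2.4.26): user recorded before any password check. */
static int get_basic_auth_pw(req_t *r, char **pw) {
    char *user; int rv = get_basic_auth_components(r, &user, pw);
    if (rv == OK) { r->user = user; r->ap_auth_type = "Basic"; }
    return rv;
}
/* Constructed credential store, and a downstream check that trusts r->user. */
static int password_ok(const char *u, const char *p) { return !strcmp(u, "alice") && !strcmp(p, "s3cret"); }
static int request_looks_authenticated(const req_t *r) { return r->user != NULL; }
/* Unsafe: a hook outside the authentication phase peeks at the credentials and moves on. */
static int unsafe_hook(req_t *r) { char *pw; get_basic_auth_pw(r, &pw); return OK; }
/* Safe, per the advisory: authenticate immediately or stop with an error response. */
static int safe_authn_hook(req_t *r) {
    char *user, *pw;
    if (get_basic_auth_components(r, &user, &pw) != OK) return HTTP_UNAUTHORIZED;
    if (!password_ok(user, pw)) { free(user); return HTTP_UNAUTHORIZED; }
    r->user = user; r->ap_auth_type = "Basic";  /* ownership moves to the request */
    return OK;
}
int main(void) {  /* constructed header: mallory:wrong, never verified */
    req_t r = { "Basic bWFsbG9yeTp3cm9uZw==", NULL, NULL }; unsafe_hook(&r);
    printf("unsafe hook, bad password: looks authenticated = %d\n", request_looks_authenticated(&r)); return 0;
}
```

With the components-style call there is no state to leak between phases, which is why the advisory steers module writers to it.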

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Jun 19, 2017 at 5:49 PM, Jacob Champion <ch...@gmail.com> wrote:
> On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
>>
>> None at all, I have moderation and will push it on.
>
> They are on their way over to you. Thanks for the suggestion.

... and moderated. Thanks!

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Posted by Jacob Champion <ch...@gmail.com>.
On 06/19/2017 03:44 PM, William A Rowe Jr wrote:
> None at all, I have moderation and will push it on.
They are on their way over to you. Thanks for the suggestion.

--Jacob

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Jun 19, 2017 at 5:41 PM, Jacob Champion <ch...@gmail.com> wrote:
> On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
>>
>> Not to announce@httpd? users@ and dev@ aren't particularly
>> broadcast channels.
>>
>> announce@a.o might be too wide an audience, but that's why
>> we document the CVE's with short notes in the foundation-wide
>> release announcement. At least, used to document them.
>
>
> I was following Jim's lead on the first CVE announcement. I'm not opposed to
> a [SECURITY] announcement for all five; just timid. :)
>
> Any opposed to me copying all five to announce@httpd?

None at all, I have moderation and will push it on.

Just FYI you must always send-from your @apache.org identity
when pushing mail to any announce@ list, because all other posts
are pre-filtered before moderation.

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Posted by Jacob Champion <ch...@gmail.com>.
On 06/19/2017 03:35 PM, William A Rowe Jr wrote:
> Not to announce@httpd? users@ and dev@ aren't particularly
> broadcast channels.
> 
> announce@a.o might be too wide an audience, but that's why
> we document the CVE's with short notes in the foundation-wide
> release announcement. At least, used to document them.

I was following Jim's lead on the first CVE announcement. I'm not 
opposed to a [SECURITY] announcement for all five; just timid. :)

Any opposed to me copying all five to announce@httpd?

--Jacob

Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
Not to announce@httpd? users@ and dev@ aren't particularly
broadcast channels.

announce@a.o might be too wide an audience, but that's why
we document the CVE's with short notes in the foundation-wide
release announcement. At least, used to document them.


On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion <jc...@apache.org> wrote:
> CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.2.0 to 2.2.32
> httpd 2.4.0 to 2.4.25
>
> Description:
> Use of the ap_get_basic_auth_pw() by third-party modules outside of the
> authentication phase may lead to authentication requirements being
> bypassed.
>
> Mitigation:
> 2.2.x users should either apply the patch available at
> https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
> or upgrade in the future to 2.2.33, which is currently unreleased.
>
> 2.4.x users should upgrade to 2.4.26.
>
> Third-party module writers SHOULD use ap_get_basic_auth_components(),
> available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
> Modules which call the legacy ap_get_basic_auth_pw() during the
> authentication phase MUST either immediately authenticate the user after
> the call, or else stop the request immediately with an error response,
> to avoid incorrectly authenticating the current request.
>
> Credit:
> The Apache HTTP Server security team would like to thank Emmanuel
> Dreyfus for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html