Apache httpd CVE-2017-9798 - "OptionsBleed"

On Monday 18 September 2017 Hanno Böck released details of a bug in Apache HTTP Server named "Optionsbleed". Details of the issue are on the Fuzzing Project blog, and there is currently no official Apache release (although your distribution may have patched the issue).

RedShield have evaluated this issue and determined that there's a low chance of it impacting our customers due to the unusual configuration required to trigger the issue. It requires the webserver to be using .htaccess files with Limit clauses for invalid / misconfigured HTTP verbs.

We have developed a Shield for this issue that blocks responses that expose server memory. As the issue is not widespread we will not deploy it across our entire customer base unless requested. Please get in touch with if you're running Apache HTTP Server and using .htaccess files with Limit clauses.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request