Apache Patches Optionsbleed Flaw in HTTP Server

The Apache HTTP Web Server (commonly referred to simply as ‘Apache’) is the most widely deployed web server in the world, and until last week, it was at risk from a security vulnerability known as Optionsbleed.

The Optionsbleed vulnerability was first publicly disclosed by security researcher Hanno Bock on Sept. 18, with Apache patching the issue in the httpd 2.4.28 web server release that debuted on Oct. 5.

The OPTIONS HTTP method, which Apache supports, provides requesters with information on what HTTP methods a given server supports.

“Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests,” Bock wrote in a blog post. “This can leak pieces of arbitrary memory from the server process that may contain secrets.”

Bock added that the memory pieces change after multiple requests, so for a vulnerable host, an arbitrary number of memory chunks can potentially be leaked. Bock has also published proof of concept code on GitHub to allow organizations to test their systems to see if they are at risk. Bock’s own analysis indicated that at least 466 hosts in the Alexa top 1 million sites were potentially at risk.

Red Hat, one of the many vendors that include Apache HTTP 2.4.x with their operating systems, categorized the issue as having moderate security impact.

“In order to be vulnerable, .htaccess files need to contain an invalid or not globally registered HTTP method in a ‘Limit’ directive,” Red Hat stated in a security advisory.
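The condition Red Hat describes can be audited for in existing .htaccess files. The following Python is an added example, not code from Apache, Red Hat or the researcher; the built-in method list, the function name and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: method names treated as globally registered by a stock httpd
# build. Adjust this set to match your own server.
BUILTIN_METHODS = frozenset({
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "TRACE", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Opening tag of a <Limit ...> or <LimitExcept ...> section. Directive names
# are case-insensitive; the method names inside are case-sensitive.
LIMIT_OPEN = re.compile(r"^\s*<\s*(Limit|LimitExcept)\s+([^>]*)>", re.IGNORECASE)


def audit_htaccess(text, extra_registered=()):
    """Return [(line_no, directive, method)] for every method named in a
    Limit/LimitExcept section that is not globally registered.

    extra_registered: methods your main configuration (httpd.conf) registers.
    """
    known = BUILTIN_METHODS | set(extra_registered)
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):  # skip comment lines
            continue
        match = LIMIT_OPEN.match(raw)
        if not match:
            continue
        for method in match.group(2).split():
            if method not in known:  # e.g. a typo, or lowercase "get"
                findings.append((line_no, match.group(1), method))
    return findings


# Constructed sample .htaccess content (not taken from any real host).
SAMPLE = """\
# constructed sample
AuthType Basic
<Limit GET POST>
  Require valid-user
</Limit>
<Limit get FOOBAR>
  Require all denied
</Limit>
<LimitExcept GET PURGE>
  Require all denied
</LimitExcept>
"""
```

Run `audit_htaccess` over each .htaccess file under the document root; any finding is a file that meets the precondition quoted above on an unpatched server.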

Mitigating the Optionsbleed issue through the .htaccess directive alone isn’t a comprehensive solution and will not entirely remove the risk.

“It is not possible to avoid this defect with untrusted/malicious .htaccess authors without disabling .htaccess files, patching or upgrading to version 2.4.28,” Apache developer William Rowe wrote in a mailing list message.

The patch in Apache HTTPD 2.4.28 provides a more robust answer to the Optionsbleed issue than the initial basic .htaccess mitigation.

“ must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files,” Apache’s change files for the 2.4.28 release state.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
