CVE-2017-3167: Critical severity Apple macOS High Sierra vulnerability

Q: What is CVE-2017-3167?

CVE-2017-3167 is a vulnerability in Apache httpd that allows bypassing authentication requirements.

Q: What is the severity of CVE-2017-3167?

The severity of CVE-2017-3167 is critical with a CVSS score of 9.8.

Q: How can I fix CVE-2017-3167?

To fix CVE-2017-3167, update Apache httpd to version 2.2.34 or 2.4.26 depending on the installed version.

Q: Is macOS High Sierra affected by CVE-2017-3167?

macOS High Sierra is affected by CVE-2017-3167 and should be updated to version 10.13.1 or higher to mitigate the vulnerability.

Q: Where can I find more information about CVE-2017-3167?

More information about CVE-2017-3167 can be found at the following references: [Link 1](https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E), [Link 2](https://httpd.apache.org/security/vulnerabilities_24.html), [Link 3](https://httpd.apache.org/security/vulnerabilities_22.html).

Published Jun 20, 2017

Updated

apache. Multiple issues were addressed by updating to version 2.4.27.

Other sources

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the apgetbasicauthpw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

— MITRE

Use of the apgetbasicauthpw() in Apache httpd by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

References:

https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E

External References:

https://httpd.apache.org/security/vulnerabilities24.html https://httpd.apache.org/security/vulnerabilities22.html

— Red Hat

Credit

CVE-2016-0736, CVE-2016-2161, CVE-2016-5387, CVE-2016-8740, CVE-2016-8743, CVE-2017-3167, CVE-2017-3169, CVE-2017-7659, CVE-2017-7668, CVE-2017-7679, CVE-2017-9788, CVE-2017-9789

Affected Software

43 affected componentsFixes available

redhat/httpd<2.2.34

2.2.34

redhat/httpd<2.4.26

2.4.26

Apple macOS High Sierra<10.13.1

10.13.1

Apple Sierra

Apple El Capitan

Apache HTTP Server>=2.2.0<2.2.33

Apache HTTP Server>=2.4.0<2.4.26

NetApp Clustered Data ONTAP

NetApp Oncommand Unified Manager 7-mode

NetApp Storagegrid

redhat Enterprise Linux Desktop=6.0

redhat Enterprise Linux Desktop=7.0

redhat Enterprise Linux Eus=6.7

redhat Enterprise Linux Eus=7.2

redhat Enterprise Linux Eus=7.3

redhat Enterprise Linux Eus=7.4

redhat Enterprise Linux Eus=7.5

redhat Enterprise Linux Eus=7.6

redhat Enterprise Linux Eus=7.7

redhat Enterprise Linux Server=6.0

redhat Enterprise Linux Server=7.0

redhat Enterprise Linux Server Aus=7.2

redhat Enterprise Linux Server Aus=7.3

redhat Enterprise Linux Server Aus=7.4

redhat Enterprise Linux Server Aus=7.6

redhat Enterprise Linux Server Aus=7.7

redhat Enterprise Linux Server Tus=7.2

redhat Enterprise Linux Server Tus=7.3

redhat Enterprise Linux Server Tus=7.4

redhat Enterprise Linux Server Tus=7.6

redhat Enterprise Linux Server Tus=7.7

redhat Enterprise Linux Workstation=6.0

redhat Enterprise Linux Workstation=7.0

redhat JBoss Core Services=1.0

redhat Enterprise Linux=6.0

redhat Enterprise Linux=7.0

Apple iOS and macOS<10.13.1

Debian Debian Linux=8.0

Debian Debian Linux=9.0

Oracle Secure Global Desktop=5.3

All of the following

redhat JBoss Core Services=1.0

Any of the following

redhat Enterprise Linux=6.0

redhat Enterprise Linux=7.0

Remediation

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Patch Available

https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E

Event History

Jun 20, 2017

CVE Published

via MITRE·01:00 AM

Data Sourced

via MITRE·01:00 AM

DescriptionWeakness

Data Sourced

via NVD·01:29 AM

RemedyDescriptionSeverityWeaknessAffected Software

Data Sourced

via Red Hat·11:15 AM

DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

HT208221

Peer vulnerabilities

Found alongside the following vulnerabilities.

CVE-2016-0736
CVE-2016-2161
CVE-2016-5387
CVE-2016-8740
CVE-2016-8743
CVE-2017-3167
CVE-2017-3169
CVE-2017-7659
CVE-2017-7668
CVE-2017-7679
CVE-2017-9788
CVE-2017-9789
CVE-2017-13786
CVE-2017-13800
CVE-2017-13809
CVE-2017-13820
CVE-2017-13807
CVE-2017-13829
CVE-2017-13833
CVE-2017-13821
CVE-2017-13825
CVE-2017-1000100
CVE-2017-1000101
CVE-2017-13801
CVE-2017-13815
CVE-2017-13828
CVE-2017-13811
CVE-2017-13830
CVE-2017-11103
CVE-2017-13819
CVE-2017-13814
CVE-2017-13831
CVE-2017-13906
CVE-2017-13810
CVE-2017-13817
CVE-2017-13818
CVE-2017-13836
CVE-2017-13841
CVE-2017-13840
CVE-2017-13842
CVE-2017-13782
CVE-2017-13843
CVE-2017-13834
CVE-2017-13799
CVE-2017-13852
CVE-2017-13813
CVE-2017-13812
CVE-2016-4736
CVE-2017-5969
CVE-2017-5130
CVE-2017-7376
CVE-2017-9050
CVE-2017-9049
CVE-2018-4390
CVE-2018-4391
CVE-2017-13907
CVE-2017-13824
CVE-2017-13846
CVE-2017-10140
CVE-2017-13822
CVE-2017-7132
CVE-2017-13823
CVE-2017-13808
CVE-2017-13838
CVE-2017-7170
CVE-2017-7150
CVE-2017-13908
CVE-2017-13804
CVE-2017-11108
CVE-2017-11541
CVE-2017-11542
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725
CVE-2017-13077
CVE-2017-13078
CVE-2017-13080

Frequently Asked Questions

What is CVE-2017-3167?

CVE-2017-3167 is a vulnerability in Apache httpd that allows bypassing authentication requirements.

What is the severity of CVE-2017-3167?

The severity of CVE-2017-3167 is critical with a CVSS score of 9.8.

How can I fix CVE-2017-3167?

To fix CVE-2017-3167, update Apache httpd to version 2.2.34 or 2.4.26 depending on the installed version.

Is macOS High Sierra affected by CVE-2017-3167?

macOS High Sierra is affected by CVE-2017-3167 and should be updated to version 10.13.1 or higher to mitigate the vulnerability.

Where can I find more information about CVE-2017-3167?

More information about CVE-2017-3167 can be found at the following references: [Link 1](https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E), [Link 2](https://httpd.apache.org/security/vulnerabilities_24.html), [Link 3](https://httpd.apache.org/security/vulnerabilities_22.html).

CVE-2017-3167: Critical severity Apple macOS High Sierra vulnerability

Other sources

Credit

Affected Software

Remediation

Patch Available

Patch Available

Event History

Parent advisories

Peer vulnerabilities

Don't miss critical vulnerabilities

Frequently Asked Questions

What is CVE-2017-3167?

What is the severity of CVE-2017-3167?

How can I fix CVE-2017-3167?

Is macOS High Sierra affected by CVE-2017-3167?

Where can I find more information about CVE-2017-3167?

Company

Resources

Contact