CVE-2017-9798: Use After Free

Published Sep 11, 2017
·
Updated

A use-after free vulnerability was found in apache httpd. There's an apache configuration directive <Limit> that can be used to restrict access to certain HTTP methods. If one sets this inside an .htaccess file with an HTTP method that's not registered in the server the bug happens (e.g. set <Limit INVALID></Limit> in .htaccess). The reason is that at that point the variables used to build up the "Allow" header have already been freed, as it's not expecting any more changes to it.

Note that the bug only appears with OPTIONS requests to a specific path, not with "" OPTIONS requests.

An attacker on a shared hosting could could deliberately create an .htaccess file triggering the bug and subsequently try to exfiltrate data pieces from the global apache process that may contain secrets like password hashes.

Upstream patch:

https://svn.apache.org/viewvc?view=revision&revision=1807754

Other sources

A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash.

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the aplimitsection function in server/core.c.

apache. Multiple issues were addressed by updating to version 2.4.28.

Credit

Hanno Böck

Affected Software

49 affected componentsFixes available
redhat/jbcs-httpd24-httpd<0:2.4.23-125.jbcs.el6
0:2.4.23-125.jbcs.el6
redhat/jbcs-httpd24-httpd<0:2.4.23-125.jbcs.el7
0:2.4.23-125.jbcs.el7
redhat/httpd<0:2.2.15-60.el6_9.6
0:2.2.15-60.el6_9.6
redhat/httpd<0:2.2.15-47.el6_7.5
0:2.2.15-47.el6_7.5
redhat/httpd<0:2.4.6-67.el7_4.5
0:2.4.6-67.el7_4.5
redhat/httpd<0:2.4.6-40.el7_2.6
0:2.4.6-40.el7_2.6
redhat/httpd<0:2.4.6-45.el7_3.5
0:2.4.6-45.el7_3.5
redhat/httpd<0:2.2.26-57.ep6.el6
0:2.2.26-57.ep6.el6
redhat/jbcs-httpd24-openssl<1:1.0.2h-14.jbcs.el6
1:1.0.2h-14.jbcs.el6
redhat/httpd22<0:2.2.26-58.ep6.el7
0:2.2.26-58.ep6.el7
redhat/jbcs-httpd24-openssl<1:1.0.2h-14.jbcs.el7
1:1.0.2h-14.jbcs.el7
redhat/tomcat6<0:6.0.41-19_patch_04.ep6.el6
0:6.0.41-19_patch_04.ep6.el6
redhat/tomcat7<0:7.0.54-28_patch_05.ep6.el6
0:7.0.54-28_patch_05.ep6.el6
redhat/tomcat6<0:6.0.41-19_patch_04.ep6.el7
0:6.0.41-19_patch_04.ep6.el7
redhat/tomcat7<0:7.0.54-28_patch_05.ep6.el7
0:7.0.54-28_patch_05.ep6.el7
redhat/httpd24<0:1.1-18.el6
0:1.1-18.el6
redhat/httpd24-httpd<0:2.4.27-8.el6
0:2.4.27-8.el6
redhat/httpd24<0:1.1-18.el7
0:1.1-18.el7
redhat/httpd24-curl<0:7.47.1-4.el7
0:7.47.1-4.el7
redhat/httpd24-httpd<0:2.4.27-8.el7
0:2.4.27-8.el7
redhat/httpd24-nghttp2<0:1.7.1-6.el7
0:1.7.1-6.el7
redhat/httpd<2.4.28
2.4.28
redhat/httpd<2.2.35
2.2.35
Apple macOS High Sierra<10.13.2
10.13.2
Apple Sierra
Apple El Capitan
Apache HTTP Server<=2.2.34
Apache HTTP Server=2.4.0
Apache HTTP Server=2.4.1
Apache HTTP Server=2.4.2
Apache HTTP Server=2.4.3
Apache HTTP Server=2.4.4
Apache HTTP Server=2.4.6
Apache HTTP Server=2.4.7
Apache HTTP Server=2.4.9
Apache HTTP Server=2.4.10
Apache HTTP Server=2.4.12
Apache HTTP Server=2.4.16
Apache HTTP Server=2.4.17
Apache HTTP Server=2.4.18
Apache HTTP Server=2.4.20
Apache HTTP Server=2.4.23
Apache HTTP Server=2.4.25
Apache HTTP Server=2.4.26
Apache HTTP Server=2.4.27
Debian Debian Linux=7.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
debian/apache2
2.4.62-1~deb11u12.4.65-1~deb11u12.4.65-1~deb12u12.4.62-1~deb12u22.4.65-22.4.65-3

Remediation

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Patch Available

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Patch Available

https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch

Patch Available

https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67a

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Patch Available

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Information

This issue can be mitigated by configuring httpd to disallow the use of the "Limit" configuration directive in .htaccess files. The set of directives that can be used in .htaccess files is configured using the "AllowOverride" directive. Refer to Red Hat Bugzilla bug 1490344 for further details: https://bugzilla.redhat.com/show_bug.cgi?id=1490344#c18

Event History

Sep 11, 2017
Data Sourced
via Red Hat·11:46 AM
DescriptionSeverityAffected Software
Sep 18, 2017
CVE Published
12:00 AM
CVE Published
via MITRE·03:00 PM
Data Sourced
via MITRE·03:00 PM
DescriptionWeakness
Data Sourced
via NVD·03:29 PM
RemedyDescriptionSeverityWeaknessAffected Software
Nov 4, 2025
Data Sourced
via Debian·04:15 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2017-9798?

The severity of CVE-2017-9798 is high with a score of 7.5.

2

How can an attacker exploit CVE-2017-9798?

An attacker can exploit CVE-2017-9798 by sending a specially crafted request that triggers an information leak from the server's memory.

3

Which versions of Apache httpd are affected by CVE-2017-9798?

The Apache HTTP Server versions through 2.2.34 and 2.4.x through 2.4.27 are affected by CVE-2017-9798.

4

What is Optionsbleed?

Optionsbleed is a vulnerability in Apache httpd that allows remote attackers to read secret data from process memory.

5

How can I mitigate CVE-2017-9798?

To mitigate CVE-2017-9798, update Apache httpd to version 2.4.28 or apply the appropriate patch provided by the vendor.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203