You are here

Optionsbleed Vulnerability

IDs: 
CVE-2017-9798
Keywords: 
Apache, httpd, optionsbleed
Description: 

Optionsbleed is a vulnerability in the Apache HTTP Server. An attacker may be able to read small memory chunks from the server using the HTTP OPTIONS method. Apache HTTP Server are vulnerable when using the configuration directive Limit together with an invalid HTTP method in a .htaccess file. All versions including 2.4.27 are affected. For further details see [1].

Airlock WAF is not affected, because .htaccess files are disabled. Airlock IAM is not affected since Apache HTTP Server is not used.

Resolution: 

Airlock WAF protects vulnerable back-ends by default because the HTTP method OPTIONS is not allowed in the default configuration (see mapping / allow rules).

If you have to allow the OPTIONS HTTP method on Airlock WAF, for example because you want to allow Cross-Origin Resource Sharing (CORS), you can configure the following custom response action as a virtual patch on all mappings connected to a vulnerable back-end system to prevent exploitation of the vulnerability:

Add a new custom response action under <mapping> - "Response Actions" - "Custom Actions":

Name: Optionsbeed patch (CVE-2017-9798)
Action: Remove Header
Header Name Pattern:

^Allow$

CASE-Sensitivity = OFF, Invert = OFF

Header Value Pattern:

^\x{20}*+(?:[A-Z]{2,16})?\x{20}*+(?:,\x{20}*+(?:[A-Z]{2,16})?)*\x{20}*+$

CASE-Sensitivity = ON, Invert = ON

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock