Optionsbleed is a vulnerability in the Apache HTTP Server. An attacker may be able to read small memory chunks from the server using the HTTP OPTIONS method. Apache HTTP Server is vulnerable when the configuration directive Limit is used together with an invalid HTTP method in a .htaccess file. All versions up to and including 2.4.27 are affected. For further details see [1].
Airlock WAF is not affected, because .htaccess files are disabled. Airlock IAM is not affected since Apache HTTP Server is not used.
Airlock WAF protects vulnerable back-ends by default because the HTTP method OPTIONS is not allowed in the default configuration (see mapping / allow rules).
If you have to allow the OPTIONS HTTP method on Airlock WAF, for example to support Cross-Origin Resource Sharing (CORS), configure the following custom response action as a virtual patch on all mappings connected to a vulnerable back-end system to prevent exploitation of the vulnerability:
Add a new custom response action under <mapping> - "Response Actions" - "Custom Actions":
Name: Optionsbleed patch (CVE-2017-9798)
Action: Remove Header
Header Name Pattern:
^Allow$
CASE-Sensitivity = OFF, Invert = OFF
Header Value Pattern:
^\x{20}*+(?:[A-Z]{2,16})?\x{20}*+(?:,\x{20}*+(?:[A-Z]{2,16})?)*\x{20}*+$
CASE-Sensitivity = ON, Invert = ON
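To show what the two patterns above do in combination, here is an added Python example (not part of the advisory and not Airlock's own code) that applies the same check to constructed response headers. The PCRE value pattern is transcribed to Python's re syntax: \x{20} becomes \x20, and the possessive *+ quantifiers become greedy *, which matches the same strings here because a run of spaces is never followed by anything a space could also satisfy.

```python
import re

# Transcription of the advisory's "Header Value Pattern" (PCRE -> Python re).
# It accepts an empty value or a comma-separated list of 2..16 uppercase-letter
# method tokens, with optional spaces around tokens and commas.
ALLOW_VALUE_PATTERN = re.compile(
    r"^\x20*(?:[A-Z]{2,16})?\x20*(?:,\x20*(?:[A-Z]{2,16})?)*\x20*$"
)


def allow_header_is_well_formed(value: str) -> bool:
    """True if the Allow value looks like a clean list of HTTP method tokens."""
    return ALLOW_VALUE_PATTERN.match(value) is not None


def apply_virtual_patch(headers: dict) -> dict:
    """Mimic the custom response action.

    Header name match: ^Allow$ with case-sensitivity OFF.
    Header value match: pattern above with Invert = ON, i.e. the header is
    removed whenever its value does NOT match. Anything that is not a clean
    method list (for example bytes leaked from server memory) never reaches
    the client; all other headers pass through untouched.
    """
    patched = {}
    for name, value in headers.items():
        if name.lower() == "allow" and not allow_header_is_well_formed(value):
            continue  # drop the suspicious Allow header
        patched[name] = value
    return patched


# Constructed sample responses (not captured traffic):
CLEAN_RESPONSE = {"Allow": "GET, HEAD, POST, OPTIONS", "Content-Length": "0"}
# A method list followed by non-token garbage stands in for a leaky response.
SUSPICIOUS_RESPONSE = {"allow": "GET,HEAD,OPTIONS,Abc\x7f", "Content-Length": "0"}

if __name__ == "__main__":
    print(apply_virtual_patch(CLEAN_RESPONSE))       # Allow header kept
    print(apply_virtual_patch(SUSPICIOUS_RESPONSE))  # Allow header removed
```

Because the value pattern only accepts letters, a legitimate Allow header listing a hyphenated method such as the WebDAV VERSION-CONTROL method is also removed; widen the character class if such methods are in use on the back-end.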