Use-after-free error in apache2 (Alpine package)

Published: 2017-07-10

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2017-9789
CWE-ID	CWE-416
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	apache2 (Alpine package) Operating systems & Components / Operating system package or component
Vendor	Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Use-after-free error

EUVDB-ID: #VU7518

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-9789

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the targeted system.

The weakness exists due to use-after-free condition in the mod_http2 function. A remote attacker can trigger memory corruption and cause the server to crash.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

apache2 (Alpine package): 2.4.26-r0

CPE2.3

cpe:2.3:o:alpine:apache2_alpine_package:2.4.26-r0:*:*:*:*:alpine_linux:*:3.2

External links

https://git.alpinelinux.org/aports/commit/?id=33c9b879e1ac2712ea308a9c9e642d83b54d690d
https://git.alpinelinux.org/aports/commit/?id=6b9a79f0701cb33053c40b36978e1774a9e90d8e
https://git.alpinelinux.org/aports/commit/?id=833fa41a4d6d73d87df385db7cb1effb9cadada5
https://git.alpinelinux.org/aports/commit/?id=c21717b071b1dcd50c33619ba3785fd9dfbb3640
https://git.alpinelinux.org/aports/commit/?id=c44d3bbc2aeb49f7b8d0b68adaaadeef824b4029

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.