#VU91 Client certificate authentication bypass in Apache HTTP Server and Oracle Enterprise Manager Ops Center - CVE-2016-4979
Vulnerability identifier: #VU91
Vulnerability risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-4979
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Apache HTTP Server
Server applications /
Web servers
Oracle Enterprise Manager Ops Center
Server applications /
Remote management servers, RDP, SSH
Vendor:
Apache Foundation
Oracle
Description
The vulnerability allows a remote attacker to bypass client certificate authentication.
The vulnerability exists due to HTTP/2 certificate validation error. A remote unauthenticated attacker can bypass client certificate authentication and access web resources on the target system.
Systems using the mod_http2 module with activated h2 and h2c protocols in configuration are affected.
Successful exploitation of this vulnerability may result unauthorized access to resources on the web server.
Mitigation
Install the latest version of Apache HTTP Server 2.4.23, which resolves this vulnerability.
Vulnerable software versions
Apache HTTP Server: 2.4.17 - 2.4.20
Apache HTTP Server:
: 11.3
Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2
External links
https://www.apache.org/dist/httpd/CHANGES_2.4.23
https://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
