Threat Alert! Optionsbleed Vulnerability for Apache web servers
What is it?
This morning, a new vulnerability in the Apache Web Server called Optionsbleed was publicly disclosed. This vulnerability could allow a remote attacker to take control of an affected system and to gain access to sensitive information on the server. To give an idea of how widespread this is, security researchers have reported that a scan of the Alexa Top 1 Million websites revealed 466 hosts that were vulnerable.
Who should worry about this?
If you have a website that transmits or stores sensitive data, this may be a concern for you. For example, if you run an ecommerce website, financial website, or accounting portal, this is something to check, and it won't take much effort. If your website is for marketing purposes only and doesn’t handle any sensitive information, this may be less of a concern.
If you administer your own server, please see the following technical details section for more.
If you host your website with a website vendor or hosting company, you can open a ticket to ask whether your server is affected by this vulnerability. Whether you open a ticket or not, a reputable web host SHOULD already be addressing this issue proactively, but it cannot hurt to ask to be sure.
Technical Details
For the most accurate details, please reference the following source links:
- https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-9798
As these websites explain, review your .htaccess files for potential errors in “Limit” directives and ensure that your Apache software is up to date with the latest security patches. The first link has a section called “How can I test it?” that explains how to verify that your server is not vulnerable to this issue.
Still worried?
NorthSky Technology’s Practical Security Program tests for this vulnerability plus hundreds of thousands of other vulnerabilities, exploits, and security holes. As part of our Security services, we assess and manage your information security in a way that balances budget, effective risk avoidance, and regulatory obligation. Contact us today to learn more!