ID CVE-2017-3169
Summary In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.26:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.27:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.27:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.31:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.31:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.21:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.24:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.30:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.30:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.22:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.25:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.32:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.32:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.29:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.29:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.17:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*
    cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2017:2478
  • rhsa
    id RHSA-2017:2479
  • rhsa
    id RHSA-2017:2483
  • rhsa
    id RHSA-2017:3193
  • rhsa
    id RHSA-2017:3194
  • rhsa
    id RHSA-2017:3195
  • rhsa
    id RHSA-2017:3475
  • rhsa
    id RHSA-2017:3476
  • rhsa
    id RHSA-2017:3477
rpms
  • httpd-0:2.2.15-60.el6_9.5
  • httpd-debuginfo-0:2.2.15-60.el6_9.5
  • httpd-devel-0:2.2.15-60.el6_9.5
  • httpd-manual-0:2.2.15-60.el6_9.5
  • httpd-tools-0:2.2.15-60.el6_9.5
  • mod_ssl-1:2.2.15-60.el6_9.5
  • httpd-0:2.4.6-67.el7_4.2
  • httpd-debuginfo-0:2.4.6-67.el7_4.2
  • httpd-devel-0:2.4.6-67.el7_4.2
  • httpd-manual-0:2.4.6-67.el7_4.2
  • httpd-tools-0:2.4.6-67.el7_4.2
  • mod_ldap-0:2.4.6-67.el7_4.2
  • mod_proxy_html-1:2.4.6-67.el7_4.2
  • mod_session-0:2.4.6-67.el7_4.2
  • mod_ssl-1:2.4.6-67.el7_4.2
  • httpd24-httpd-0:2.4.25-9.el6.1
  • httpd24-httpd-0:2.4.25-9.el7.1
  • httpd24-httpd-debuginfo-0:2.4.25-9.el6.1
  • httpd24-httpd-debuginfo-0:2.4.25-9.el7.1
  • httpd24-httpd-devel-0:2.4.25-9.el6.1
  • httpd24-httpd-devel-0:2.4.25-9.el7.1
  • httpd24-httpd-manual-0:2.4.25-9.el6.1
  • httpd24-httpd-manual-0:2.4.25-9.el7.1
  • httpd24-httpd-tools-0:2.4.25-9.el6.1
  • httpd24-httpd-tools-0:2.4.25-9.el7.1
  • httpd24-mod_ldap-0:2.4.25-9.el6.1
  • httpd24-mod_ldap-0:2.4.25-9.el7.1
  • httpd24-mod_proxy_html-1:2.4.25-9.el6.1
  • httpd24-mod_proxy_html-1:2.4.25-9.el7.1
  • httpd24-mod_session-0:2.4.25-9.el6.1
  • httpd24-mod_session-0:2.4.25-9.el7.1
  • httpd24-mod_ssl-1:2.4.25-9.el6.1
  • httpd24-mod_ssl-1:2.4.25-9.el7.1
  • httpd-0:2.4.6-40.el7_2.6
  • httpd-debuginfo-0:2.4.6-40.el7_2.6
  • httpd-devel-0:2.4.6-40.el7_2.6
  • httpd-manual-0:2.4.6-40.el7_2.6
  • httpd-tools-0:2.4.6-40.el7_2.6
  • mod_ldap-0:2.4.6-40.el7_2.6
  • mod_proxy_html-1:2.4.6-40.el7_2.6
  • mod_session-0:2.4.6-40.el7_2.6
  • mod_ssl-1:2.4.6-40.el7_2.6
  • httpd-0:2.4.6-45.el7_3.5
  • httpd-debuginfo-0:2.4.6-45.el7_3.5
  • httpd-devel-0:2.4.6-45.el7_3.5
  • httpd-manual-0:2.4.6-45.el7_3.5
  • httpd-tools-0:2.4.6-45.el7_3.5
  • mod_ldap-0:2.4.6-45.el7_3.5
  • mod_proxy_html-1:2.4.6-45.el7_3.5
  • mod_session-0:2.4.6-45.el7_3.5
  • mod_ssl-1:2.4.6-45.el7_3.5
  • httpd-0:2.2.15-47.el6_7.5
  • httpd-debuginfo-0:2.2.15-47.el6_7.5
  • httpd-devel-0:2.2.15-47.el6_7.5
  • httpd-manual-0:2.2.15-47.el6_7.5
  • httpd-tools-0:2.2.15-47.el6_7.5
  • mod_ssl-1:2.2.15-47.el6_7.5
  • jbcs-httpd24-httpd-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-debuginfo-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-devel-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-libs-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-manual-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-selinux-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-tools-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_bmx-0:0.9.6-15.GA.jbcs.el7
  • jbcs-httpd24-mod_bmx-debuginfo-0:0.9.6-15.GA.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-0:1.3.8-1.Final_redhat_1.jbcs.el7
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.8-1.Final_redhat_1.jbcs.el7
  • jbcs-httpd24-mod_ldap-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_proxy_html-1:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_session-0:2.4.23-125.jbcs.el7
  • jbcs-httpd24-mod_ssl-1:2.4.23-125.jbcs.el7
  • jbcs-httpd24-httpd-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-debuginfo-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-devel-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-libs-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-manual-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-selinux-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-httpd-tools-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_bmx-0:0.9.6-15.GA.jbcs.el6
  • jbcs-httpd24-mod_bmx-debuginfo-0:0.9.6-15.GA.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-0:1.3.8-1.Final_redhat_1.jbcs.el6
  • jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.8-1.Final_redhat_1.jbcs.el6
  • jbcs-httpd24-mod_ldap-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_proxy_html-1:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_session-0:2.4.23-125.jbcs.el6
  • jbcs-httpd24-mod_ssl-1:2.4.23-125.jbcs.el6
refmap via4
bid 99134
confirm
debian DSA-3896
gentoo GLSA-201710-32
misc https://github.com/gottburgm/Exploits/tree/master/CVE-2017-3169
mlist
  • [dev] 20170619 CVE-2017-3169: mod_ssl null pointer dereference
  • [httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
  • [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
sectrack 1038711
Last major update 06-06-2021 - 11:15
Published 20-06-2017 - 01:29
Last modified 06-06-2021 - 11:15
Back to Top