-
Title
Current DR Apache HTTPD Version has Multiple Vulnerabilities Listed for it. -
Description
Our security team has flagged the version of Apache that is running on the DR4300 is out of date and has multiple vulnerabilities listed for it. What is the ETA on having security updates available for the 4300? -
Resolution
After consulting with R&D there is a plan to address the security concerns indicated, we are waiting for patching from the main distro makers. See table below for a quick review:
Once there are patches provided we should begin the process of implementing in the software.CVE
Quick Description
State of patch
Response
Recommend fixing
CVE-2017-3167
Authentication bypass, low complexity to implement
No patch from redhat
We use centos modules, unsure if ap_get_basic_Auth_pw() is leveraged.
Yes when available
CVE-2017-3169
DoS potentially, low complexity to implement, event cent/rhel 7 effected
No patch from redhat or centos
N/A
Yes when available
CVE-2017-7668
DoS potentially, potential buffer overread, low complexity to implement
Patch available
Does not affect RHEL 5 and 6 https://access.redhat.com/security/cve/cve-2017-7668
Unneeded
CVE-2017-7679
DoS potentially, potential buffer overread, low complexity to implement
No patch from redhat
N/A
Yes, when available
CVE-2017-9788
Buffer overread on potentially sensitive info, low complexity to implement
No patch available
We use digest authentication which this effects
Yes when available