BSA-2017-497

Brocade Security Advisory ID

BSA-2017-497

Initial Publication Date

12/11/2017

Last Updated

12/29/2017

Revision

1.0: Final

Risk Impact

Medium

Workaround

N/A

Component

Apache HTTPD

Affected CVE

CVE-2015-0253

CVSS Score

5.0

Summary
The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI.

Products Confirmed Not Vulnerable
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.

Revision History

Version

Change

Date

1.0

Initial Publication

Dec 29, 2017

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.