There’s a bug in the widely used Apache Web Server that causes servers to leak pieces of arbitrary memory in a way that could expose passwords or other secrets, a freelance journalist has disclosed.
The vulnerability can be triggered by querying a server with what’s known as an OPTIONS request. Like the better-known GET and POST requests, OPTIONS is a type of HTTP method that allows users to determine which HTTP requests are supported by the server. Normally, a server will respond with GET, POST, OPTIONS, and any other supported methods. Under certain conditions, however, responses from Apache Web Server include the data stored in computer memory. Patches are available here and here.
The best-known vulnerability to leak potentially serious server memory was the Heartbleed bug located in the widely used OpenSSL cryptography library. Within hours of Heartbleed’s disclosure in April 2014, attackers were exploiting it to obtain passwords belonging to users of Yahoo, Ars, and other sites. Heartbleed could also be exploited to bleed websites’ private encryption keys and to hack networks with multifactor authentication.
Optionsbleed, by contrast, doesn’t pose as big a threat, but its effects can still be damaging. The risk is highest for server hosts that allow more than one customer to share a single machine. That’s because Optionsbleed allows customers to exploit the flaw in a way that exposes secret data from other customers’ hosts on the same system. On the Internet at large, the threat is less serious. A recent scan by Hanno Böck, the freelance journalist who documented the bug on Monday, found that only 466 sites in the Alexa Top 1 Million were vulnerable. What’s more, Optionsbleed leaks smaller chunks of memory than was the case with Heartbleed.
Optionsbleed is a use-after-free bug that’s the result of certain types of configurations that restrict the HTTP methods a site will support. When the Limit directive is inapplicable—either because of a typo or because it bars use of a method that’s already not allowed—the bug is created. It can then be exploited by sending an OPTIONS request to the site. Organizations that rely on Apache should install the patch soon, especially if they’re part of a shared hosting service.
Interestingly, the bug was first identified in 2014. Why it’s only now being patched is unclear.