A vulnerability in the Apache Web Server causes server memory leaks, which could potentially expose passwords and other secret data. Dubbed Optionsbleed, the vulnerability appears to be similar to other bugs that leak server memory, including Heartbleed, which was exploited by hackers to steal passwords from Yahoo and other sites.
Optionsbleed was disclosed by a researcher – Hanno Bock. The vulnerability could be exploited by hackers by using the HTTP options request. This would allow attackers to determine which HTTP requests are supported by the server. Under certain conditions, data stored in the computer memory could also be exposed.
Fortunately, Apache has patched the vulnerability. According to Yann Ylavic, member of the Apache HTTP Server Project Management Committee, the risk of leaks is limited as affected configurations also see only a few bytes of data leaking. Ylavic told Threatpost that there is no indication yet of any sensitive data having been disclosed.
The fix has been committed to our repository ('upstream') and will be in a new numbered release shortly," Ylavic said. "Many of our users rely on a third party for their builds and maintenance, commonly Linux distribution vendors."
"The vast majority of systems are not running an affected configuration, and causing the configuration to be affected requires write access to the configuration. In some shared environments, one user with write access could cause the configuration to be affected without the knowledge of other users," Ylavic added. "This can be mitigated already on unpatched systems, by setting some directives in the main configuration which is not writable by users (default configurations are not affected)."
According to Jeff Williams, co-founder and CTO Contrast Security, any attempts by hackers to exploit the flaw would be easy to spot and block.
"It looks like only small bits of this information are leaked. So it would be extremely difficult to get something useful," Williams said. "Second, only 400-some servers are affected out of the top 1m. That dramatically reduces the attack options. They came up with a great name, OptionsBleed. And it's theoretically interesting. But not much danger to you and me. Upgrade your server and get on with life."