JEDtech

FileMaker Server 15.0.3 with Apache 2.4.23 Multiple Vulnerabilities

Discussion created by JEDtech on Mar 9, 2017
Latest reply on Apr 4, 2017 by JEDtech

FileMaker Server 15.0.3 with Web Publishing enabled on Mac installs Apache version 2.4.23 on macOS Sierra.  This version of Apache has multiple known vulnerabilities.  An update is needed to get Apache to 2.4.25 or above.

Below is information about these vulnerabilities

- A flaw exists in the mod_session_crypto module due to encryption for data and cookies using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default). An unauthenticated, remote attacker can exploit this, via a padding oracle attack, to decrypt information without knowledge of the encryption key, resulting in the disclosure of potentially sensitive information. (CVE-2016-0736)

- A denial of service vulnerability exists in the mod_auth_digest module during client entry allocation. An unauthenticated, remote attacker can exploit this, via specially crafted input, to exhaust shared memory resources, resulting in a server crash. (CVE-2016-2161)

- The Apache HTTP Server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5387)

- A denial of service vulnerability exists in the mod_http2 module due to improper handling of the LimitRequestFields directive. An unauthenticated, remote attacker can exploit this, via specially crafted CONTINUATION frames in an HTTP/2 request, to inject unlimited request headers into the server, resulting in the exhaustion of memory resources. (CVE-2016-8740)

- A flaw exists due to improper handling of whitespace patterns in user-agent headers. An unauthenticated, remote attacker can exploit this, via a specially crafted user-agent header, to cause the program to incorrectly process sequences of requests, resulting in interpreting responses incorrectly, polluting the cache, or disclosing the content from one request to a second downstream user-agent. (CVE-2016-8743)

See also:


https://httpd.apache.org/dev/dist/Announcement2.4.html

http://httpd.apache.org/security/vulnerabilities_24.html

https://github.com/apache/httpd/blob/2.4.x/CHANGES

https://www.apache.org/security/asf-httpoxy-response.txt

https://httpoxy.org
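
For triaging a host against the list above, the following added example (not part of the original post and not FileMaker or Apache tooling) takes the `httpd -v` banner and the `httpd -M` module listing and reports which of the listed CVEs apply below the 2.4.25 threshold. The function names are hypothetical, the sample banner and module listing are constructed, and the module identifiers are assumed to appear as `httpd -M` prints them (for example `auth_digest_module`).

```shell
#!/bin/sh
# Added example. Threshold and CVE list come from the post above;
# function names are hypothetical and the sample inputs are constructed.
FIXED_VERSION="2.4.25"

# Extract "2.4.23" from a banner such as "Server version: Apache/2.4.23 (Unix)".
parse_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t . -k 1,1n -k 2,2n -k 3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# $1 = output of `httpd -v`, $2 = output of `httpd -M`.
# Prints one applicable CVE per line; prints nothing at or above the fixed version.
applicable_cves() {
    version=$(parse_httpd_version "$1")
    if [ -z "$version" ]; then
        echo "UNKNOWN-VERSION"
        return 2
    fi
    version_lt "$version" "$FIXED_VERSION" || return 0
    # Not tied to an optional module in the text above: report on version alone.
    echo "CVE-2016-5387"
    echo "CVE-2016-8743"
    # Module-specific: report only when the module is actually loaded.
    case "$2" in *session_crypto_module*) echo "CVE-2016-0736" ;; esac
    case "$2" in *auth_digest_module*)    echo "CVE-2016-2161" ;; esac
    case "$2" in *http2_module*)          echo "CVE-2016-8740" ;; esac
    return 0
}

# Constructed sample input (not captured from a real server).
SAMPLE_BANNER='Server version: Apache/2.4.23 (Unix)'
SAMPLE_MODULES=' core_module (static)
 auth_digest_module (shared)
 http2_module (shared)'

applicable_cves "$SAMPLE_BANNER" "$SAMPLE_MODULES"
```

On a live host, pass the real output instead of the samples: `applicable_cves "$(httpd -v)" "$(httpd -M 2>/dev/null)"`, using the httpd binary that FileMaker Server actually runs.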
