NoMachine Support

Your questions answered

Knowledge Base

Searching in: Software Updates
Filter the search results
Released on:
Searching in: Software Updates
ID: SU09O00188
Released on:  2017-09-20
Last update: 2017-09-20
Vulnerability in Apache httpd

Luxembourg, September 20th, 2017

A vulnerability has been found in the Apache's web server httpd component which allows remote attackers to read secret data from process memory if the Limit directive is set in a user's .htaccess file, or if httpd.conf contains certain misconfigurations, also known as Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27.

A CVE is available:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9798

and additional details of Optionsbleed are available here:

https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html

Administrators of NoMachine Cloud Server, which uses Apache 2.4.27, can continue to provide web-based access to users provided that they do not put .htaccess with a bad Limit directive into the html root of the server installation.

NoMachine developers will release the fix in the next scheduled release. Should customers have any questions, they are invited to contact the support team.

 

The NoMachine Security Team