CVE-2017-3169

critical-risk
Published 2017-06-20

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

Do I need to act?

!
34.5% chance of exploitation in next 30 days
EPSS score — higher than 65% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Apache

References (84)

http://www.debian.org/security/2017/dsa-3896
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Third Party Advisory http://www.securityfocus.com/bid/99134
Third Party Advisory http://www.securitytracker.com/id/1038711
https://access.redhat.com/errata/RHSA-2017:2478
https://access.redhat.com/errata/RHSA-2017:2479
https://access.redhat.com/errata/RHSA-2017:2483
https://access.redhat.com/errata/RHSA-2017:3193
https://access.redhat.com/errata/RHSA-2017:3194
https://access.redhat.com/errata/RHSA-2017:3195
https://access.redhat.com/errata/RHSA-2017:3475
https://access.redhat.com/errata/RHSA-2017:3476
https://access.redhat.com/errata/RHSA-2017:3477
https://github.com/gottburgm/Exploits/tree/master/CVE-2017-3169
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd...
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10...
https://lists.apache.org/thread.html/84bf7fcc5cad35d355f11839cbdd13cbc5ffc1d3467...
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772...
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f74...
https://lists.apache.org/thread.html/r04e89e873d54116a0635ef2f7061c15acc5ed27ef7...
and 64 more references
71
/ 100
critical-risk
Severity 32/34 · Critical
Exploitability 16/34 · Moderate
Exposure 23/34 · High