CVE-2017-9798

Name: CVE-2017-9798
Creator: NVD / NIST
Published: 2017-09-18T15:29:00.307+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 95.00%

Last modified Jun 17, 2026

CVE-2017-9798 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. EPSS estimates a 95.00% chance of exploitation in the next 30 days.

Description

Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

95.00%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-416

Affected Software

Vendor	Product	Versions
Apache	Http Server	<= 2.2.34
Apache	Http Server	2.4.0
Apache	Http Server	2.4.1
Apache	Http Server	2.4.2
Apache	Http Server	2.4.3
Apache	Http Server	2.4.4
Apache	Http Server	2.4.6
Apache	Http Server	2.4.7
Apache	Http Server	2.4.9
Apache	Http Server	2.4.10
Apache	Http Server	2.4.12
Apache	Http Server	2.4.16
Apache	Http Server	2.4.17
Apache	Http Server	2.4.18
Apache	Http Server	2.4.20
Apache	Http Server	2.4.23
Apache	Http Server	2.4.25
Apache	Http Server	2.4.26
Apache	Http Server	2.4.27
Debian	Debian Linux	7.0
Debian	Debian Linux	8.0
Debian	Debian Linux	9.0

References

http://openwall.com/lists/oss-security/2017/09/18/2Mailing List, VDB Entry
http://www.debian.org/security/2017/dsa-3980Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
http://www.securityfocus.com/bid/100872Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/105598Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039387Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:2882Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2972Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3018Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3193Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3194Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3195Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3239Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3240Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3475Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3476Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3477Third Party Advisory
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.htmlExploit, Patch, Technical Description, Third Party Advisory
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patchExploit, Patch, Technical Description, Third Party Advisory
https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67aPatch, Vendor Advisory
https://github.com/hannob/optionsbleedExploit, Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798Vendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
https://security-tracker.debian.org/tracker/CVE-2017-9798Third Party Advisory
https://security.gentoo.org/glsa/201710-32Third Party Advisory
https://security.netapp.com/advisory/ntap-20180601-0003/Third Party Advisory
https://support.apple.com/HT208331Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_usThird Party Advisory
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patchVendor Advisory
https://www.exploit-db.com/exploits/42745/Exploit, Third Party Advisory, VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
https://www.tenable.com/security/tns-2019-09Third Party Advisory
http://openwall.com/lists/oss-security/2017/09/18/2Mailing List, VDB Entry
http://seclists.org/fulldisclosure/2024/Sep/22
http://www.debian.org/security/2017/dsa-3980Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatch, Third Party Advisory
http://www.securityfocus.com/bid/100872Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/105598Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039387Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:2882Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2972Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3018Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3193Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3194Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3195Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3239Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3240Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3475Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3476Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3477Third Party Advisory
https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.htmlExploit, Patch, Technical Description, Third Party Advisory
https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patchExploit, Patch, Technical Description, Third Party Advisory
https://github.com/apache/httpd/commit/4cc27823899e070268b906ca677ee838d07cf67aPatch, Vendor Advisory
https://github.com/hannob/optionsbleedExploit, Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2017-9798Vendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/8d63cb8e9100f28a99429b4328e4e7cebce861d5772ac9863ba2ae6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/f7f95ac1cd9895db2714fa3ebaa0b94d0c6df360f742a40951384a53%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r57608dc51b79102f3952ae06f54d5277b649c86d6533dcd6a7d201f7%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r75cbe9ea3e2114e4271bbeca7aff96117b50c1b6eb7c4772b0337c1f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9ea3538f229874c80a10af473856a81fbf5f694cd7f471cc679ba70b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rcc44594d4d6579b90deccd4536b5d31f099ef563df39b094be286b9e%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rdca61ae990660bacb682295f2a09d34612b7bb5f457577fe17f4d064%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfbaf647d52c1cb843e726a0933f156366a806cead84fbd430951591b%40%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
https://security-tracker.debian.org/tracker/CVE-2017-9798Third Party Advisory
https://security.gentoo.org/glsa/201710-32Third Party Advisory
https://security.netapp.com/advisory/ntap-20180601-0003/Third Party Advisory
https://support.apple.com/HT208331Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_usThird Party Advisory
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patchVendor Advisory
https://www.exploit-db.com/exploits/42745/Exploit, Third Party Advisory, VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatch, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatch, Third Party Advisory
https://www.tenable.com/security/tns-2019-09Third Party Advisory

Timeline

Published: Sep 18, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2017-9798?

How severe is CVE-2017-9798?

CVE-2017-9798 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 95.00% probability of exploitation in the next 30 days.

How do I fix CVE-2017-9798?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-9798?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST