Vulnerability Description
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.4.0, <= 2.4.37 |
| Debian | Debian Linux | 8.0 |
| Netapp | Santricity Cloud Connector | - |
| Netapp | Storage Automation Store | - |
| Canonical | Ubuntu Linux | 14.04 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/106742Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2019:3932
- https://access.redhat.com/errata/RHSA-2019:3933
- https://access.redhat.com/errata/RHSA-2019:3935
- https://access.redhat.com/errata/RHSA-2019:4126
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f60
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f8
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0
- https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbc
FAQ
What is CVE-2018-17199?
CVE-2018-17199 is a vulnerability with a CVSS score of 7.5 (HIGH). In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie session...
How severe is CVE-2018-17199?
CVE-2018-17199 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17199?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Netapp Santricity Cloud Connector, Netapp Storage Automation Store, Canonical Ubuntu Linux.