CVE-2016-4979

Published on: 07/06/2016 12:00:00 AM UTC

Last Modified on: 03/30/2021 01:12:59 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Certain versions of Apache HTTP Server contain the following vulnerability:

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

  • CVE-2016-4979 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS2 Score: 5 - MEDIUM

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

CVE References

Tag | Reference | Source
  • MLIST | [oss-security] 20160705 CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs] | www.openwall.com
  • MLIST | [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html | lists.apache.org (Pony Mail)
  • MLIST | [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html | lists.apache.org (Pony Mail)
  • GENTOO | GLSA-201610-02: Apache: Multiple vulnerabilities | security.gentoo.org
  • MISC | packetstormsecurity.com/files/137771/Apache-2.4.20-X509-Authentication-Bypass.html (Apache 2.4.20 X509 Authentication Bypass) | packetstormsecurity.com
  • CONFIRM | www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html (Oracle Critical Patch Update - October 2016) | www.oracle.com
  • MLIST | [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html | lists.apache.org (Pony Mail)
  • BID | 91566: Apache HTTP Server CVE-2016-4979 Authentication Bypass Vulnerability | cve.report (archive)
  • MLIST | [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html | lists.apache.org (Pony Mail)
  • CONFIRM | www.apache.org/dist/httpd/CHANGES_2.4 (text/plain) | www.apache.org
  • SECTRACK | 1036225: Apache HTTPD HTTP/2 Certificate Validation Flaw Lets Remote Users Bypass Client Certificate Authentication on the Target System | www.securitytracker.com
  • CONFIRM | github.com/apache/httpd/commit/2d0e4eff04ea963128a41faaef21f987272e05a2 (modssl: reset client-verify state when renegotiation is aborted, apache/httpd@2d0e4eff) | github.com
  • MLIST | [httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ | lists.apache.org (Pony Mail)
  • MLIST | [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ | lists.apache.org (Pony Mail)
  • REDHAT | RHSA-2016:1420 | access.redhat.com (Red Hat Customer Portal)
  • MLIST | [httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/ | lists.apache.org (Pony Mail)
  • FULLDISC | 20160706 CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs] | seclists.org (Full Disclosure)
  • CONFIRM | www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html (Oracle Solaris Bulletin - October 2016) | www.oracle.com
  • MLIST | [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html | lists.apache.org (Pony Mail)
  • CONFIRM (Patch, Vendor Advisory) | httpd.apache.org/security/vulnerabilities_24.html (httpd 2.4 vulnerabilities - The Apache HTTP Server Project) | httpd.apache.org
  • CONFIRM | security.netapp.com/advisory/ntap-20180601-0001/ (August 2016 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security) | security.netapp.com
  • MLIST | [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ | lists.apache.org (Pony Mail)

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Apache | Http Server | 2.4.18 | All | All | All
Application | Apache | Http Server | 2.4.19 | All | All | All
Application | Apache | Http Server | 2.4.20 | All | All | All
  • cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*