CVE-2016-4979

Published on: 07/06/2016 12:00:00 AM UTC

Last Modified on: 03/30/2021 01:12:59 PM UTC

CVE-2016-4979

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Certain versions of Http Server from Apache contain the following vulnerability:

The Apache HTTP Server 2.4.18 through 2.4.20, when mod_http2 and mod_ssl are enabled, does not properly recognize the "SSLVerifyClient require" directive for HTTP/2 request authorization, which allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation.

CVE-2016-4979 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	HIGH	NONE

CVSS2 Score: 5 - MEDIUM

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
NONE	PARTIAL	NONE

CVE References

Description	Tags ^ⓘ	Link
oss-security - CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]	www.openwall.com text/html	MLIST [oss-security] 20160705 CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
Apache: Multiple vulnerabilities (GLSA 201610-02) — Gentoo security	security.gentoo.org text/html	GENTOO GLSA-201610-02
Apache 2.4.20 X509 Authentication Bypass ≈ Packet Storm	packetstormsecurity.com text/html	MISC packetstormsecurity.com/files/137771/Apache-2.4.20-X509-Authentication-Bypass.html
Oracle Critical Patch Update - October 2016	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
Apache HTTP Server CVE-2016-4979 Authentication Bypass Vulnerability	cve.report (archive) text/html	BID 91566
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
	www.apache.org text/plain	CONFIRM www.apache.org/dist/httpd/CHANGES_2.4
Apache HTTPD HTTP/2 Certificate Validation Flaw Lets Remote Users Bypass Client Certificate Authentication on the Target System - SecurityTracker	www.securitytracker.com text/html	SECTRACK 1036225
modssl: reset client-verify state when renegotiation is aborted · apache/[email protected] · GitHub	github.com text/html	CONFIRM github.com/apache/httpd/commit/2d0e4eff04ea963128a41faaef21f987272e05a2
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2016:1420
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/
Full Disclosure: CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]	seclists.org text/html	FULLDISC 20160706 CVE-2016-4979: HTTPD webserver - X509 Client certificate based authentication can be bypassed when HTTP/2 is used [vs]
Oracle Solaris Bulletin - October 2016	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
httpd 2.4 vulnerabilities - The Apache HTTP Server Project	Patch Vendor Advisory httpd.apache.org text/html	CONFIRM httpd.apache.org/security/vulnerabilities_24.html
August 2016 Apache HTTP Server Vulnerabilities in NetApp Products \| NetApp Product Security	security.netapp.com text/html	CONFIRM security.netapp.com/advisory/ntap-20180601-0001/
Pony Mail!	lists.apache.org text/html	MLIST [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Http Server	2.4.18	All	All	All
Application	Apache	Http Server	2.4.19	All	All	All
Application	Apache	Http Server	2.4.20	All	All	All
Application	Apache	Http Server	2.4.18	All	All	All
Application	Apache	Http Server	2.4.19	All	All	All
Application	Apache	Http Server	2.4.20	All	All	All

cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*:
cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*:
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*:
cpe:2.3:a:apache:http_server:2.4.18:*:*:*:*:*:*:*:
cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*:
cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE