Is my Web Agent affected by the Apache CVE-2017-3167 vulnerability?

Document ID:  TEC1455085
Last Modified Date:  07/14/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC

Question:

I am running Web Agent on Apache 2.4, and as per the ap_get_basic_auth_pw() Authentication Bypass vulnerability (CVE-2017-3167), I wonder whether we could be impacted and, if so, how we could fix it?

Environment:

Web Agent R12.52 SP1

Answer:

As per the description of CVE-2017-3167:

Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.

Web Agent is not impacted by this vulnerability because the agent does not call this API. That does not guarantee, however, that the Apache server itself won't call it while handling requests, even though the Web Agent does not.

Hence, upgrading to a non-affected Apache server version (2.4.26 or higher) is recommended to ensure the servers are not vulnerable to this.
