CVE-2017-15710

Name of the Vulnerable Software and Affected Versions Apache httpd versions 2.0.23 through 2.0.65 Apache httpd versions 2.2.0 through 2.2.34 Apache httpd versions 2.4.0 through 2.4.29

Description The issue is related to the mod authnz ldap component in Apache httpd, specifically when configured with AuthLDAPCharsetConfig. It uses the Accept-Language header value to determine the correct charset encoding for user credential verification. If the header value is not found in the charset conversion table, it is truncated to a two-character value. A header value with less than two characters can cause an out-of-bounds write of a NUL byte to a memory location, potentially leading to a Denial of Service attack, although this is unlikely. In most cases, the memory is already reserved for future use, and the issue has no effect.

Recommendations For Apache httpd versions 2.0.23 through 2.0.65, consider disabling the AuthLDAPCharsetConfig to prevent the issue until a patch is available. For Apache httpd versions 2.2.0 through 2.2.34, consider disabling the AuthLDAPCharsetConfig to prevent the issue until a patch is available. For Apache httpd versions 2.4.0 through 2.4.29, consider disabling the AuthLDAPCharsetConfig to prevent the issue until a patch is available. As a temporary workaround, consider restricting access to the Accept-Language header to minimize the risk of exploitation.