OptionsBleed is the name of a high severity vulnerability tracked as CVE-2017-9798 and discovered by security researcher Hanno Böck. The bug potentially threatens to disclose data from servers in a similar sort of way that Heartbleed did a few years ago.
The researcher (Hanno Böck) said that Optionsbleed bug is not similar to Heartbleed because it reveals content processed by the Apache web server process only and not the memory content from the other processes on the server, including other running apps. And that means that the disclosed data is restricted only to whatever Apache is processing, which is mostly the content of web pages.
However, the threat remains, as the Optionsbleed bug could disclose content from web pages that are only accessible to authenticated users.
According to the researcher:
“Optionsbleed is a use after free error in Apache HTTP that causes a corrupted Allow header to be constructed in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain secrets. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.”
The vulnerability affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. If you run an Apache web server you should update. Administrators should have updated their packages by now or ASAP.
