Is my Web Agent affected by the Apache CVE-2017-3167 vulnerability?

Document ID:  TEC1455085
Last Modified Date:  07/14/2017

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC

Question:

I am running Web Agent on Apache 2.4, and as per the ap_get_basic_auth_pw() Authentication Bypass vulnerability (CVE-2017-3167), I wonder if we could be impacted, and if yes, how we could fix it?

Environment:
Web Agent R12.52 SP1

Answer:

As per the description of CVE-2017-3167:

Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.

The Web Agent is not impacted by this vulnerability because the agent does not call this API. However, this does not guarantee that the Apache server itself won't call it while handling requests, even if the Web Agent does not.

Hence, upgrading to a non-affected Apache server version (2.4.26 or higher) is recommended to ensure the servers are not vulnerable.
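
The two checks implied above, as an added example that is not CA or Apache code: compare the version reported by `httpd -v` against the fixed releases named in the advisory, and list which loaded modules reference the legacy function. The function names, the module file names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Fixed releases per branch, as stated in the advisory quoted above.
FIXED_PATCH = {(2, 2): 33, (2, 4): 26}
LEGACY_SYMBOL = b"ap_get_basic_auth_pw\x00"  # NUL-terminated, as stored in an ELF string table


def parse_version(banner):
    """Pull (major, minor, patch) out of `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError(f"no Apache version in {banner!r}")
    return tuple(int(part) for part in m.groups())


def server_is_patched(banner):
    """True if the reported version is at or past the fixed release of its branch.

    Distribution packages may backport the fix without changing this number,
    so False means "check the vendor changelog", not "confirmed vulnerable".
    """
    major, minor, patch = parse_version(banner)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return (major, minor) > (2, 4)  # assumption: later branches include the fix
    return patch >= fixed


def legacy_callers(module_dir):
    """Names of *.so modules whose bytes contain the legacy symbol name.

    A hit only shows the module references the function; whether it is called
    outside the authentication phase still needs a source or vendor review.
    """
    return sorted(p.name for p in Path(module_dir).glob("*.so")
                  if LEGACY_SYMBOL in p.read_bytes())


if __name__ == "__main__":
    # Constructed sample: two fake module files, not real binaries.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "mod_old.so").write_bytes(b"\x7fELF..ap_get_basic_auth_pw\x00..")
        Path(d, "mod_new.so").write_bytes(b"\x7fELF..ap_get_basic_auth_components\x00..")
        print(server_is_patched("Server version: Apache/2.4.25 (Unix)"))
        print(legacy_callers(d))
```

Point `legacy_callers()` at the server's modules directory to review every third-party module, not only the Web Agent.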
