CVE-2016-4975
Posted: 2019/05/21 16:58:13
Hi folks,
On a DigitalOcean server, we are using Apache 2.2.15 (httpd-2.2.15-69.el6.centos.src.rpm)
On CentOS release 6.7 (Final) (Linux version 2.6.32-573.8.1.el6.x86_64)
Looks like nothing's available:
yum list available httpd\*
I cannot find that CVE-2016-4975 is for sure affecting us or has been patched, most hits seem to imply it's basically unfixed... maybe due to some updates around this vulnerability at NIST it has become an issue for this patch level.
So I started at the beginning:
https://access.redhat.com/articles/2123171
https://access.redhat.com/errata/#/
Looking up pages for: CVE-2016-4975
Three Search Results:
https://access.redhat.com/errata/#/?q=C ... sc&rows=10
Seems for openssl only, but shows up
https://access.redhat.com/errata/RHSA-2018:2185
https://access.redhat.com/errata/RHSA-2018:2186
This one is openssl, and, curl, and some others etc:
https://access.redhat.com/errata/RHSA-2018:2486
But those above are fixed packages, so logically if the relevant package is not there, it has not been fixed.
However, some RH pages state "Will not fix" on them, and I'm having trouble finding that being confirmed for RHEL6 branch.
Also, the above references "Red Hat JBoss Core Services Pack Apache Server..."
I don't think we're running JBoss Core Services Pack?
Especially after reading this:
https://access.redhat.com/solutions/341413
Also, if the CVE in question is listed in the "Fixes" section of each of these, what does that mean? Just related? Or should I go looking at curl and the other 3 or so packages for changelogs and/or updates?
Anyway, I went here:
https://access.redhat.com/security/cve/cve-2016-4975
And there it does indeed say "Will not fix" for RHEL6.
Finally, I went here:
https://bugzilla.redhat.com/show_bug.cgi?id=1375968
Scrolled down, and the discussion suggests that, due to its rating, it is unlikely to get a fix considering phase 2 support for RHEL6.
Here's the specific CVE page at various places:
https://access.redhat.com/security/cve/cve-2016-4975
http://cve.mitre.org/cgi-bin/cvename.cg ... -2016-4975
Then the Apache 2.2 page; I searched many of the terms on this page in the rpm info with grep and came up empty ("CR"/"LF"/"CRLF"/"I"/"injection"):
https://httpd.apache.org/security/vulne ... -2016-4975
It's listed here, but "We are not aware of any exploits":
https://www.securityfocus.com/bid/105093/exploit
This seems to be pretty clear that the version is affected "(Affected 2.2.0-2.2.31)"
Also, according to this page, the analysis was modified Feb 7, 2019, and is again under analysis that will result in potential changes...
https://nvd.nist.gov/vuln/detail/CVE-2016-4975
Didn't glean anything from this, it's just referenced by MITRE:
https://security.netapp.com/advisory/nt ... 0926-0006/
Nor the HP Enterprise page, just links to their updated 2.4.x package
I like this website, but I'm never sure how complete/canonically accurate it is when cross referencing with a CentOS server.
https://www.cvedetails.com/cve/CVE-2016-4975/
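The check the post describes by hand (grepping the rpm info for the CVE id), as an added example that is not the poster's own script: it takes the output of `rpm -q --changelog <package>` on stdin, lists every CVE id the changelog records, and reports whether a specific id is among them. The changelog embedded below is constructed so the script runs offline; apart from CVE-2016-4975, the CVE and Bugzilla ids in it are placeholders, not real advisories.

```shell
#!/bin/sh
# Added example (not from the original post). Feeds a package changelog on
# stdin, extracts the CVE ids it mentions, and answers whether a given id is
# present. Real usage:  rpm -q --changelog httpd | cve_status CVE-2016-4975

# Constructed sample changelog; the CVE and Bugzilla ids are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Packager <packager@example.invalid> - 2.2.15-99
- Resolves: #1111111 - placeholder: add security fix for CVE-0000-1111
- placeholder: add security fix for CVE-0000-2222, also CVE-0000-1111
* Mon Jan 01 2017 Example Packager <packager@example.invalid> - 2.2.15-98
- placeholder: rebuild with updated apr'

# list_cves: print each distinct CVE id found on stdin, upper-cased, one per
# line, sorted. Useful to see what the packager says the build fixes.
list_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' | tr '[:lower:]' '[:upper:]' | sort -u
}

# cve_status CVE-ID: read a changelog on stdin and print "mentioned" or
# "not-mentioned". "not-mentioned" only means the changelog is silent, which
# is the situation the post describes; a backport can also be recorded under
# a Bugzilla id alone, so an absent CVE id is a lead, not a verdict.
cve_status() {
    wanted=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    if list_cves | grep -qx -- "$wanted"; then
        echo "mentioned"
    else
        echo "not-mentioned"
    fi
}

# Demonstration against the constructed changelog.
printf '%s\n' "$SAMPLE_CHANGELOG" | cve_status CVE-2016-4975
printf '%s\n' "$SAMPLE_CHANGELOG" | list_cves
```

On the CentOS box itself, `rpm -q --changelog httpd | list_cves` shows which ids the -69.el6 build claims, and `cve_status CVE-2016-4975` on the same stream gives the yes/no the thread is after; if the changelog is silent, the vendor CVE page and Bugzilla entry linked above remain the authoritative statement of status.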