Certain Apache server configurations can leak server memory content via a vulnerability called Optionsbleed — tracked as CVE-2017-9798 — and detailed on Monday by security researcher Hanno Böck.
The vulnerability is similar to Heartbleed in that attackers can query servers and trick Apache into responding with more data than it intended.
Böck says Optionsbleed is not as severe as Heartbleed because it leaks content processed by the Apache web server process only and not memory content from the underlying machine, including other applications. This means the leaked data is limited to whatever Apache is processing, which is mostly the content of web pages.
Nonetheless, the danger remains, as Optionsbleed could leak content from pages that are only available to authenticated users.
How Optionsbleed works
To understand how Optionsbleed affects servers, you need to know how web servers work. Whenever a client — such as a web browser — makes a request to a server, it usually makes a GET or POST request that retrieves content from the server — a web page or a downloadable file.
Apache servers support many other requests — technically named "methods" — such as PUT, PATCH, HEAD, and more. These methods have been added to Apache releases over time, and are not supported by all servers. In addition, server admins block access to some of the methods.
To avoid making server requests that go into a black hole, Apache servers support the OPTIONS method. A client can query the server with an OPTIONS request and the server replies with the methods it is allowed to answer.
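An OPTIONS reply carries the permitted methods in the HTTP `Allow` header. The following is an added example, not code from the article or from Böck: it parses that header and flags entries that are not well-formed method names, the kind of unexpected extra data a defender would look for when checking their own server. The sample responses and the function names are constructed for illustration.

```python
import re

# RFC 7230 "token": the characters a valid HTTP method name may contain.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample responses (not captured from a real server).
CLEAN = (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache\r\n"
         b"Allow: GET,HEAD,POST,OPTIONS\r\n"
         b"Content-Length: 0\r\n\r\n")
SUSPECT = (b"HTTP/1.1 200 OK\r\n"
           b"Server: Apache\r\n"
           b"Allow: GET,HEAD,,POST,<p>members only</p>,OPTIONS,HEAD\r\n"
           b"Content-Length: 0\r\n\r\n")


def allow_entries(raw):
    """Return the comma-separated entries of every Allow header in a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    entries = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            entries.extend(e.strip() for e in value.split(","))
    return entries


def audit_allow(raw):
    """List (reason, entry) pairs for Allow entries that do not look like methods."""
    findings, seen = [], set()
    for entry in allow_entries(raw):
        if entry == "":
            findings.append(("empty", entry))
        elif not TOKEN.fullmatch(entry):
            findings.append(("not-a-method-token", entry))
        elif entry in seen:
            findings.append(("duplicate", entry))
        seen.add(entry)
    return findings


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_allow(raw))
```
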