
Is my Web Agent affected by the Apache CVE-2017-3167 vulnerability?


Article ID: 15106




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On


I am running Web Agent on Apache 2.4, and as per the ap_get_basic_auth_pw() Authentication Bypass vulnerability (CVE-2017-3167), I wonder whether we could be impacted and, if so, how we could fix it.


Web Agent R12.51, R12.52 SP1


As per the description of the CVE-2017-3167:

Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.

Web Agent is not impacted by this vulnerability, as the agent does not call this API. That does not guarantee, however, that the Apache server itself (or another module loaded into it) won't call this API while handling requests, even though the Web Agent does not.

Hence, upgrading to a non-affected Apache server version (2.4.26 or higher) is recommended to ensure the servers are not vulnerable to this.
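A small check an administrator can run to confirm the upgrade advice above has been applied, added here as an example and not part of the KB article or of the CA Web Agent. It assumes `httpd -v` (or `apachectl -v`) prints the standard `Server version: Apache/x.y.z` banner and uses the first fixed releases named in the CVE text (2.2.33 and 2.4.26):

```python
"""Check whether an httpd build is at or above the CVE-2017-3167 fix level.

Constructed helper (not from the KB article): it parses the banner printed by
`httpd -v` / `apachectl -v` and compares it with the first fixed releases
named in the CVE text, 2.2.33 and 2.4.26.
"""
import re
import subprocess

# First release of each branch that ships ap_get_basic_auth_components().
FIXED = {(2, 2): (2, 2, 33), (2, 4): (2, 4, 26)}

BANNER_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return (major, minor, patch) from a `httpd -v` banner, or None if absent."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True if the version carries the fix, False if it predates it, and None
    for branches the CVE text does not name (e.g. 2.0.x), which need a manual check."""
    branch = version[:2]
    if branch not in FIXED:
        return None
    return version >= FIXED[branch]


def assess(banner: str) -> str:
    """Turn a banner into a one-line verdict: ok / upgrade / unknown."""
    v = parse_version(banner)
    if v is None:
        return "unknown: no Apache version banner found"
    ver = ".".join(map(str, v))
    state = is_fixed(v)
    if state is True:
        return f"ok: Apache {ver} includes the CVE-2017-3167 fix"
    if state is False:
        want = ".".join(map(str, FIXED[v[:2]]))
        return f"upgrade: Apache {ver} predates {want}"
    return f"unknown: Apache {ver} is on a branch not covered by the advisory"


if __name__ == "__main__":
    # Query the local server binary; fall back to a constructed banner offline.
    try:
        out = subprocess.run(["httpd", "-v"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = "Server version: Apache/2.4.25 (Unix)\n"  # constructed sample banner
    print(assess(out))
```

The banner reports the upstream version number only; distributions that backport the fix into an older package version need a check of the package changelog instead.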
