Apache HTTP Server CVE-2016-0736 Remote Security Vulnerability

Apache HTTP Server is prone to a remote security vulnerability.

An attacker can leverage this issue to bypass security restrictions and perform unauthorized actions. This may aid in further attacks.

Apache versions 2.4.x through 2.4.23 are vulnerable.

Information

Bugtraq ID: 95078
Class: Design Error
CVE: CVE-2016-0736

Remote: Yes
Local: No
Published: Dec 20 2016 12:00AM
Updated: Apr 17 2017 12:05AM
Credit: RedTeam Pentesting GmbH.
Vulnerable: Redhat Enterprise Linux Workstation Optional 7
Redhat Enterprise Linux Workstation 7
Redhat Enterprise Linux Server Optional 7
Redhat Enterprise Linux Server 7
Redhat Enterprise Linux ComputeNode Optional 7
Redhat Enterprise Linux Client Optional 7
Gentoo Linux
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
Apple macOS 10.12.3
Apache Apache 2.4.23
Apache Apache 2.4.20
Apache Apache 2.4.19
Apache Apache 2.4.18
Apache Apache 2.4.17
Apache Apache 2.4.16
Apache Apache 2.4.14
Apache Apache 2.4.12
Apache Apache 2.4.11
Apache Apache 2.4.10
Apache Apache 2.4.5
Apache Apache 2.4.4
Apache Apache 2.4.9
Apache Apache 2.4.8
Apache Apache 2.4.7
Apache Apache 2.4.6
Apache Apache 2.4.3
Apache Apache 2.4.2
Apache Apache 2.4.13
Apache Apache 2.4.1
Apache Apache 2.4.0

Not Vulnerable: Apple Security Update 2017-001 Yosemite 0
Apple Security Update 2017-001 El Capitan 0
Apple macOS 10.12.4
Apache Apache 2.4.25

References:

• Bug 1406744 - (CVE-2016-0736) CVE-2016-0736 httpd: Padding Oracle in Apache mod (Redhat)
  
• Apache httpd 2.4 vulnerabilities (Apache)
  

Source: www.securityfocus.com