Is my Web Agent affected by the Apache CVE-2017-3167 vulnerability?

Document ID : KB000015106
Last Modified Date : 14/02/2018
Question:

I am running Web Agent on Apache 2.4, and as per the ap_get_basic_auth_pw() Authentication Bypass vulnerability (CVE-2017-3167), I wonder whether we could be impacted and, if so, how we could fix it?

Environment:
Web Agent R12.52 SP1
Answer:

As per the description of the CVE-2017-3167:

Use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.
Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.

Web Agent is not impacted by this vulnerability, as the agent does not call this API. However, this does not guarantee that the Apache server itself will not call it while handling requests, even if the Web Agent does not.

Hence, upgrading to a non-affected Apache server version (2.4.26 or higher) is recommended to ensure the servers are not vulnerable to this.
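A local check for the two facts this answer hinges on (whether the installed httpd is at or above the fixed release, 2.4.26 or 2.2.33, and whether any loaded module binary still references the legacy ap_get_basic_auth_pw() symbol), as an added example that is not part of this KB article or the Web Agent product; the httpd binary name and module directory are assumptions and differ by platform.

```shell
#!/bin/sh
# Added example, not from the KB article: a local check for the two facts the
# answer relies on. HTTPD_BIN and MODULE_DIR defaults are assumptions.
# Return 0 if dotted version $1 is >= dotted version $2 (e.g. 2.4.29 >= 2.4.26).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0; if (p < q) exit 1
    }
    exit 0 }'
}
# Extract "2.4.25" from a line such as "Server version: Apache/2.4.25 (Unix)".
httpd_version() {
  "$1" -v 2>/dev/null | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p'
}
# First fixed release for the branch in use, per the CVE text: 2.2.33 or 2.4.26.
fixed_version_for() {
  case "$1" in
    2.2.*) echo 2.2.33 ;;
    *)     echo 2.4.26 ;;
  esac
}
# Print each module object under $1 whose binary references the legacy
# ap_get_basic_auth_pw symbol. This is a heuristic: it flags modules built
# against the old API, not whether they call it outside the auth phase.
modules_calling_legacy_api() {
  for f in "$1"/*.so; do
    [ -f "$f" ] || continue
    if grep -qa 'ap_get_basic_auth_pw' "$f"; then echo "$f"; fi
  done
}
HTTPD_BIN="${HTTPD_BIN:-httpd}"                       # assumption; often apache2
MODULE_DIR="${MODULE_DIR:-/usr/lib64/httpd/modules}"  # assumption; distro-specific
main_check() {
  v=$(httpd_version "$HTTPD_BIN")
  if [ -z "$v" ]; then echo "cannot read version from $HTTPD_BIN"; return 2; fi
  fixed=$(fixed_version_for "$v")
  if version_ge "$v" "$fixed"; then echo "httpd $v: at or above $fixed"
  else echo "httpd $v: below $fixed, upgrade recommended (see answer above)"; fi
  echo "modules referencing ap_get_basic_auth_pw (review against the CVE rules):"
  modules_calling_legacy_api "$MODULE_DIR"
}
# Run the check only when invoked with --run, so the file can also be sourced.
[ "${1-}" = "--run" ] && main_check
```

Run it as `sh check.sh --run` (or set HTTPD_BIN and MODULE_DIR first); any module it lists should be checked against the MUST rule quoted above before relying on the server upgrade alone.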
