CVE-2017-3169

CRITICAL

Apache HTTP Server - NULL Pointer Dereference

Title source: rule

Description

In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port.

Exploits (2)

github WORKING POC 1 stars

by vaishakhcv · perlpoc

https://github.com/vaishakhcv/CVE-exploits/tree/master/CVE-2017-3169

View Code ZIP pw:eip

github WORKING POC

by winterwolf32 · perlpoc

https://github.com/winterwolf32/CVE_Exploits-/tree/master/CVE-2017-3169

View Code ZIP pw:eip

References (42)

[Vendor Advisory] https://support.apple.com/HT208221

[Vendor Advisory] https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03908en_us

[Third Party Advisory] http://www.debian.org/security/2017/dsa-3896

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/99134

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038711

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:2478

[Various Sources] https://github.com/gottburgm/Exploits/tree/master/CVE-2017-3169

[Mitigation, Third Party Advisory] https://www.nomachine.com/SU08O00185

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20180601-0002/

[Third Party Advisory] https://security.gentoo.org/glsa/201710-32

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:2479

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:2483

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3193

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3194

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3195

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3475

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3476

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2017:3477

[Vendor Advisory] http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

[Third Party Advisory] https://www.tenable.com/security/tns-2019-09

... and 22 more

Scores

CVSS v3 9.8

EPSS 0.3452

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-476

Status draft

Affected Products (34)

apache/http_server

... and 19 more

Timeline

Published Jun 20, 2017

Tracked Since Feb 18, 2026