In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent reply attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://www.openwall.com/lists/oss-security/2018/03/24/7 cve-icon cve-icon
http://www.securityfocus.com/bid/103524 cve-icon cve-icon
http://www.securitytracker.com/id/1040571 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3558 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:0366 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:0367 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:1898 cve-icon cve-icon
https://httpd.apache.org/security/vulnerabilities_24.html cve-icon cve-icon cve-icon
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2018/05/msg00020.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-1312 cve-icon
https://security.netapp.com/advisory/ntap-20180601-0004/ cve-icon cve-icon
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us cve-icon cve-icon
https://usn.ubuntu.com/3627-1/ cve-icon cve-icon
https://usn.ubuntu.com/3627-2/ cve-icon cve-icon
https://usn.ubuntu.com/3937-2/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-1312 cve-icon
https://www.debian.org/security/2018/dsa-4164 cve-icon cve-icon
https://www.tenable.com/security/tns-2019-09 cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-09-16T19:14:07.045Z

Reserved: 2017-12-07T00:00:00

Link: CVE-2018-1312

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-03-26T15:29:00.587

Modified: 2024-11-21T03:59:36.213

Link: CVE-2018-1312

cve-icon Redhat

Severity : Low

Publid Date: 2018-03-21T00:00:00Z

Links: CVE-2018-1312 - Bugzilla

cve-icon OpenCVE Enrichment

No data.