Vulnerability CVE-2017-9798 was discovered in Apache.
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c.
This issue affects the versions of httpd as shipped with OS distributions.
In order to be vulnerable, .htaccess files need to contain an invalid or not globally registered HTTP method in a "Limit" directive.
A remote user can obtain potentially sensitive information on the target system in certain cases.
Call to Action
For Debian 8 / Ubuntu 14/16
On Plesk Onyx, go to Tools & Settings > System Updates - Check for Updates. Refresh the page and select all Apache packages, click Update.
Or using SSH connection, update Apache package from OS repository:
# apt-get update && apt-get upgrade apache
For Debian 7
Perform dist-upgrade: How to perform dist-upgrade procedure on server with Plesk
For CentOS 6/7 / RHEL 6/7 / CloudLinux 6/7
The fixed versions of packages will be released soon by OS vendor.
For RHEL 5
Perform a migration to a higher OS version.