Overview
This document addresses concerns about ePO and an Apache vulnerability. This report reflects questions about CVE-2017-9798, and refers to the following Apache Security Advisory.

Description
Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations (for example, Optionsbleed). The attacker sends an unauthenticated OPTIONS HTTP request when trying to read secret data. This issue is a use-after-free issue, so secret data is not always sent. The specific data depends on many factors, including configuration.

Research and Conclusions
The engineering team has researched the CVE and the conclusion is that ePO is not vulnerable.

The OPTIONS HTTP method is by default disabled in ePO Apache server. Anyone running OPTIONS against ePO Apache sees a 403 Forbidden HTTP response. By default, we do not have any misconfigurations or incorrect settings to the Limit directive in our Apache configuration file, which is one of the root causes of this vulnerability.

NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.