Bug 1032266 (CVE-2013-4547)

Summary: CVE-2013-4547 nginx: security restriction bypass flaw due to whitespace parsing
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: affix, athmanem, gianluca.varisco, jeremy, jkaluza, jorton, jrusnack, pavel.lisy, peter.borsa, tis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nginx 1.5.7, nginx 1.4.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-18 21:20:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1032267, 1032269, 1032270    
Bug Blocks:    

Description Vincent Danen 2013-11-19 21:10:01 UTC 
It was reported [1] that nginx suffered from a flaw where an attacker could bypass security restrictions in certain configurations due to how the HTTP request parser handled URI's with an unescaped space character.

This problem affects nginx 0.8.41 through to 1.5.6; new 1.5.7 and 1.4.4 releases are available to correct this.  A patch [2] also exists for older versions.

As a temporary workaround the following configuration can be used in each server{} block:

    if ($request_uri ~ " ") {
        return 444;
    } 

[1] http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
[2] http://nginx.org/download/patch.2013.space.txt
Comment 1 Vincent Danen 2013-11-19 21:11:41 UTC 
Created nginx tracking bugs for this issue:

Affects: fedora-all [bug 1032267]
Affects: epel-5 [bug 1032269]
Affects: epel-6 [bug 1032270]
Comment 3 Fedora Update System 2013-12-02 09:36:29 UTC 
nginx-1.4.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2013-12-14 03:27:58 UTC 
nginx-1.4.4-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2014-11-30 19:13:44 UTC 
nginx-0.8.55-6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-11-30 19:20:32 UTC 
nginx-1.0.15-11.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.