Bug 1082903 (CVE-2013-5704)
| Summary: | CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | anil.saldhana, cdewolf, chalbersma, chazlett, dandread, darran.lofthouse, dsirrine, fnasser, grocha, huwang, jason.greene, jawilson, jboss-set, jclere, jdoyle, jkaluza, joallen, jorton, jshort, lgao, mickygough, mmaslano, myarboro, pahan, pcheung, pgier, pslavice, rmeggins, rsvoboda, sardella, security-response-team, slong, twalsh, vdanen, vtunka, webstack-team, weli |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | httpd 2.2.29, httpd 2.4.11 | Doc Type: | Bug Fix |
| Doc Text: |
A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:32:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1082908, 1166709, 1167158, 1167159, 1167817, 1175781, 1238189 | ||
| Bug Blocks: | 1082909, 1149710, 1193283, 1204223, 1286624, 1290842 | ||
|
Description
Murray McAllister
2014-04-01 04:48:38 UTC
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1082908] My position on this: http://marc.info/?l=apache-httpd-dev&m=139636309822854&w=2 This could really be considered as a border line security case, perhaps even dismissed as a bug rather than a security flaw. Applications should be careful about making authentication or authorization decisions based on a the presence or absence of a particular header in the HTTP request, as these headers can be easily crafted by malicious users. Presence of mod_headers rules to filter these headers from the user request should not be considered as the only condition on which applications base these decisions. The above being said, there is no upstream fix for this issue yet. Statement: This issue affects the versions of the httpd package as shipped with Red Hat JBoss Enterprise Application Platform 6; and Red Hat JBoss Web Server 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Certificate System does not use the mod_headers module, even when installed, and is thus not affected by this flaw. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. Red Hat JBoss Enterprise Application Platform 5 and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ This has been patched upstream in Apache 2.2.28/2.2.29 released September 1. Changelog: http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/CHANGES Upstream commit: https://github.com/apache/httpd/commit/bd34b9d92894b7fc01810fc11a059fa30067e431#diff-381c180d963fb4507c77d80edb208224 Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1610814 Related commit that updated the documentation for the new MergeTrailers configuration directive introduced as part of the fix for this issue, and that can be used to restore old HTTP trailers handling behavior: http://svn.apache.org/viewvc?view=revision&revision=1619821 IssueDescription: A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers. This issue has been addressed in the following products: Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 Via RHSA-2014:1972 https://rhn.redhat.com/errata/RHSA-2014-1972.html httpd-2.4.10-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0325 https://rhn.redhat.com/errata/RHSA-2015-0325.html httpd-2.4.10-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. This does not affect certificate server as it does not use the unset directive. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1249 https://rhn.redhat.com/errata/RHSA-2015-1249.html This issue has been addressed in the following products: JBoss Web Server 3.0.2 Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660 This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659 This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html This issue has been addressed in the following products: JBEWS 2 for RHEL 7 JBEWS 2 for RHEL 6 JBEWS 2 for RHEL 5 Via RHSA-2016:0061 https://rhn.redhat.com/errata/RHSA-2016-0061.html |