Bug 1142573 (CVE-2014-3616)

Summary: CVE-2014-3616 nginx: virtual host confusion
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: affix, athmanem, carnil, jeremy, jkaluza, jorton, mickygough, mmaslano, pavel.lisy, peter.borsa, vdanen, webstack-team, wtogami
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-12 08:37:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1142575, 1142576, 1142661    
Bug Blocks: 1142578    

Description Murray McAllister 2014-09-17 04:48:55 UTC 
Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.

The upstream changelog describes the issue as:

""
it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks
""

Full details and some mitigation strategies are available in their paper:

http://bh.ht.vc/vhost_confusion.pdf

It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases:

http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Upstream patch:

http://trac.nginx.org/nginx/changeset/5841/nginx

External References:

http://bh.ht.vc/vhost_confusion.pdf
Comment 1 Murray McAllister 2014-09-17 04:50:38 UTC 
Created nginx tracking bugs for this issue:

Affects: fedora-all [bug 1142575]
Affects: epel-all [bug 1142576]
Comment 5 Fedora Update System 2014-09-30 01:53:24 UTC 
nginx-1.6.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-10-10 15:59:39 UTC 
nginx-1.4.7-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-10-10 16:07:47 UTC 
nginx-1.4.7-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-10-23 16:06:40 UTC 
nginx-1.6.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2014-11-06 08:56:47 UTC 
This issue affected the nginx14-nginx packages as shipped in Red Hat Software Collections 1.  This collection was replaced by nginx16 collection in Red Hat Software Collections 1.2, which includes a fix for this issue.  The nginx14-nginx are no longer supported and will not be fixed.

https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes
https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-Migration.html#sect-Migration-Migrate_nginx
Comment 11 Fedora Update System 2014-11-09 15:39:30 UTC 
nginx-1.0.15-10.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.