Bug 1157281 (CVE-2014-8566)

Summary: CVE-2014-8566 mod_auth_mellon: remote memory disclosure flaw
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agriffit, security-response-team, ssorce, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-05 13:13:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1157283, 1157284    
Bug Blocks: 1157286    

Description Murray McAllister 2014-10-26 23:09:54 UTC 
mod_auth_mellon provides a SAML 2.0 authentication module for the Apache HTTP Server. A flaw was found that could result in sessions overlapping in memory. A remote attacker could use this flaw to leak memory that possibly contains sensitive information.
Comment 3 Simo Sorce 2014-10-27 12:55:01 UTC 
Note that it is not totally clear to me that memory is disclosed remotely, it certainly is discolosed to local applications in apache variables.
However such a leak could result in disclosures if the right vartiables are affect, also segfaults have been reported, so perhaps even exploitable in some cases.
Comment 5 Murray McAllister 2014-10-28 05:57:34 UTC 
Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue. Upstream acknowledges Matthew Slowe as the original reporter.
Comment 8 Simo Sorce 2014-11-03 14:14:37 UTC 
Issue is public now:
https://postlister.uninett.no/sympa/arc/modmellon/2014-11/msg00000.html
Comment 9 Murray McAllister 2014-11-04 01:38:48 UTC 
(In reply to Murray McAllister from comment #0)
> mod_auth_mellon provides a SAML 2.0 authentication module for the Apache
> HTTP Server. A flaw was found that could result in sessions overlapping in
> memory. A remote attacker could use this flaw to leak memory that possibly
> contains sensitive information.

Upstream describes this issue as:

It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)
Comment 10 Martin Prpič 2014-11-04 08:38:32 UTC 
IssueDescription:

An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.
Comment 11 errata-xmlrpc 2014-11-05 09:52:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1803 https://rhn.redhat.com/errata/RHSA-2014-1803.html
Comment 12 Huzaifa S. Sidhpurwala 2014-11-05 13:13:54 UTC 
Fedora 21 already ships mod_auth_mellon-0.9.1-1.fc21 and therefore is not affected by this issue.