An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash.
Description Vasyl Kaigorodov
2015-03-24 10:14:07 UTC
Summary:
========
Subversion's mod_dav_svn and svnserve servers will trigger an assertion
while processing some requests with special parameters, which are evaluated
on the server side. The assertion will cause the svnserve process or the
process hosting the mod_dav_svn module (Apache) to abort.
This can lead to a DoS. There are no known instances of this problem
being exploited in the wild, but an exploit has been tested.
Details:
========
Subversion's http:// and svn:// protocol support includes certain request
types with parameters, which are evaluated on the server side. As an
example, sometimes clients need to trace the history of the object to its
origin, while not knowing the exact value of the origin (revision number)
prior to issuing the request.
Certain parameter combinations can exploit this behavior and force a server
into attempting an operation with invalid arguments. Subversion servers
guard against these situations with assertion statements, and the default
behavior for a failed assertion is to abort the current process.
Severity:
=========
CVSSv2 Base Score: 5.0
CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
We consider this to be a medium risk vulnerability.
Apache HTTPD servers with repositories that allow anonymous reads will be
vulnerable without authentication. Many Apache servers will respawn the
listener processes, but a determined attacker will be able to crash these
processes as they appear, denying service to legitimate users. Servers
using threaded MPMs will close the connection on other clients being
served by the same process that services the request from the attacker.
In either case there is an increased processing impact of restarting a
process and the cost of per process caches being lost.
Exploiting this behavior against svnserve does not require an attacker to
authenticate. A remote attacker can cause the svnserve process to terminate
and thus deny service to users of the server.
Unfortunately, no special configuration is required and all mod_dav_svn
and svnserve servers are vulnerable.
Recommendations:
================
No known workarounds are available.
Acknowledgements:
Red Hat would like to thank the Apache Software Foundation for reporting this issue. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter.
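
The failure mode described under "Details" above, as an added example that is not part of the original report and is not Subversion code: a request-derived value guarded by an abort-on-failure assertion ends the whole worker process, while validating it turns the same input into a per-request error. The names SERVER_ASSERT, HEAD_REV, resolve_asserting, resolve_validating and worker_fate, and the range check itself, are hypothetical stand-ins.

```c
#include <signal.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a server-side assertion whose default
   action on failure is to abort the current process. */
#define SERVER_ASSERT(cond) do { if (!(cond)) abort(); } while (0)

#define HEAD_REV 100L  /* constructed: youngest revision of a toy repository */

/* Assertion as the only guard: a revision outside [0, HEAD_REV]
   that was derived from a request terminates the process. */
long resolve_asserting(long requested_rev)
{
    SERVER_ASSERT(requested_rev >= 0 && requested_rev <= HEAD_REV);
    return requested_rev;
}

/* Validation instead: invalid input becomes an error result (-1)
   for this one request and the process keeps serving others. */
long resolve_validating(long requested_rev)
{
    if (requested_rev < 0 || requested_rev > HEAD_REV)
        return -1;
    return requested_rev;
}

/* Run a resolver in a child process, as a server worker would, and report
   how the worker ended: the terminating signal number, 0 for a normal
   exit, or -1 if fork/waitpid failed. */
int worker_fate(long (*resolve)(long), long requested_rev)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        resolve(requested_rev);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}
```

worker_fate() reports SIGABRT for the asserting variant on an out-of-range value, which is the same signal a monitoring system would see when a worker is lost this way.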
Comment 16 Siddharth Sharma
2015-10-27 10:36:51 UTC
Statement:
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.