Bug 1243887 (CVE-2015-3183)
Summary: | CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Status: | CLOSED ERRATA |
Severity: | medium |
Priority: | medium |
Version: | unspecified |
Hardware: | All |
OS: | Linux |
Reporter: | Vasyl Kaigorodov <vkaigoro> |
Assignee: | Red Hat Product Security <security-response-team> |
CC: | ajuricic, bbaranow, bmaxwell, carnil, cdewolf, ceph-eng-bugs, chazlett, cpelland, csutherl, dajohnso, dandread, darran.lofthouse, dclarizi, dosoudil, dsirrine, enagai, fnasser, gblomqui, gmccullo, gtanzill, gzaronik, hasingh, hhorak, hhudgeon, huwang, jason.greene, jawilson, jboss-set, jclere, jdoyle, jfrey, jhardy, jkaluza, joallen, jorton, jprause, jvlcek, kseifried, lgao, luhliari, mbabacek, mfrodl, mmaslano, myarboro, obarenbo, pahan, pgier, psakar, pslavice, rmeggins, rnetuka, roliveri, rsvoboda, simaishi, twalsh, vtunka, webstack-team, weli, wili, xlecauch |
Keywords: | Security |
Fixed In Version: | httpd 2.2.31, httpd 2.4.16 |
Doc Type: | Bug Fix |
Doc Text: | Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. |
Last Closed: | 2017-03-10 12:51:48 UTC |
Bug Depends On: | 1243894, 1249799, 1249800, 1249801, 1249802, 1249803, 1249804, 1257425, 1257426, 1257450, 1257451 |
Bug Blocks: | 1243893, 1286624, 1290842 |

Description
Vasyl Kaigorodov
2015-07-16 13:58:48 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1243894]

httpd-2.4.16-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

This issue was actually fixed in version 2.4.14. However, as versions 2.4.14 and 2.4.15 were not released, 2.4.16 is the first released upstream version that includes the fix. This issue was also fixed in 2.2.31.

Upstream commits in 2.4.x and 2.2.x branches:

https://svn.apache.org/viewvc?view=revision&revision=1684515
https://svn.apache.org/viewvc?view=revision&revision=1687338

External References:

http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.31

httpd-2.4.16-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Upstream patch is rather invasive and includes a rewrite of chunked encoding parsing that was applied to upstream trunk in 2013. There are few changes that make parsing more strict, but it does not seem the specific attack vector that was reported upstream was made public.

These fixes, in general, apply to all httpd versions as shipped in currently supported Red Hat Enterprise Linux versions.

Assuming the httpd is used as the target host that serves malicious HTTP requests, disabling keep-alive (via KeepAlive Off configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd.

As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used.

The following mod_rewrite rule will reject requests with Transfer-Encoding: chunked HTTP header:

    RewriteEngine on
    RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
    RewriteRule .* - [R=400]

This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests ending with HTTP error code 400 (Bad Request), which may indicate clients actually trying to use chunked encoded requests.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1668 https://rhn.redhat.com/errata/RHSA-2015-1668.html

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1666 https://rhn.redhat.com/errata/RHSA-2015-1666.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1667 https://rhn.redhat.com/errata/RHSA-2015-1667.html

Mitigation:

Disabling keep-alive (via the "KeepAlive Off" configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd.

As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used.

The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header:

    RewriteEngine on
    RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
    RewriteRule .* - [R=400]

This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.

This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html

This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660

This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659

This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html

This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2016:0061 https://rhn.redhat.com/errata/RHSA-2016-0061.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.10

Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html
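
The log monitoring recommended alongside the mod_rewrite mitigation can be scripted. The following is an added example, not part of the bug report or of httpd: it compares the share of 400 responses before and after the rule was deployed and lists the clients receiving them afterwards. The deployment time, the sample log lines and the function names are constructed for illustration, and the access log is assumed to use the common or combined format.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Common/combined log prefix: host ident user [time] "request" status bytes
# The request field may contain backslash-escaped quotes, as httpd writes them.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?:[^"\\]|\\.)*" (?P<status>\d{3}) '
)

def parse(line):
    """Return (host, timestamp, status), or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, int(m["status"])

def summarize_400s(lines, deployed_at):
    """Share of 400s before/after deployment and the clients hit afterwards."""
    total = {"before": 0, "after": 0}
    bad = {"before": 0, "after": 0}
    clients = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip truncated or foreign lines instead of failing
        host, ts, status = rec
        period = "after" if ts >= deployed_at else "before"
        total[period] += 1
        if status == 400:
            bad[period] += 1
            if period == "after":
                clients[host] += 1
    rate = {p: (bad[p] / total[p] if total[p] else 0.0) for p in total}
    return rate, clients.most_common()

# Constructed sample data (documentation address ranges), not real traffic.
DEPLOYED_AT = datetime(2015, 8, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2015:11:10:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Aug/2015:11:20:00 +0000] "POST /upload HTTP/1.1" 200 31',
    '192.0.2.12 - - [01/Aug/2015:11:40:00 +0000] "GET /x HTTP/1.1" 400 226',
    '192.0.2.10 - - [01/Aug/2015:11:50:00 +0000] "GET /a HTTP/1.1" 200 100',
    '198.51.100.7 - - [01/Aug/2015:12:05:00 +0000] "POST /upload HTTP/1.1" 400 226',
    '198.51.100.7 - - [01/Aug/2015:12:06:00 +0000] "POST /upload HTTP/1.1" 400 226',
    '192.0.2.10 - - [01/Aug/2015:12:07:00 +0000] "GET / HTTP/1.1" 200 512',
    r'198.51.100.9 - - [01/Aug/2015:12:09:00 +0000] "POST /api?q=\"x\" HTTP/1.1" 400 226',
    'not a log line',
]
```

A 400 can have causes other than the rewrite rule, so the signal is the change against the pre-deployment rate; logging the request header with `%{Transfer-Encoding}i` in a custom LogFormat lets the affected clients be confirmed directly.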