Bug 1326320 (CVE-2016-3110)

Summary: CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
Product: [Other] Security Response
Reporter: Timothy Walsh <twalsh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bbaranow, bgollahe, bmaxwell, bperkins, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dknox, jawilson, jclere, jdoyle, kanderso, lgao, mbabacek, mmaslano, myarboro, pgier, psakar, pslavice, rnetuka, rsvoboda, security-response-team, twalsh, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/JWS-363
https://issues.redhat.com/browse/JBCS-35
Doc Type: Bug Fix
Doc Text:
It was discovered that it is possible to remotely segfault the Apache HTTP Server with a specially crafted string sent to mod_cluster via service messages (MCMP).
Last Closed: 2019-06-08 02:50:37 UTC
Bug Depends On: 1326325, 1326327, 1326328, 1338646, 1374210, 1374211    
Bug Blocks: 1326299    

Description Timothy Walsh 2016-04-12 12:11:43 UTC
It is possible to remotely Segfault
Apache http server with a specially crafted string
sent to the mod_cluster via service messages (MCMP).

Only the VirtualHost explicitly enabled by an administrator
to receive service messages from worker nodes (Tomcat or EAP workers).
Unless the administrator made a grave mistake in opening an
unsecured mod_cluster management VirtualHost to
the Internet without any authentication, it is impossible
to exploit this bug from an untrusted client.

Special set of mod_cluster management protocol HTTP method
requests. One could pass a certain number of = symbols
in sequence after a legitimate element and cause segfault.
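
The exposure condition described above, shown as an added configuration example that is not part of the original report or of the mod_cluster project: the commented-out block is an MCMP management VirtualHost open to any client, and the active block limits it to the worker-node network. It assumes Apache httpd 2.4 access-control syntax (httpd 2.2 uses Order/Deny/Allow instead); the addresses, port and balancer name are constructed placeholders.

```apache
# Added example; addresses, port and balancer name are constructed placeholders.

# Exposed form: MCMP service messages are accepted on every interface from
# any client, with no access control. Left commented out on purpose.
#
# Listen 6666
# <VirtualHost *:6666>
#     <Location />
#         Require all granted
#     </Location>
#     EnableMCPMReceive
#     ManagerBalancerName examplecluster
# </VirtualHost>

# Restricted form: bind the management VirtualHost to an internal address and
# accept MCMP only from the subnet where the Tomcat/EAP worker nodes live.
Listen 192.0.2.10:6666
<VirtualHost 192.0.2.10:6666>
    <Location />
        # Worker-node subnet (placeholder)
        Require ip 192.0.2.0/24
    </Location>

    KeepAliveTimeout 60
    MaxKeepAliveRequests 0

    # Only this VirtualHost processes MCMP service messages
    EnableMCPMReceive
    ManagerBalancerName examplecluster

    # Status page: narrower allow-list than the MCMP channel (admin host, placeholder)
    <Location /mod_cluster_manager>
        SetHandler mod_cluster-manager
        Require ip 192.0.2.20
    </Location>
</VirtualHost>
```

Running `apachectl -S` after the change confirms which address and port the management VirtualHost is actually bound to.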

Comment 1 Timothy Walsh 2016-04-12 12:11:54 UTC
Acknowledgments:

Name: Michal Karm Babacek

Comment 5 errata-xmlrpc 2016-08-22 18:09:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

Comment 6 errata-xmlrpc 2016-08-22 18:11:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6

Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html

Comment 7 errata-xmlrpc 2016-08-22 18:12:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html

Comment 8 Timothy Walsh 2016-09-08 09:07:27 UTC
Created mod_cluster tracking bugs for this issue:

Affects: fedora-all [bug 1374210]
Affects: epel-6 [bug 1374211]

Comment 9 errata-xmlrpc 2016-10-12 16:59:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.10

Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html

Comment 10 errata-xmlrpc 2016-10-12 17:08:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html

Comment 11 errata-xmlrpc 2016-10-12 17:19:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html