Bug 1352476 (CVE-2016-4979)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2016-4979 httpd: X509 client certificate authentication bypass using HTTP/2 | | |
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | hhorak, jkaluza, jorton, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | httpd 2.4.23 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the way httpd performed client authentication using X.509 client certificates. When the HTTP/2 protocol was enabled, a remote attacker could use this flaw to access resources protected by certificate authentication without providing a valid client certificate. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-07-20 16:11:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1353203, 1354583 | | |
| Bug Blocks: | 1352479 | | |
Description

Adam Mariš, 2016-07-04 09:09:30 UTC

Acknowledgments:

Name: Apache Software Foundation
Upstream: Erki Aring (Liewenthal Electronics Ltd)
Public via: https://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1353203]

Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1750779

External References: http://httpd.apache.org/security/vulnerabilities_24.html#2.4.23

This issue only affected systems with the HTTP/2 protocol enabled. Support for HTTP/2 was only added in httpd version 2.4.18. Therefore, no version of Red Hat Enterprise Linux, Red Hat JBoss Web Server, or Red Hat JBoss Enterprise Application Platform currently includes an httpd version with HTTP/2 support, and hence they were not affected by this issue.

The httpd version in the httpd24 collection in Red Hat Software Collections includes support for HTTP/2 as of RHBA-2016:1154: https://rhn.redhat.com/errata/RHBA-2016-1154.html

The HTTP/2 protocol remains disabled by default as its support in httpd is still considered experimental.

httpd-2.4.23-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

httpd-2.4.23-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420