Bug 1352476 (CVE-2016-4979)
| Summary: | CVE-2016-4979 httpd: X509 client certificate authentication bypass using HTTP/2 |
| Product: | [Other] Security Response |
| Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability |
| Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA |
| QA Contact: | |
| Version: | unspecified |
| CC: | hhorak, jkaluza, jorton, security-response-team |
| Fixed In Version: | httpd 2.4.23 |
| Doc Type: | If docs needed, set a value |
| Last Closed: | 2016-07-20 16:11:06 UTC |
| Type: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Bug Depends On: | 1353203, 1354583 |

A flaw was found in the way httpd performed client authentication using X.509 client certificates. When the HTTP/2 protocol was enabled, a remote attacker could use this flaw to access resources protected by certificate authentication without providing a valid client certificate.
Description Adam Mariš 2016-07-04 09:09:30 UTC
The Apache HTTPD web server (from 2.4.18/r1715255 up to 2.4.23/r1750779) did not validate an X509 client certificate correctly when HTTP/2 is used to access a resource. As a result - a resource thought to be secure and requiring a valid client certificate - would be accessible without authentication provided that the mod_http2 was loaded, h2 or h2c activated, that the browser used the HTTP/2 protocol and it would do more than one request over a given connection. A third party can gain access to resources on the web server without the requisite credentials. This can then lead to unauthorised disclosure of information. This issue has been fixed in version 2.4.23 (r1750779). As a temporary workaround - HTTP/2 can be disabled by changing the configuration by removing h2 and h2c from the Protocols line(s) in the configuration file. The resulting line should read:
Protocols http/1.1
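The description above gives three preconditions (affected version range, mod_http2 loaded, h2 or h2c listed in a Protocols line) and one workaround (reduce the Protocols line to http/1.1). The following POSIX shell snippet is an added example, not part of the Bugzilla report or of httpd itself: it turns those preconditions into an offline exposure check and applies the documented workaround to a config text. It assumes the version string, module list and configuration are passed in as text (in practice the output of `httpd -v`, `httpd -M` and the config files); the sample inputs at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): assess whether an httpd instance
# matches the CVE-2016-4979 preconditions and apply the Protocols workaround.

# Prints 1 if the version is in the affected range 2.4.18 .. 2.4.22
# (2.4.23 carries the fix, r1750779), else 0. Trailing release tags such as
# "-3.fc24" are ignored.
version_affected() {
    v="$1"
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}
    [ "$major" = 2 ] && [ "$minor" = 4 ] \
        && [ "$patch" -ge 18 ] && [ "$patch" -le 22 ] && echo 1 || echo 0
}

# Prints 1 if the `httpd -M` style module list names http2_module, else 0.
module_loaded() {
    printf '%s\n' "$1" | grep -q 'http2_module' && echo 1 || echo 0
}

# Prints 1 if any non-comment Protocols directive lists h2 or h2c, else 0.
h2_enabled() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -i '^[[:space:]]*Protocols[[:space:]]' \
        | grep -Eiq '(^|[[:space:]])h2c?([[:space:]]|$)' && echo 1 || echo 0
}

# Prints EXPOSED only when all three preconditions hold; the bug also needs
# an HTTP/2 client making more than one request on a connection, which a
# server-side config check cannot rule out, so this errs on the side of caution.
assess() {
    if [ "$(version_affected "$1")" = 1 ] \
        && [ "$(module_loaded "$2")" = 1 ] \
        && [ "$(h2_enabled "$3")" = 1 ]; then
        echo EXPOSED
    else
        echo NOT-EXPOSED
    fi
}

# The workaround from the report: rewrite every Protocols directive to
# "Protocols http/1.1", leaving everything else untouched.
apply_workaround() {
    printf '%s\n' "$1" \
        | sed -E 's/^([[:space:]]*Protocols)[[:space:]].*/\1 http\/1.1/'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF='Listen 443
Protocols h2 http/1.1
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
# Protocols h2c http/1.1   (commented out, must be ignored)'

SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'

# Demo: assess the constructed instance, then show the patched config.
echo "before workaround: $(assess 2.4.20 "$SAMPLE_MODULES" "$SAMPLE_CONF")"
FIXED_CONF=$(apply_workaround "$SAMPLE_CONF")
echo "after workaround:  $(assess 2.4.20 "$SAMPLE_MODULES" "$FIXED_CONF")"
printf '%s\n' "$FIXED_CONF"
```

Run it against a live host by substituting `$(httpd -v | sed -n 's/.*Apache\/\([0-9.]*\).*/\1/p')`, `$(httpd -M 2>/dev/null)` and the concatenated config for the three arguments of `assess`. Upgrading to 2.4.23 is the real fix; the Protocols rewrite is the temporary measure the report names and should be reverted once the upgraded package is in place.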
Comment 1 Adam Mariš 2016-07-04 09:09:48 UTC
Acknowledgments:
Name: Apache Software Foundation
Upstream: Erki Aring (Liewenthal Electronics Ltd)
Comment 2 Martin Prpič 2016-07-06 13:48:29 UTC
Comment 3 Martin Prpič 2016-07-06 13:50:18 UTC
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1353203]
Comment 4 Tomas Hoger 2016-07-07 08:57:29 UTC
Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1750779
External References: http://httpd.apache.org/security/vulnerabilities_24.html#2.4.23
Comment 7 Tomas Hoger 2016-07-12 10:05:51 UTC
This issue only affected systems with HTTP/2 protocol enabled. The support for HTTP/2 was only added in httpd version 2.4.18. Therefore, no version of Red Hat Enterprise Linux, Red Hat JBoss Web Server, or Red Hat JBoss Enterprise Application Platform currently includes an httpd version with HTTP/2 support, and hence they were not affected by this issue. The httpd version in the httpd24 collection in Red Hat Software Collections includes support for HTTP/2 as of RHBA-2016:1154:
https://rhn.redhat.com/errata/RHBA-2016-1154.html
The HTTP/2 protocol remains disabled by default as its support in httpd is still considered experimental.
Comment 8 Fedora Update System 2016-07-12 15:01:47 UTC
httpd-2.4.23-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2016-07-15 10:23:17 UTC
httpd-2.4.23-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 errata-xmlrpc 2016-07-18 15:33:25 UTC
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420