Bug 1375968 (CVE-2016-4975)

Summary: CVE-2016-4975 httpd: CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir
Product: [Other] Security Response Reporter: Timothy Walsh <twalsh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbaranow, bmaxwell, cdewolf, chazlett, cperry, csutherl, dandread, darran.lofthouse, dimitris, dmoppert, dosoudil, fnasser, gzaronik, hhorak, huzaifas, jason.greene, jawilson, jclere, jdoyle, jondruse, jorton, lgao, luhliari, mbabacek, mkoepke, mturk, myarboro, ppalaga, pslavice, rnetuka, rstancel, rsvoboda, security-response-team, sfowler, sstavrev, thoger, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd 2.2.32, httpd 2.4.25 Doc Type: If docs needed, set a value
Doc Text:
It was found that Apache was vulnerable to a HTTP response splitting attack for sites which use mod_userdir. An attacker could use this flaw to inject CRLF characters into the HTTP header and could possibly gain access to secure data.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:51:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1375970, 1375971, 1624693    
Bug Blocks: 1441206    

Description Timothy Walsh 2016-09-14 11:27:50 UTC 
Apache httpd before versions 2.2.32 and 2.4.25 are vulnerable to possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value.
Comment 10 Sam Fowler 2018-08-16 03:21:35 UTC 
External References:

https://httpd.apache.org/security/vulnerabilities_22.html#CVE-2016-4975
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
Comment 11 Timothy Walsh 2018-08-21 08:45:34 UTC 
The recent release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 contained the fix for CVE-2016-4975.
Comment 12 Huzaifa S. Sidhpurwala 2018-09-03 05:42:04 UTC 
Upstream patch:

https://svn.apache.org/viewvc?view=revision&revision=1777405 (This contains commits for some other non-security issues as well)
Comment 14 mkoepke 2018-10-17 16:28:27 UTC 
Is this CVE not going to be security backported to Apache HTTP Server 2.2.15?   It is getting flagged in security scans for RHEL6/Centos6 deployments as they use HTTP 2.2.
Comment 15 Sam Fowler 2018-10-17 23:44:55 UTC 
In reply to comment #14:
> Is this CVE not going to be security backported to Apache HTTP Server
> 2.2.15?   It is getting flagged in security scans for RHEL6/Centos6
> deployments as they use HTTP 2.2.

RHEL 6 is currently in Maintenance Support Phase 2:

> During the Maintenance Support 2 Phase, Critical impact Security Advisories (RHSAs) and 
> selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available. 
> Other errata advisories may be delivered as appropriate.

As this flaw has been rated Moderate, it is unlikely to receive a fix in RHEL 6. Please direct further support related queries to <secalert>.

https://access.redhat.com/support/policy/updates/errata/#Maintenance_Support_2_Phase
Comment 17 Jean-frederic Clere 2018-11-05 09:21:49 UTC 
It is public and was mitigated in 2.4.25,
Comment 25 Huzaifa S. Sidhpurwala 2019-12-20 06:33:49 UTC 
Joe,

Does this mean that after the fix for CVE-2016-8743 is applied, this issue is resolved and we no longer this need this CVE?