Bug 1463194 (CVE-2017-3167)

Summary: CVE-2017-3167 httpd: ap_get_basic_auth_pw() authentication bypass
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, bmaxwell, cdewolf, chazlett, clichybi, csutherl, darran.lofthouse, dimitris, dosoudil, fgavrilo, fnasser, gzaronik, hhorak, hpham, jason.greene, jawilson, jboss-set, jclere, jdoyle, jkaluza, jondruse, jorton, jshepherd, kbost, lgao, luhliari, mbabacek, mmiura, mturk, myarboro, pahan, pgier, pjurak, ppalaga, pragshar, psakar, pslavice, rnetuka, rstancel, rsvoboda, sardella, taylor.gresser, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20170620,reported=20170620,source=cve,cvss3=7.4/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N,cwe=CWE-592,rhel-5/httpd=wontfix,rhel-6/httpd=affected,rhel-7/httpd=affected,rhscl-2/httpd24-httpd=affected,eap-5/jbossas=notaffected,eap-6/jbossas=wontfix,jbews-1/httpd=wontfix,jbews-2/httpd=wontfix,jbcs-1/httpd=affected,fedora-all/httpd=affected,jbews-3/httpd=defer
Fixed In Version: httpd 2.2.34, httpd 2.4.26 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the use of httpd's ap_get_basic_auth_pw() API function outside of the authentication phase could lead to authentication bypass. A remote attacker could possibly use this flaw to bypass required authentication if the API was used incorrectly by one of the modules used by httpd.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:15:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1463208, 1464872, 1464873, 1465916, 1473691, 1473692, 1473693, 1473696, 1473697, 1510060, 1510061, 1510062    
Bug Blocks: 1463212, 1464082, 1524240    

Description Andrej Nemec 2017-06-20 11:15:58 UTC
Use of the ap_get_basic_auth_pw() in Apache httpd by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

References:

https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E

External References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://httpd.apache.org/security/vulnerabilities_22.html

Comment 1 Andrej Nemec 2017-06-20 11:37:05 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1463208]

Comment 12 errata-xmlrpc 2017-08-15 18:13:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2478 https://access.redhat.com/errata/RHSA-2017:2478

Comment 13 errata-xmlrpc 2017-08-15 18:25:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2479 https://access.redhat.com/errata/RHSA-2017:2479

Comment 14 errata-xmlrpc 2017-08-16 23:06:19 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2483 https://access.redhat.com/errata/RHSA-2017:2483

Comment 17 errata-xmlrpc 2017-11-13 17:36:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:3193 https://access.redhat.com/errata/RHSA-2017:3193

Comment 18 errata-xmlrpc 2017-11-13 17:38:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:3195 https://access.redhat.com/errata/RHSA-2017:3195

Comment 19 errata-xmlrpc 2017-11-13 17:40:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:3194 https://access.redhat.com/errata/RHSA-2017:3194

Comment 20 errata-xmlrpc 2017-12-15 22:23:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:3475 https://access.redhat.com/errata/RHSA-2017:3475

Comment 21 errata-xmlrpc 2017-12-15 22:35:08 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:3476 https://access.redhat.com/errata/RHSA-2017:3476

Comment 22 errata-xmlrpc 2017-12-15 22:36:39 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:3477 https://access.redhat.com/errata/RHSA-2017:3477