Bug 1695020 (CVE-2019-0217)

Summary: CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Maryna Nalbandian <mnalband>
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anon.amish, bmcclain, csutherl, dblechte, dfediuck, eedri, fadamo, gandavar, gzaronik, hhorak, huzaifas, jclere, jdoyle, jkaluza, jorton, lgao, luhliari, mbabacek, mgoldboi, michal.skrivanek, mturk, myarboro, pahan, pslavice, rsvoboda, sbonazzo, sherold, twalsh, weli, yozone, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: httpd 2.4.39
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1695046, 1696140, 1696141, 1696142
Bug Blocks: 1694984

Description Dhananjay Arunesh 2019-04-02 10:10:17 UTC
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Comment 3 Dhananjay Arunesh 2019-04-02 11:32:50 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1695046]

Comment 4 Huzaifa S. Sidhpurwala 2019-04-04 06:55:06 UTC
Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1855298

Comment 8 Huzaifa S. Sidhpurwala 2019-04-04 08:31:10 UTC
Analysis:

This issue only affected Digest authentication configurations. If the attacker is able to win the race condition, it is possible that, with valid credentials of one user, the attacker can log in as some other user (without knowing the credentials for that user). Also, only threaded MPM configurations are affected.

Red Hat Enterprise Linux 7 and Red Hat Software Collections do not ship the httpd package in a threaded MPM configuration by default.

Based on the fact that digest authentication is rarely used in modern day web applications and the httpd packages shipped with Red Hat products do not ship a threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact.

Comment 12 Doran Moppert 2019-04-09 02:46:05 UTC
rhvm-appliance does not use Digest authentication, thus marking it notaffected.

Comment 15 Huzaifa S. Sidhpurwala 2019-05-15 09:41:31 UTC
Statement:

Based on the fact that digest authentication is rarely used in modern day web applications and the httpd packages shipped with Red Hat products do not ship a threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact. Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 18 Huzaifa S. Sidhpurwala 2019-05-22 05:58:47 UTC
Mitigation:

This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In versions of the httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
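
As an added check (not part of the bug report or of the httpd project), the script below applies the two preconditions named in the analysis and the mitigation above, a threaded MPM plus Digest authentication, to `httpd -V` output and a configuration fragment; the sample inputs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added check (not from the bug report): flag hosts that match both
# preconditions the analysis above names, a threaded MPM plus Digest auth.
# Sample inputs below are constructed, not captured from a real server.

# Return 0 when the "Server MPM:" line of `httpd -V` names a threaded MPM.
mpm_is_threaded() {
    mpm=$(printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*//p')
    case "$mpm" in
        worker|event) return 0 ;;   # threaded: the race is reachable
        *)            return 1 ;;   # prefork (or unknown): the mitigation
    esac
}

# Return 0 when any uncommented directive line enables Digest authentication.
uses_digest_auth() {
    printf '%s\n' "$1" | grep -qiE '^[[:space:]]*AuthType[[:space:]]+Digest'
}

# Verdict: returns 0 (exposed) only when both conditions hold; prints the reason.
cve_2019_0217_exposed() {
    mpm=$(printf '%s\n' "$1" | sed -n 's/^Server MPM:[[:space:]]*//p')
    if mpm_is_threaded "$1" && uses_digest_auth "$2"; then
        echo "EXPOSED: MPM '$mpm' is threaded and Digest auth is configured"
        return 0
    fi
    echo "not exposed: MPM '$mpm' or no Digest auth in the scanned config"
    return 1
}

# Constructed `httpd -V` excerpts: a threaded (event) build and a prefork one.
SAMPLE_V_EVENT='Server version: Apache/2.4.38 (Unix)
Server MPM:     event
  threaded:     yes (fixed thread count)'
SAMPLE_V_PREFORK='Server version: Apache/2.4.6 (Red Hat Enterprise Linux)
Server MPM:     prefork
  threaded:     no'
# Constructed vhost fragment that protects a path with Digest auth.
SAMPLE_CONF_DIGEST='<Location "/private">
    AuthType Digest
    AuthName "private area"
    AuthUserFile /etc/httpd/digest.db
    Require valid-user
</Location>'

# Demo on the samples: the event build is flagged, the prefork build is not.
# On a real host: cve_2019_0217_exposed "$(httpd -V)" "$(cat /etc/httpd/conf.d/*.conf)"
cve_2019_0217_exposed "$SAMPLE_V_EVENT"   "$SAMPLE_CONF_DIGEST"
cve_2019_0217_exposed "$SAMPLE_V_PREFORK" "$SAMPLE_CONF_DIGEST" || :
```

On Red Hat Enterprise Linux 7 the active MPM is chosen by the single uncommented LoadModule line in /etc/httpd/conf.modules.d/00-mpm.conf, so switching a threaded host to prefork is a one-line change there followed by a restart. Whether the package itself already carries the fix is answered by the errata listed below rather than by the version string, since Red Hat backports fixes without changing the upstream version number.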

Comment 19 errata-xmlrpc 2019-08-06 12:42:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2343 https://access.redhat.com/errata/RHSA-2019:2343

Comment 20 Product Security DevOps Team 2019-08-06 19:20:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-0217

Comment 22 errata-xmlrpc 2019-11-05 20:54:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3436 https://access.redhat.com/errata/RHSA-2019:3436

Comment 23 errata-xmlrpc 2019-11-20 16:08:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 24 errata-xmlrpc 2019-11-20 16:13:32 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 25 errata-xmlrpc 2019-11-20 16:21:10 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

Comment 26 errata-xmlrpc 2019-12-10 07:57:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4126 https://access.redhat.com/errata/RHSA-2019:4126