Bug 1866559 (CVE-2020-11985)

Summary: CVE-2020-11985 httpd: IP address spoofing when proxying using mod_remoteip and mod_rewrite
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anon.amish, csutherl, gzaronik, hhorak, jclere, jdoyle, jkaluza, jlyle, jorton, jwon, lgao, luhliari, mbabacek, mturk, pahan, pjindal, pslavice, rsvoboda, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd 2.4.24 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the mod_remoteip module shipped with the httpd package. This flaw allows an attacker to spoof the IP address, resulting in the bypass of a mod_rewrite rule. The highest threat from this vulnerability is to integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1867471, 1867472, 1867473, 1868147    
Bug Blocks: 1866566    

Description Pedro Sampaio 2020-08-05 21:54:16 UTC 
A flaw was found in httpd before version 2.4.24. When proxying using mod_remoteip and mod_rewrite its possible to spoof IP addresses.

Upstream patch:

https://svn.apache.org/viewvc?view=revision&revision=1767483
Comment 1 Pedro Sampaio 2020-08-05 21:54:20 UTC 
Acknowledgments:

Name: the Apache project
Comment 3 Ted Jongseok Won 2020-08-06 00:16:33 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 7 Guilherme de Almeida Suckevicz 2020-08-11 19:45:42 UTC 
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1868147]
Comment 9 Huzaifa S. Sidhpurwala 2020-08-16 09:52:27 UTC 
Statement:

This issue only affects httpd-2.4.x, therefore, httpd packages shipped with Red Hat Enterprise Linux 6 are not affected by this flaw.
Comment 10 Huzaifa S. Sidhpurwala 2020-08-16 10:03:05 UTC 
External References:

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11985