Bug 2273491 (CVE-2023-38709)

Summary: CVE-2023-38709 httpd: HTTP response splitting
Product: [Other] Security Response    Reporter: Pedro Sampaio <psampaio>
Component: vulnerability    Assignee: Product Security <prodsec-ir-bot>
Status: NEW    QA Contact:
Severity: medium    Docs Contact:
Priority: medium
Version: unspecified    CC: anjoseph, asoldano, athreadgill, bbaranow, bdettelb, bmaxwell, bmertens, brian.stansberry, caswilli, cdewolf, chazlett, conathan, csutherl, darran.lofthouse, dfreiber, dkreling, doconnor, dosoudil, eglynn, fjuma, hhorak, istudens, ivassile, iweiss, jburrell, jclere, jjoyce, jorton, jprabhak, jschluet, kaycoth, lgao, lhh, lsvaty, luhliari, mburns, mgarciac, mosmerov, msochure, mstefank, msvehla, nwallace, pesilva, pgrist, pjindal, plodge, pmackay, ralloway, rogbas, rstancel, smaestri, szappis, szhong, teagle, tom.jenkinson, tosorio, vkumar, wtam
Target Milestone: ---    Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: httpd 2.4.59    Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in httpd. Response headers are not sanitized before an HTTP response is sent, so a malicious backend or content generator can insert a Content-Type, Content-Encoding, or other header, resulting in HTTP response splitting.
Story Points: ---
Clone Of:    Environment:
Last Closed:    Type: ---
Regression: ---    Mount Type: ---
Documentation: ---    CRM:
Verified Versions:    Category: ---
oVirt Team: ---    RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---    Target Upstream Version:
Embargoed:
Bug Depends On: 2273492, 2273493, 2273494, 2273495, 2273496
Bug Blocks: 2273504
Attachments:
Description: POC to demonstrate CVE-2023-38709 vulnerability    Flags: none

Description Pedro Sampaio 2024-04-04 18:52:16 UTC
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://svn.apache.org/viewvc?view=revision&revision=1916770

Comment 1 Pedro Sampaio 2024-04-04 18:53:21 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2273492]

Comment 5 errata-xmlrpc 2024-07-01 08:04:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4197 https://access.redhat.com/errata/RHSA-2024:4197

Comment 6 athreadgill 2024-07-03 19:54:38 UTC
When applying the patch for this issue it seems to entirely rewrite the /var/www/html folder and delete its content, using the below:
2.4.37-65.module+el8.10.0+21982+14717793

Comment 7 Bram Mertens 2024-07-05 09:16:38 UTC
(In reply to athreadgill from comment #6)
> When applying the patch for this issue it seems to entirely rewrite the
> /var/www/html folder and delete its content, using the below:
> 2.4.37-65.module+el8.10.0+21982+14717793

I'm unable to reproduce this. The scripts included in the httpd package do not touch /var/www/html.
If you are able to reproduce this, I recommend opening a support case, ideally with an sos report of the situation before and after the update.

Comment 11 szhong 2024-08-09 00:07:05 UTC
Created attachment 2043759 [details]
POC to demonstrate CVE-2023-38709 vulnerability

I have a POC that demonstrates the patch for Red Hat 8 did not resolve the vulnerability. Steps to reproduce:

1. compile
$ sudo apxs -i -a -c mod_example.c

2. modify /etc/httpd/conf/httpd.conf by adding the following

AddHandler example-handler .sum

3. start httpd

sudo httpd

4. run curl

$ curl -H 'Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>' -IL 'http://localhost/a.sum'
HTTP/1.1 200 OK
Date: Fri, 09 Aug 2024 00:03:43 GMT
Server: Apache/2.4.37 (Rocky Linux)
Content-Length: 18
Content-Type: text/html
Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>; charset=UTF-8

5. Expected behavior

$ curl -H 'Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>' -IL 'http://localhost/a.sum'
HTTP/1.1 500 Internal Server Error
Date: Tue, 06 Aug 2024 20:31:00 GMT
Server: Apache/2.5.1-dev (Unix)
Content-Type: text/html; charset=iso-8859-1
Connection: close

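The security-relevant point of the reproduction above is the check that a patched server performs before serialising response headers: a header value that a content generator set from untrusted input must not carry CR, LF, NUL or any other control character, otherwise the bytes it contains become additional header lines (or a second response) on the wire. The following is an added example written for this page, not httpd's own code and not part of the report. It models a tiny response serialiser in its unchecked and checked forms; the sample header value is constructed with real CR/LF characters, and the 500 with `Connection: close` mirrors the expected behaviour shown in the comment rather than reproducing httpd's exact output.

```python
"""Response-header validation in the spirit of the httpd 2.4.59 fix.

Constructed example, not httpd code. `serialize_unchecked` writes header
values verbatim (the vulnerable behaviour); `serialize_checked` refuses
any header name or value that could not be emitted as a single header
line and answers 500 instead.
"""
import re

# Header-field grammar from RFC 9110: names are tokens, values carry no CTLs.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_CTL = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample: a value a handler might copy from an untrusted request
# header into a response header, containing actual CR and LF characters.
INJECTED_VALUE = "abc\r\nContent-Length: 8\r\n<p>a</p>; charset=UTF-8"

_REASONS = {200: "OK", 500: "Internal Server Error"}


def header_is_safe(name: str, value: str) -> bool:
    """True only if the pair can be emitted as exactly one header line."""
    return bool(_TOKEN.match(name)) and not _CTL.search(value)


def serialize_unchecked(status: int, headers: list, body: bytes) -> bytes:
    """Vulnerable form: trusts whatever the content generator set."""
    lines = [f"HTTP/1.1 {status} {_REASONS.get(status, '')}"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines += [f"Content-Length: {len(body)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("latin-1") + body


def serialize_checked(status: int, headers: list, body: bytes) -> bytes:
    """Hardened form: a malformed header aborts the response with a 500."""
    for name, value in headers:
        if not header_is_safe(name, value):
            error_headers = [("Content-Type", "text/html; charset=iso-8859-1"),
                             ("Connection", "close")]
            return serialize_unchecked(500, error_headers, b"")
    return serialize_unchecked(status, headers, body)


def status_of(raw: bytes) -> int:
    """Status code a downstream parser reads from the status line."""
    return int(raw.split(b" ", 2)[1])


def count_header_lines(raw: bytes) -> int:
    """Header lines a downstream parser sees before the blank line (status line excluded)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return len(head.split(b"\r\n")) - 1


if __name__ == "__main__":
    body = b"<p>hello</p>"
    bad = [("Content-Type", INJECTED_VALUE)]
    leaky = serialize_unchecked(200, bad, body)
    print("unchecked: status", status_of(leaky),
          "header lines seen:", count_header_lines(leaky), "(1 intended + Content-Length)")
    safe = serialize_checked(200, bad, body)
    print("checked:   status", status_of(safe),
          "header lines seen:", count_header_lines(safe))
```

Run as a script it prints the unchecked response being read as four header lines (two of them attacker-controlled, including a second `Content-Length`) while the checked path returns a 500 with three well-formed headers. The validation is deliberately applied to the whole header list at once, before any byte is written, so a rejected header cannot leave a partially sent response on the connection.
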
Comment 12 errata-xmlrpc 2024-09-24 11:43:32 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:6927 https://access.redhat.com/errata/RHSA-2024:6927

Comment 13 errata-xmlrpc 2024-09-24 11:48:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:6928 https://access.redhat.com/errata/RHSA-2024:6928

Comment 14 errata-xmlrpc 2024-11-12 09:14:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9306 https://access.redhat.com/errata/RHSA-2024:9306