Bug 740045 (CVE-2011-3368)
Summary: | CVE-2011-3368 httpd: reverse web proxy vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | bhoefer, jlieskov, jorton, mehmetgelisin, mishu, mjc, mkarg, moshiro, prc, security-response-team, shsaha, wnefal+redhatbugzilla |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | httpd 2.2.22 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2012-05-07 19:34:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 743659, 743901, 743902, 743903, 743904, 746695, 746696, 746697, 785070 | ||
Bug Blocks: | 736705 |
Description
Vincent Danen
2011-09-20 19:13:37 UTC
Part of the problem is that httpd documentation was giving a bad example, that is probably going to get corrected in future upstream releases: http://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_p RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P] This flaw is now public, and has been fixed in svn: http://svn.apache.org/viewvc?view=revision&revision=1179239 The full upstream advisory is as follows (noted because it contains mitigation information): Apache HTTP Server Security Advisory ==================================== Title: mod_proxy reverse proxy exposure CVE: CVE-2011-3368 Date: 20111005 Product: Apache HTTP Server Versions: httpd 1.3 all versions, httpd 2.x all versions Description: ============ An exposure was reported affecting the use of Apache HTTP Server in reverse proxy mode. We would like to thank Context Information Security Ltd for reporting this issue to us. When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests. The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL. For future releases of the Apache HTTP Server, the software will validate the request URI, correcting this specific vulnerability. The documentation has been updated to reflect the more general risks with pattern matching in a reverse proxy configuration. Details: ======== A configuration like one of the following examples: RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P] ProxyPassMatch (.*)\.(jpg|gif|png) http://images.example.com$1.$2 could result in an exposure of internal servers. A request of the form: GET @other.example.com/something.png HTTP/1.1 would get translated to a target of: http://images.example.com@other.example.com/something.png This will cause the proxy to connect to the hostname "other.example.com", as the "images.example.com@" segment would be treated as user credentials when parsing the URL. This would allow a remote attacker the ability to proxy to hosts other than those expected, which could be a security exposure in some circumstances. The request-URI string in this example, "@other.example.com/something.png", is not valid according to the HTTP specification, since it neither an absolute URI ("http://example.com/path") nor an absolute path ("/path"). For future releases, the server has been patched to reject such requests, instead returning a "400 Bad Request" error. Actions: ======== Apache HTTPD users should examine their configuration files to determine if they have used an insecure configuration for reverse proxying. Affected users can update their configuration, or apply the patch from: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/ For example, the above RewriteRule could be changed to: RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P] to ensure the pattern only matches against paths with a leading "/". Created httpd tracking bugs for this issue Affects: fedora-all [bug 743653] (In reply to comment #1) > Part of the problem is that httpd documentation was giving a bad example, that > is probably going to get corrected in future upstream releases: > > http://httpd.apache.org/docs/2.2/rewrite/flags.html#flag_p > RewriteRule (.*)\.(jpg|gif|png) http://images.example.com$1.$2 [P] The example was changed to: RewriteRule /(.*)\.(jpg|gif|png) http://images.example.com/$1.$2 [P] via: http://svn.apache.org/viewvc?view=revision&revision=1179283 External References: http://www.contextis.com/research/blog/reverseproxybypass/ Acknowledgement: Red Hat would like to thank Context Information Security for reporting this issue. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 4 Via RHSA-2011:1392 https://rhn.redhat.com/errata/RHSA-2011-1392.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:1391 https://rhn.redhat.com/errata/RHSA-2011-1391.html The upstream fix for this issue is here: http://svn.apache.org/viewvc?view=revision&revision=1179239 However that fix is insufficient as it does not handle HTTP 0.9 style requests (as noted via https://bugzilla.novell.com/show_bug.cgi?id=722545#c15). The additional fix to handle HTTP 0.9 requests is here: http://svn.apache.org/viewvc?view=revision&revision=1188745 Sorry, I didn't realize we had already filed a bug for the incomplete fix (bug #752080). This issue has been addressed in following products: JBoss Enterprise Web Server 1.0.2 Via RHSA-2012:0543 https://rhn.redhat.com/errata/RHSA-2012-0543.html This issue has been addressed in following products: JBEWS 1.0 for RHEL 5 JBEWS 1.0 for RHEL 6 Via RHSA-2012:0542 https://rhn.redhat.com/errata/RHSA-2012-0542.html |