| Field | Value |
|---|---|
| Summary | CVE-2012-0053 httpd: cookie exposure due to error responses |
| Product | [Other] Security Response |
| Reporter | Vincent Danen <vdanen> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Version | unspecified |
| CC | bmorriso, csutherl, davids, denis.kosierk, jawilson, jkaluza, jlieskov, john.willis, jorton, mjc, pahan, prc, rhui |
| Fixed In Version | httpd 2.2.22 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2012-05-07 19:37:06 UTC |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Bug Depends On | 746695, 746696, 746697, 785070, 787596, 787597, 787598, 787599 |
Description Vincent Danen 2012-01-27 06:27:17 UTC
A flaw was found in the default error response for status code 400. This could be used by an attacker to expose "httpOnly" cookies, when no custom ErrorDocument was specified. This affects all versions of Apache from 2.2.0 up to and including 2.2.21. It will be fixed upstream in 2.2.22 (via r1235454): http://svn.apache.org/viewvc?view=revision&revision=1235454
Comment 1 Vincent Danen 2012-01-27 06:33:29 UTC
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 785070]
Comment 2 Kurt Seifried 2012-01-28 06:13:41 UTC
Name: CVE-2012-0053

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request (aka 400) error documents, which allows remote attackers to obtain the values of HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in conjunction with crafted web script.
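The description and the CVE text above both describe the same leak: an error document that reproduces the request's Cookie header hands an HttpOnly cookie to any script that can read the response body. The following is an added example, not code from httpd or from this report, that a defender can run over a captured error response to check whether any cookie from the request is echoed back; the two 400 responses it uses are constructed samples, not copies of any httpd release's output.

```python
"""Check whether an HTTP error document echoes request cookies.

Added example for this bug report; not code from httpd or from the report.
The sample 400 responses below are constructed for illustration.
"""


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def leaked_cookies(raw_response: bytes, cookie_header: str):
    """Return the name=value pairs from the request's Cookie header that
    appear verbatim in an error (4xx/5xx) response body.

    HttpOnly hides a cookie from document.cookie, but if the error page
    reflects the raw Cookie header, script that reads the response body
    sees it anyway. Successful responses are not inspected here.
    """
    status, _, body = parse_response(raw_response)
    if status < 400:
        return []
    pairs = [p.strip() for p in cookie_header.split(";") if p.strip()]
    return [p for p in pairs if p in body]


# Constructed request: one HttpOnly-style session cookie plus a long
# padding cookie, the kind of request that draws a 400 for header size.
REQUEST_COOKIE = "SESSID=secret-value; pad=" + "A" * 64

HTTP_400_HEAD = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"

# Constructed sample of an error page that echoes the offending header line.
ECHOING_400 = (HTTP_400_HEAD + b"<html><body><h1>Bad Request</h1>"
               b"<p>Size of a request header field exceeds server limit.</p>"
               b"<pre>Cookie: " + REQUEST_COOKIE.encode() + b"</pre></body></html>")

# Constructed sample of an error page that states the reason without the data,
# which is what a custom ErrorDocument 400 should look like.
SILENT_400 = (HTTP_400_HEAD + b"<html><body><h1>Bad Request</h1>"
              b"<p>Size of a request header field exceeds server limit.</p>"
              b"</body></html>")
```

The report notes that a custom ErrorDocument for status 400 sidesteps the default page; running this check against your own 400 response is a quick way to confirm that the custom document does not reintroduce the echo.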
Comment 4 Tomas Hoger 2012-01-29 14:52:53 UTC
Comment 5 Tomas Hoger 2012-02-01 08:20:33 UTC
Write-up of the issue for the original reporter: http://fd.the-wildcat.de/apache_e36a9cf46c.php

It confirms the analysis above (comment #4).
Comment 9 errata-xmlrpc 2012-02-13 20:34:32 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0128 https://rhn.redhat.com/errata/RHSA-2012-0128.html
Comment 10 Denis 2012-02-20 14:29:13 UTC
Is httpd-2.2.3-53 impacted by the issue? (RHEL 5)
Comment 11 Jan Lieskovsky 2012-02-20 15:03:40 UTC
(In reply to comment #10)
> Is httpd-2.2.3-53 impacted by the issue? (RHEL 5)

This issue affects the version of the httpd package as shipped with Red Hat Enterprise Linux 5.
Comment 12 john.willis 2012-02-20 20:59:20 UTC
(In reply to comment #11)

Can you clarify? Does this mean the issue has been resolved as of httpd-2.2.3-53, or that the issue has not been addressed? CVE Mitre currently points at this bug tracker thread for updates and resolutions and has not marked it definitively resolved.

Thanks
Comment 13 errata-xmlrpc 2012-02-21 21:58:20 UTC
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:0323 https://rhn.redhat.com/errata/RHSA-2012-0323.html
Comment 14 Vincent Danen 2012-02-21 22:58:02 UTC
(In reply to comment #12)
> (In reply to comment #11)
>
> Can you clarify?
>
> Does this mean the issue has been resolved as of httpd-2.2.3-53 or that the
> issue has not been addressed.

John, it has been resolved now via RHSA-2012:0323. Previously it was vulnerable.
Comment 15 bmorriso 2012-02-27 16:34:48 UTC
Hi,

Any information on the status of the EWS fixes for this CVE?
Comment 17 Jan Lieskovsky 2012-03-07 15:50:42 UTC
(In reply to comment #15)
> Hi,
>
> Any information on the status of the EWS fixes for this CVE?

Hi Blair,

We are working towards addressing this issue in various versions of JBoss Enterprise Web Server too. But unfortunately, as of right now, we are unable to provide an exact release date for when the updates can be expected (as the final date is subject to change depending on a couple of internal conditions).

Hope the above is sufficient and helpful. Apologies, but I can't provide more exact information.

Regards, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 19 Tomas Hoger 2012-03-09 15:28:25 UTC
Statement:

This issue affects httpd packages as shipped with Red Hat Enterprise Linux 3 and 4, which are now in the Extended Life Phase of their life cycle. Therefore this issue is not planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/
Comment 24 Mark J. Cox 2012-04-05 08:45:37 UTC
Note that this issue does affect Apache 2.0 despite the Mitre CVE description.

Verification: https://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?view=diff&r1=1237164&r2=1237165&pathrev=1237165
Comment 27 Coty Sutherland 2012-05-01 16:43:10 UTC
Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?
Comment 28 Coty Sutherland 2012-05-01 16:47:20 UTC
Sorry, this isn't a tomcat issue, I meant to inquire about EWS 1.0.2's Apache (2.2.17)...
Comment 30 errata-xmlrpc 2012-05-07 18:51:14 UTC
This issue has been addressed in the following products:

JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:0543 https://rhn.redhat.com/errata/RHSA-2012-0543.html
Comment 31 errata-xmlrpc 2012-05-07 19:17:36 UTC
This issue has been addressed in the following products:

JBEWS 1.0 for RHEL 5
JBEWS 1.0 for RHEL 6

Via RHSA-2012:0542 https://rhn.redhat.com/errata/RHSA-2012-0542.html
Comment 32 Tomas Hoger 2012-07-27 07:15:59 UTC