Bug 850776 (CVE-2012-3502)

Summary: CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure due improper management of back end server connection close within error handling
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jkaluza, jorton, pahan, pcheung
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httpd 2.4.3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-23 10:39:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 850799    

Description Jan Lieskovsky 2012-08-22 12:06:50 UTC 
An information disclosure flaw was found in the way mod_proxy_ajp (AJP routines module for Apache proxy) and mod_proxy_http (HTTP routines module for Apache proxy) of httpd, the Apache HTTP server, performed management of connections to the back end server. When an error occurred, relevant connection to the back end server was not closed properly as expected. A remote attacker could issue a specially-crafted mod_proxy_ajp / mod_proxy_http request that, when processed could lead to information disclosure.

Upstream bug report:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=53727

Relevant upstream patch:
[2] http://svn.apache.org/viewvc?view=revision&revision=1374297

Upstream security page (covering also this issue):
[3] http://httpd.apache.org/security/vulnerabilities_24.html

References:
[4] http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
[5] http://www.apache.org/dist/httpd/CHANGES_2.4.3
Comment 2 Jan Lieskovsky 2012-08-22 12:53:05 UTC 
Reproducer from upstream bug (untested):

1. Create a simple web app and serve it with ajp
2. In the web app, create a normal page (with .js, .css, and images), then craft a slow page that only returns a response after 1 second
3. Setup a reversed proxy to the web app with mod_proxy_ajp (a plain ProxyPass line)
4. Enable mod_deflate for the usual content types
5. Open Firefox, go to about:config, and set network.http.accept-encoding from "gzip, deflate" to an empty string
6. Restart Firefox, clear cache
7. With Firefox, access the normal page and let it load to completion, then access the slow page and press "Ctrl-W" to close the tab before the response is returned
8. Open Chrome, clear cache
9. With Chrome, access the normal page and see things go haywire, e.g. a request for a .js file will receive a response of image/png
Comment 5 Jan Lieskovsky 2012-08-23 10:24:49 UTC 
This issue did NOT affect the versions of the httpd package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the version of the httpd package, as shipped with
JBoss Enterprise Web Server 1.

--

This issue did NOT affect the version of the httpd package, as shipped with
JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue did NOT affect the versions of the httpd package, as shipped with
Fedora release of 16 and 17.
Comment 6 Jan Lieskovsky 2012-08-23 10:38:00 UTC 
Statement:

Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4, 5, and 6, JBoss Enterprise Web Server 1, and JBoss Enterprise Application Server 6.
Comment 8 Jan Lieskovsky 2012-08-23 11:17:24 UTC 
The httpd 2.2.x versions are not affected by this issue because the 'close' member (flag handling the connection close) in the underlying 'proxy_conn_rec' structure is implemented as plain C integer yet, rather than a bitfield.