Bug 871685 (CVE-2012-4557)

Summary: CVE-2012-4557 httpd: mod_proxy_ajp worker moved to error state when timeout exceeded
Product: [Other] Security Response
Reporter: David Jorm <djorm>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jkaluza, jlieskov, jorton, mjc, pahan, pcheung, webstack-team, williama_lovaton
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: httpd 2.2.22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-02-22 04:48:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 864317
Bug Blocks: 855229, 871687

Description David Jorm 2012-10-31 03:54:13 UTC
When mod_proxy_ajp sends a request to a worker node and the time to process that request exceeds the configured timeout, the worker node will be marked as in the error state, stopping all traffic to the node until it is flagged as up again. A remote attacker could use this flaw to trigger a temporary denial of service attack, provided they were able to create a request that caused sufficient processing time to exceed the timeout threshold.

Comment 2 Tomas Hoger 2012-10-31 08:12:31 UTC
References:

http://svn.apache.org/viewvc?view=revision&revision=1227298
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.22

According to upstream security page, this affected versions 2.2.12 - 2.2.21.

Comment 3 Jan Lieskovsky 2012-10-31 15:50:09 UTC
This issue affected the version of the httpd package as shipped with Red Hat Enterprise Linux 6.  The httpd version in Red Hat Enterprise Linux 5 was not affected.

--

This issue affected the version of the httpd package as shipped with JBoss Enterprise Web Server 1, but it was already corrected in version 1.0.2.

--

The httpd packages in current Fedora versions (F16 and F17) already contain the fixed upstream version.

Comment 6 Jan Lieskovsky 2012-10-31 16:52:36 UTC
Statement:

This issue did not affect the version of httpd as shipped with Red Hat Enterprise Linux 5.

Comment 7 David Jorm 2012-11-05 04:48:39 UTC
This flaw was previously fixed in JBoss Enterprise Web Server (EWS) 1.0.2:

https://issues.jboss.org/browse/MODCLUSTER-226

The fix is incorporated via httpd-MODCLUSTER-226.patch.

Comment 9 Tomas Hoger 2012-11-07 09:48:15 UTC
This issue is relevant when proxy_ajp is used with proxy balancer.  This may allow an attacker who is able to trigger the timeout to cause the balancer to treat backend servers as failed, causing it to stop forwarding requests to those servers until the recovery timeout elapses.  As a consequence, all traffic can be sent to a single backend, degrading performance of the load-balanced web site.

If all backend servers are put into an error state, the httpd version in Red Hat Enterprise Linux 6 will move one backend out of the error state, so normal requests can still be served.

The balancer behavior in the httpd version in Red Hat Enterprise Linux 5 is different.  Backend error states are cleared with each request to the balancer.  Hence this bug has no security impact on Red Hat Enterprise Linux 5.
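
As an added example (not from the bug report and not httpd's own code), a small Python model of the balancer behaviour described in comment 9: timing-out requests put workers into an error state (vulnerable mod_proxy_ajp) or do not (fixed), with the RHEL 6 "revive one worker" and RHEL 5 "clear errors on every request" variants as switches. The least-served selection, the 60-second retry, the 30-second timeout and the three-worker pool are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass
class Worker:
    name: str
    error_until: float = 0.0  # absolute time until which the worker stays in error state
    served: int = 0

class Balancer:
    def __init__(self, workers, timeout_marks_error=True, clear_on_request=False):
        self.workers = workers
        self.retry = 60.0                               # seconds a failed worker stays down (assumed)
        self.timeout_marks_error = timeout_marks_error  # True: vulnerable ajp; False: fixed
        self.clear_on_request = clear_on_request        # RHEL 5 behaviour from comment 9

    def pick(self, now):
        if self.clear_on_request:
            for w in self.workers:
                w.error_until = 0.0
        up = [w for w in self.workers if w.error_until <= now]
        if not up:                      # RHEL 6 behaviour: revive one worker if all failed
            self.workers[0].error_until = 0.0
            up = [self.workers[0]]
        return min(up, key=lambda w: w.served)   # least-served worker, ties by list order

    def handle(self, now, backend_time, timeout=30.0):
        w = self.pick(now)
        w.served += 1
        if backend_time > timeout:      # backend exceeded the configured worker timeout
            if self.timeout_marks_error:
                w.error_until = now + self.retry
            return "502", w.name        # client sees "Error reading from remote server"
        return "200", w.name

def run_scenario(timeout_marks_error=True, clear_on_request=False,
                 slow_requests=3, normal_requests=9):
    # Send requests that exceed the timeout, then normal ones; count who served the latter.
    workers = [Worker("A"), Worker("B"), Worker("C")]    # constructed three-worker pool
    lb = Balancer(workers, timeout_marks_error, clear_on_request)
    now = 0.0
    for _ in range(slow_requests):
        lb.handle(now, backend_time=45.0)
        now += 1.0
    served = {w.name: 0 for w in workers}
    for _ in range(normal_requests):
        _, name = lb.handle(now, backend_time=0.5)
        now += 1.0
        served[name] += 1
    return served   # vulnerable: {'A': 9, 'B': 0, 'C': 0}; fixed: {'A': 3, 'B': 3, 'C': 3}
```

`run_scenario(True)` shows the whole pool collapsing onto worker A after three timing-out requests, while `run_scenario(False)` (fixed) and `run_scenario(True, True)` (RHEL 5 clearing) keep distributing the normal requests.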

Comment 10 William Lovaton 2013-01-04 22:56:51 UTC
Hi Tomas, would you think this could happen with mod_proxy_http too? I'm experiencing a similar problem to the one you describe in comment 9, but I'm balancing through http, not ajp.

It can take several days to appear: everything is working fine when, all of a sudden, the balancer-manager page shows that the workers lost their routes and Apache is only using one of the backends. I tried to readjust the configuration directly in the page but it doesn't work; I have to make a full restart (graceful doesn't work either).

Comment 11 errata-xmlrpc 2013-02-21 10:10:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0512 https://rhn.redhat.com/errata/RHSA-2013-0512.html

Comment 13 Tomas Hoger 2013-02-25 10:22:06 UTC
(In reply to comment #10)
> Hi Tomas, would you think this could happen with mod_proxy_http too? I'm
> experiencing a similar problem you describe in comment 9 but I'm balancing
> through http not ajp.

From a quick test and a look at the mod_proxy_http code, I see that a timeout of the http request leads to the "Error reading from remote server" error being sent to the client, without putting the backend server into an error state. This mod_proxy_ajp fix makes it behave the same way.

Additionally, this problem is not persistent and the error state is cleared rather shortly.  It requires the attacker to keep sending timing-out requests to put most backends into an error state.