Bug 1142573 (CVE-2014-3616) - CVE-2014-3616 nginx: virtual host confusion
Summary: CVE-2014-3616 nginx: virtual host confusion
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-3616
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1142575 1142576 1142661
Blocks: 1142578
Reported: 2014-09-17 04:48 UTC by Murray McAllister
Modified: 2021-02-17 06:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-11-12 08:37:02 UTC
Embargoed:



Description Murray McAllister 2014-09-17 04:48:55 UTC
Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.

The upstream changelog describes the issue as:

""
it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks
""

Full details and some mitigation strategies are available in their paper:

http://bh.ht.vc/vhost_confusion.pdf

It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases:

http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Upstream patch:

http://trac.nginx.org/nginx/changeset/5841/nginx

External References:

http://bh.ht.vc/vhost_confusion.pdf
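
As an added illustration (not part of the bug report and not nginx code), the following Python example audits a configuration for the condition the upstream changelog names: several "server" blocks using the same shared SSL session cache zone or the same TLS session ticket key file. The configuration, host names and file paths are constructed, and the parser assumes a single file without quoted strings or `include` directives.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;   # inherited by every server below
    server {
        server_name shop.example;
        ssl_session_ticket_key /etc/nginx/tickets/common.key;
    }
    server {
        server_name blog.example;
        ssl_session_ticket_key /etc/nginx/tickets/common.key;
    }
    server {
        server_name admin.example;
        ssl_session_cache shared:ADMIN:1m;
        ssl_session_ticket_key /etc/nginx/tickets/admin.key;
    }
}
"""

def shared_session_state(conf):
    """Return {cache zone or ticket key: [server names]} for state used by 2+ servers."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    stack, words, users = [("main", {})], [], defaultdict(set)
    for tok in tokens:
        if tok == "{":                      # open a block named by its first word
            stack.append((words[0] if words else "", {}))
            words = []
        elif tok == ";":                    # end of a directive: record it in this scope
            if words:
                stack[-1][1].setdefault(words[0], []).extend(words[1:])
            words = []
        elif tok != "}":
            words.append(tok)
        else:                               # closing brace: evaluate finished server blocks
            block, own = stack.pop()
            if block != "server":
                continue
            name = " ".join(own.get("server_name", [])) or "(unnamed)"
            scopes = [own] + [s for _, s in reversed(stack)]
            for directive in ("ssl_session_cache", "ssl_session_ticket_key"):
                # the nearest scope that sets the directive wins (inheritance)
                for arg in next((s[directive] for s in scopes if directive in s), []):
                    if directive == "ssl_session_ticket_key":
                        users["ticket key " + arg].add(name)
                    elif arg.startswith("shared:"):
                        users["cache zone " + arg.split(":")[1]].add(name)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}
```

Calling `shared_session_state(SAMPLE_CONF)` reports the `SSL` cache zone and `common.key` as shared by `shop.example` and `blog.example`, while `admin.example`, which has its own zone and key, is not listed.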

Comment 1 Murray McAllister 2014-09-17 04:50:38 UTC
Created nginx tracking bugs for this issue:

Affects: fedora-all [bug 1142575]
Affects: epel-all [bug 1142576]

Comment 5 Fedora Update System 2014-09-30 01:53:24 UTC
nginx-1.6.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-10-10 15:59:39 UTC
nginx-1.4.7-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2014-10-10 16:07:47 UTC
nginx-1.4.7-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-10-23 16:06:40 UTC
nginx-1.6.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Tomas Hoger 2014-11-06 08:56:47 UTC
This issue affected the nginx14-nginx packages as shipped in Red Hat Software Collections 1.  This collection was replaced by the nginx16 collection in Red Hat Software Collections 1.2, which includes a fix for this issue.  The nginx14-nginx packages are no longer supported and will not be fixed.

https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes
https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-Migration.html#sect-Migration-Migrate_nginx

Comment 11 Fedora Update System 2014-11-09 15:39:30 UTC
nginx-1.0.15-10.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

