Bug 1142573 - (CVE-2014-3616) CVE-2014-3616 nginx: virtual host confusion
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
impact=moderate,public=20140806,repor...
: Security
Depends On: 1142575 1142576 1142661
Blocks: 1142578
Reported: 2014-09-17 00:48 EDT by Murray McAllister
Modified: 2015-01-04 17:41 EST

Doc Type: Bug Fix
Last Closed: 2014-11-12 03:37:02 EST
Description Murray McAllister 2014-09-17 00:48:55 EDT
Antoine Delignat-Lavaud and Karthikeyan Bhargavan discovered a virtual host confusion issue in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking a user into visiting a malicious URL, and so on.

The upstream changelog describes the issue as:

""
it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks
""

Full details and some mitigation strategies are available in their paper:

http://bh.ht.vc/vhost_confusion.pdf

It is reported that this issue affected nginx versions 0.5.6 to 1.7.4, and has been fixed in the 1.6.2 and 1.7.5 releases:

http://mailman.nginx.org/pipermail/nginx-announce/2014/000147.html

Upstream patch:

http://trac.nginx.org/nginx/changeset/5841/nginx

External References:

http://bh.ht.vc/vhost_confusion.pdf
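
An added example, not part of the original report and not nginx code: a defensive audit that checks an upstream version string against the range quoted above and lists TLS `server` blocks that end up sharing a session cache zone or ticket key file, the condition the changelog names. The sample configuration, host names and key path are constructed, and the parser assumes plain `http`/`server` nesting with no `include` directives.

```python
import re
WATCHED = ("listen", "ssl", "server_name", "ssl_session_cache", "ssl_session_ticket_key")

def upstream_affected(version):
    # Range from the bug text (0.5.6 to 1.7.4; fixed in 1.6.2, 1.7.5). Upstream versions only:
    # the distro builds listed in this bug carry backports under older version numbers.
    v = tuple(int(p) for p in version.split("."))
    return (0, 5, 6) <= v <= (1, 7, 4) and not ((1, 6, 2) <= v < (1, 7, 0))

def shared_session_state(conf):
    # Returns {resource: [server_name, ...]} for each cache zone or ticket key file used by 2+ TLS servers.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    stack, stmt, http, servers = [], [], {}, []
    for tok in tokens:
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        ctx = http if stack == ["http"] else servers[-1] if stack == ["http", "server"] else None
        if tok == ";" and ctx is not None and stmt and stmt[0] in WATCHED:
            ctx.setdefault(stmt[0], []).extend(stmt[1:])
        elif tok == "{":
            stack.append(stmt[0] if stmt else "")
            if stack == ["http", "server"]:
                servers.append({})
        elif tok == "}":
            del stack[-1:]
        stmt = []
    users = {}
    for srv in servers:
        eff = {**http, **srv}  # a server-level directive overrides the http-level one
        if "ssl" not in eff.get("listen", []) and eff.get("ssl") != ["on"]:
            continue  # not a TLS server block
        name = " ".join(eff.get("server_name", ["(unnamed)"]))
        for arg in eff.get("ssl_session_cache", []):
            if arg.startswith("shared:"):
                users.setdefault("cache " + arg.split(":")[1], []).append(name)
        for key in eff.get("ssl_session_ticket_key", []):
            users.setdefault("ticket_key " + key, []).append(name)
    return {res: names for res, names in users.items() if len(names) > 1}

# Constructed sample configuration (names and paths are placeholders).
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;   # inherited by a.example and b.example
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example; ssl_session_ticket_key /etc/nginx/t.key; }
    server { listen 443 ssl; server_name c.example; ssl_session_cache shared:C:5m; ssl_session_ticket_key /etc/nginx/t.key; }
    server { listen 80; server_name d.example; }
}
"""
```

Calling `shared_session_state(SAMPLE_CONF)` reports the `SSL` zone shared by a.example and b.example and the key file shared by b.example and c.example; an empty result means no sharing was found in the text that was parsed.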
Comment 1 Murray McAllister 2014-09-17 00:50:38 EDT
Created nginx tracking bugs for this issue:

Affects: fedora-all [bug 1142575]
Affects: epel-all [bug 1142576]
Comment 5 Fedora Update System 2014-09-29 21:53:24 EDT
nginx-1.6.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2014-10-10 11:59:39 EDT
nginx-1.4.7-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-10-10 12:07:47 EDT
nginx-1.4.7-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-10-23 12:06:40 EDT
nginx-1.6.2-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Tomas Hoger 2014-11-06 03:56:47 EST
This issue affected the nginx14-nginx packages as shipped in Red Hat Software Collections 1.  This collection was replaced by the nginx16 collection in Red Hat Software Collections 1.2, which includes a fix for this issue.  The nginx14-nginx packages are no longer supported and will not be fixed.

https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-RHSCL.html#sect-RHSCL-Changes
https://access.redhat.com/documentation/en-US/Red_Hat_Software_Collections/1/html/1.2_Release_Notes/chap-Migration.html#sect-Migration-Migrate_nginx
Comment 11 Fedora Update System 2014-11-09 10:39:30 EST
nginx-1.0.15-10.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
