Bug 1205138 - (CVE-2015-0248) CVE-2015-0248 subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20150331,repor...
Keywords: Security
Depends On: 1207724 1242733 1250012 1250021 1252262
Blocks: 1205182
Reported: 2015-03-24 06:14 EDT by Vasyl Kaigorodov
Modified: 2016-01-21 05:23 EST
Fixed In Version: Subversion 1.7.20, Subversion 1.8.13
Doc Type: Bug Fix
Doc Text:
An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash.
Last Closed: 2015-10-27 06:36:51 EDT

Attachments
Patch against 1.7.19 (4.56 KB, text/plain), 2015-03-24 08:01 EDT, Vasyl Kaigorodov
Patch against 1.8.11 (4.56 KB, text/plain), 2015-03-24 08:01 EDT, Vasyl Kaigorodov


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1633 normal SHIPPED_LIVE Moderate: subversion security update 2015-08-17 08:10:30 EDT
Red Hat Product Errata RHSA-2015:1742 normal SHIPPED_LIVE Moderate: subversion security update 2015-09-08 13:09:57 EDT

Description Vasyl Kaigorodov 2015-03-24 06:14:07 EDT
Summary:
========

  Subversion's mod_dav_svn and svnserve servers will trigger an assertion
  while processing some requests with special parameters, which are evaluated
  on the server side.  Assertion will cause svnserve process or the process
  hosting mod_dav_svn module (Apache) to abort.

  This can lead to a DoS.  There are no known instances of this problem
  being exploited in the wild, but an exploit has been tested.

Details:
========

  Subversion's http:// and svn:// protocol support includes certain request
  types with parameters, which are evaluated on the server side.  As an
  example, sometimes clients need to trace the history of the object to its
  origin, while not knowing the exact value of the origin (revision number)
  prior to issuing the request.

  Certain parameter combinations can exploit this behavior and force a server
  into attempting an operation with invalid arguments.  Subversion servers
  guard against these situations with assertion statements, and the default
  behavior for a failed assertion is to abort the current process.

Severity:
=========

  CVSSv2 Base Score: 5.0
  CVSSv2 Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

  We consider this to be a medium risk vulnerability.

  Apache HTTPD servers with repositories that allow anonymous reads will be
  vulnerable without authentication.  Many Apache servers will respawn the
  listener processes, but a determined attacker will be able to crash these
  processes as they appear, denying service to legitimate users.  Servers
  using threaded MPMs will close the connection on other clients being
  served by the same process that services the request from the attacker.
  In either case there is an increased processing impact of restarting a
  process and the cost of per process caches being lost.

  Exploiting this behavior against svnserve does not require an attacker to
  authenticate.  A remote attacker can cause svnserve process to terminate
  and thus deny service to users of the server.

  Unfortunately, no special configuration is required and all mod_dav_svn
  and svnserve servers are vulnerable.

Recommendations:
================

  No known workarounds are available.

Acknowledgements:

Red Hat would like to thank the Apache Software Foundation for reporting this issue. Upstream acknowledges Evgeny Kotkov of VisualSVN as the original reporter.
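
Added example, not part of the bug report or of Subversion: since no workaround is listed, an operator of an unpatched httpd/mod_dav_svn server can at least detect the crash-and-respawn pattern described under "Severity" by watching the error log for child processes that exit on SIGABRT, the signal raised when a failed assertion aborts the process. The log lines are constructed samples in the default httpd 2.4 error-log format; the threshold and window are assumed values to tune per site.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in httpd 2.4 default error-log format (not from the bug report).
SAMPLE_LOG = """\
[Tue Mar 31 10:00:01.120000 2015] [core:notice] [pid 900] AH00052: child pid 1201 exit signal Aborted (6)
[Tue Mar 31 10:00:05.480000 2015] [core:notice] [pid 900] AH00052: child pid 1188 exit signal Segmentation fault (11)
[Tue Mar 31 10:00:09.310000 2015] [core:notice] [pid 900] AH00052: child pid 1202 exit signal Aborted (6)
[Tue Mar 31 10:00:14.050000 2015] [core:notice] [pid 900] AH00052: child pid 1203 exit signal Aborted (6)
[Tue Mar 31 10:00:20.770000 2015] [core:notice] [pid 900] AH00052: child pid 1204 exit signal Aborted (6)
[Tue Mar 31 10:07:30.000000 2015] [core:notice] [pid 900] AH00052: child pid 1300 exit signal Aborted (6)
"""

# Parent-process notice that a child died on SIGABRT, which is what a failed
# assertion's abort() raises. Exits on other signals (e.g. SIGSEGV) are ignored.
ABORT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[a-z_]+:notice\] \[pid \d+(?::tid \d+)?\] "
    r"AH00052: child pid (?P<child>\d+) exit signal Aborted \(6\)"
)

def parse_aborts(log_text):
    """Return (timestamp, child_pid) for every SIGABRT child exit in the log."""
    events = []
    for line in log_text.splitlines():
        m = ABORT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
            events.append((ts, int(m.group("child"))))
    return events

def crash_loop_alerts(events, threshold=3, window=timedelta(seconds=60)):
    """Return timestamps at which >= threshold aborts fall in the trailing window."""
    alerts, recent = [], []
    for ts, _pid in sorted(events):
        # Keep only aborts still inside the window, then add the current one.
        recent = [t for t in recent if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts

if __name__ == "__main__":
    for ts in crash_loop_alerts(parse_aborts(SAMPLE_LOG)):
        print("possible assertion crash loop at", ts.isoformat())
```

A single abort is not alerted on; only a burst within the window is, which matches the report's description of children being crashed as they respawn. svnserve is not covered here because its logging depends on how it is launched.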
Comment 1 Vasyl Kaigorodov 2015-03-24 08:01:22 EDT
Created attachment 1005808 [details]
Patch against 1.7.19
Comment 2 Vasyl Kaigorodov 2015-03-24 08:01:34 EDT
Created attachment 1005809 [details]
Patch against 1.8.11
Comment 3 Martin Prpič 2015-03-31 10:48:59 EDT
External References:

https://subversion.apache.org/security/CVE-2015-0248-advisory.txt
Comment 4 Martin Prpič 2015-03-31 10:50:26 EDT
Created subversion tracking bugs for this issue:

Affects: fedora-all [bug 1207724]
Comment 9 Fedora Update System 2015-07-28 21:53:51 EDT
subversion-1.8.13-7.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2015-08-17 04:10:58 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1633 https://rhn.redhat.com/errata/RHSA-2015-1633.html
Comment 15 errata-xmlrpc 2015-09-08 09:10:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1742 https://rhn.redhat.com/errata/RHSA-2015-1742.html
Comment 16 Siddharth Sharma 2015-10-27 06:36:51 EDT
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
