Red Hat Bugzilla – Bug 1243887
CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
Last modified: 2017-03-10 07:51:48 EST
Apache HTTP Server 2.4.16 release fixes the following issue: *) SECURITY: CVE-2015-3183 (cve.mitre.org) core: Fix chunk header parsing defect. Remove apr_brigade_flatten(), buffering and duplicated code from the HTTP_IN filter, parse chunks in a single pass with zero copy. Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters. [Graham Leggett, Yann Ylavic] External References: http://www.apache.org/dist/httpd/CHANGES_2.4.16
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1243894]
httpd-2.4.16-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue was actually fixed in version 2.4.14. However, as versions 2.4.14 and 2.4.15 were not released, 2.4.16 is the first released upstream version that includes the fix. This issue was also fixed in 2.2.31. Upstream commits in 2.4.x and 2.2.x branches: https://svn.apache.org/viewvc?view=revision&revision=1684515 https://svn.apache.org/viewvc?view=revision&revision=1687338 External References: http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16 http://httpd.apache.org/security/vulnerabilities_22.html#2.2.31
httpd-2.4.16-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
Upstream patch is rather invasive and includes a rewrite of chunked encoding parsing that was applied to upstream trunk in 2013. There are few changes that make parsing more strict, but it does not seem the specific attack vector that was reported upstream was made public. These fixes, in general, apply to all httpd versions as shipped in currently supported Red Hat Enterprise Linux versions. Assuming the httpd is used as the target host that serves malicious HTTP requests, disabling keep-alive (via KeepAlive Off configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd. As disabling keep-alive may be undesired for performance reasons, alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests with Transfer-Encoding: chunked HTTP header: RewriteEngine on RewriteCond %{HTTP:Transfer-Encoding} ^chunked$ RewriteRule .* - [R=400] This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for increase in the number requests ending with HTTP error code 400 (Bad Request), which may indicate clients actually trying to use chunked encoded requests.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2015:1668 https://rhn.redhat.com/errata/RHSA-2015-1668.html
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS Via RHSA-2015:1666 https://rhn.redhat.com/errata/RHSA-2015-1666.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:1667 https://rhn.redhat.com/errata/RHSA-2015-1667.html
Mitigation: Disabling keep-alive (via the "KeepAlive Off" configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd. As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header: RewriteEngine on RewriteCond %{HTTP:Transfer-Encoding} ^chunked$ RewriteRule .* - [R=400] This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.
This issue has been addressed in the following products: JBoss Web Server 3.0.2 Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html
This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660
This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659
This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html
This issue has been addressed in the following products: JBEWS 2 for RHEL 7 JBEWS 2 for RHEL 6 JBEWS 2 for RHEL 5 Via RHSA-2016:0061 https://rhn.redhat.com/errata/RHSA-2016-0061.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.10 Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html