Bug 1243887 (CVE-2015-3183) - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3183
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1243894 1249799 1249800 1249801 1249802 1249803 1249804 1257425 1257426 1257450 1257451
Blocks: 1243893 1286624 1290842
Reported: 2015-07-16 13:58 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:35 UTC (History)

Fixed In Version: httpd 2.2.31, httpd 2.4.16
Doc Type: Bug Fix
Doc Text:
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
Clone Of:
Environment:
Last Closed: 2017-03-10 12:51:48 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1666 0 normal SHIPPED_LIVE Moderate: httpd24-httpd security update 2015-08-24 19:56:41 UTC
Red Hat Product Errata RHSA-2015:1667 0 normal SHIPPED_LIVE Moderate: httpd security update 2015-08-24 22:25:52 UTC
Red Hat Product Errata RHSA-2015:1668 0 normal SHIPPED_LIVE Moderate: httpd security update 2015-08-24 19:37:28 UTC
Red Hat Product Errata RHSA-2015:2659 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:20:00 UTC
Red Hat Product Errata RHSA-2015:2660 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:19:47 UTC
Red Hat Product Errata RHSA-2015:2661 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.2 security update 2015-12-16 23:19:41 UTC
Red Hat Product Errata RHSA-2016:0061 0 normal SHIPPED_LIVE Moderate: httpd and httpd22 security update 2016-01-21 20:54:46 UTC
Red Hat Product Errata RHSA-2016:0062 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.1.0 security update 2018-02-15 23:12:52 UTC
Red Hat Product Errata RHSA-2016:2054 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 7 2017-03-23 22:23:49 UTC
Red Hat Product Errata RHSA-2016:2055 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.10 natives update on RHEL 6 2017-02-21 05:08:14 UTC
Red Hat Product Errata RHSA-2016:2056 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.10 update 2016-10-12 20:57:34 UTC

Description Vasyl Kaigorodov 2015-07-16 13:58:48 UTC
The Apache HTTP Server 2.4.16 release fixes the following issue:

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]

External References:

http://www.apache.org/dist/httpd/CHANGES_2.4.16
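The CHANGES entry above names two of the new parser rules: a chunk-size cap of 2^63-1 and strict chunk-ext characters. The following is an added illustration of that kind of strict chunk-header validation, written for this page and not taken from httpd; it follows a strict reading of the RFC 7230 chunk grammar and does not claim to match httpd's exact acceptance rules.

```python
import re

# Upper bound adopted by the upstream fix: chunk-size must fit in 2^63-1.
MAX_CHUNK_SIZE = 2**63 - 1

# RFC 7230 token characters (tchar), used for chunk-ext names and unquoted values.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string: printable/space characters, with backslash-escaped pairs allowed.
_QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\t !-~])*"'
# chunk-ext = *( ";" chunk-ext-name [ "=" ( token / quoted-string ) ] )
_CHUNK_EXT = re.compile(rf"^(?:;{_TCHAR}(?:=(?:{_TCHAR}|{_QUOTED}))?)*$")
_HEX = re.compile(r"^[0-9A-Fa-f]+")


class ChunkHeaderError(ValueError):
    """Raised for any chunk-size line that a strict parser must refuse."""


def parse_chunk_header(line: bytes) -> int:
    """Parse one chunk-size line (without its trailing CRLF) and return the size.

    Rejects non-ASCII bytes, a missing or non-hex size, leading/trailing
    whitespace (a classic source of disagreement between a proxy and the
    origin), sizes above MAX_CHUNK_SIZE, and chunk-ext text outside the grammar.
    """
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError:
        raise ChunkHeaderError("non-ASCII byte in chunk header")
    m = _HEX.match(text)
    if not m:
        raise ChunkHeaderError("chunk-size must start with a hex digit")
    size_hex = m.group(0)
    # More than 16 significant hex digits cannot fit in 63 bits; checking the
    # digit count first keeps a fixed-width implementation from overflowing.
    if len(size_hex.lstrip("0")) > 16:
        raise ChunkHeaderError("chunk-size too long")
    size = int(size_hex, 16)
    if size > MAX_CHUNK_SIZE:
        raise ChunkHeaderError("chunk-size exceeds 2^63-1")
    ext = text[len(size_hex):]
    if ext and not _CHUNK_EXT.match(ext):
        raise ChunkHeaderError("invalid chunk-ext")
    return size
```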

Comment 1 Vasyl Kaigorodov 2015-07-16 14:09:11 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1243894]

Comment 2 Fedora Update System 2015-07-21 08:12:13 UTC
httpd-2.4.16-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Tomas Hoger 2015-07-29 14:00:38 UTC
This issue was actually fixed in version 2.4.14.  However, as versions 2.4.14 and 2.4.15 were not released, 2.4.16 is the first released upstream version that includes the fix.  This issue was also fixed in 2.2.31.

Upstream commits in 2.4.x and 2.2.x branches:

https://svn.apache.org/viewvc?view=revision&revision=1684515
https://svn.apache.org/viewvc?view=revision&revision=1687338

External References:

http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16
http://httpd.apache.org/security/vulnerabilities_22.html#2.2.31

Comment 4 Fedora Update System 2015-07-30 00:51:40 UTC
httpd-2.4.16-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Tomas Hoger 2015-07-30 20:18:53 UTC
Upstream patch is rather invasive and includes a rewrite of chunked encoding parsing that was applied to upstream trunk in 2013.  There are a few changes that make parsing more strict, but it does not seem the specific attack vector that was reported upstream was made public.  These fixes, in general, apply to all httpd versions as shipped in currently supported Red Hat Enterprise Linux versions.

Assuming the httpd is used as the target host that serves malicious HTTP requests, disabling keep-alive (via KeepAlive Off configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd.

As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding.  Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used.  The following mod_rewrite rule will reject requests with the Transfer-Encoding: chunked HTTP header:

  RewriteEngine on
  RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
  RewriteRule .* - [R=400]

This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later.  If deployed, administrators should monitor httpd logs for an increase in the number of requests ending with HTTP error code 400 (Bad Request), which may indicate clients actually trying to use chunked encoded requests.

Comment 9 errata-xmlrpc 2015-08-24 15:38:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:1668 https://rhn.redhat.com/errata/RHSA-2015-1668.html

Comment 10 errata-xmlrpc 2015-08-24 15:57:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1666 https://rhn.redhat.com/errata/RHSA-2015-1666.html

Comment 11 errata-xmlrpc 2015-08-24 18:26:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1667 https://rhn.redhat.com/errata/RHSA-2015-1667.html

Comment 14 Fabio Olive Leite 2015-12-03 20:32:40 UTC
Mitigation:

Disabling keep-alive (via the "KeepAlive Off" configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd.

As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding.  Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used.  The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header:

  RewriteEngine on
  RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
  RewriteRule .* - [R=400]

This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later.  If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.
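Comments 5 and 14 both end with the advice to watch the access log for a rise in 400 responses after deploying the RewriteRule. The following is an added example of that monitoring, not part of the bug report or of httpd; it assumes the access log was written with a LogFormat extended by "%{Transfer-Encoding}i" as the last field, so rejections caused by the rule can be separated from other 400s and attributed to the client addresses that still send chunked requests.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed LogFormat (combined-style fields plus the Transfer-Encoding request header):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Transfer-Encoding}i\"" te
_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<te>[^"]*)"$'
)

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Dec/2015:20:30:01 +0000] "GET / HTTP/1.1" 200 1234 "-"
192.0.2.10 - - [03/Dec/2015:20:30:02 +0000] "POST /upload HTTP/1.1" 400 226 "chunked"
198.51.100.7 - - [03/Dec/2015:20:30:05 +0000] "POST /upload HTTP/1.1" 400 226 "chunked"
198.51.100.7 - - [03/Dec/2015:20:31:05 +0000] "POST /upload HTTP/1.1" 400 226 "Chunked"
203.0.113.5 - - [03/Dec/2015:20:31:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
203.0.113.5 - - [03/Dec/2015:20:31:30 +0000] "GET /broken HTTP/1.1" 400 226 "-"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "minute": when.strftime("%Y-%m-%d %H:%M"),
            "status": int(m.group("status")), "te": m.group("te").lower()}


def chunked_rejections(log_text):
    """Count 400 responses to requests that carried Transfer-Encoding: chunked.

    Returns (per_minute, per_client). Other 400s (plain malformed requests)
    are left out so the numbers reflect only the effect of the RewriteRule.
    """
    per_minute, per_client = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 400 and rec["te"] == "chunked":
            per_minute[rec["minute"]] += 1
            per_client[rec["host"]] += 1
    return dict(per_minute), dict(per_client)


def spikes(per_minute, baseline_per_minute, factor=3):
    """Minutes whose rejection count exceeds factor x the pre-deployment baseline."""
    return sorted(m for m, n in per_minute.items() if n > baseline_per_minute * factor)
```

Clients that appear in the per-client map repeatedly are the ones to contact before the rule is kept, since they may be legitimate users of chunked uploads.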

Comment 15 errata-xmlrpc 2015-12-16 18:21:38 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.2

Via RHSA-2015:2661 https://rhn.redhat.com/errata/RHSA-2015-2661.html

Comment 16 errata-xmlrpc 2015-12-16 18:22:18 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2015:2660 https://access.redhat.com/errata/RHSA-2015:2660

Comment 17 errata-xmlrpc 2015-12-16 18:23:01 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2015:2659 https://access.redhat.com/errata/RHSA-2015:2659

Comment 18 errata-xmlrpc 2016-01-21 15:57:49 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2016:0062 https://rhn.redhat.com/errata/RHSA-2016-0062.html

Comment 19 errata-xmlrpc 2016-01-21 15:58:44 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2016:0061 https://rhn.redhat.com/errata/RHSA-2016-0061.html

Comment 20 errata-xmlrpc 2016-10-12 16:58:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.10

Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html

Comment 21 errata-xmlrpc 2016-10-12 17:08:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html

Comment 22 errata-xmlrpc 2016-10-12 17:18:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html

