Bug 1243888 (CVE-2015-3185) - CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authenticated request in 2.4
Summary: CVE-2015-3185 httpd: ap_some_auth_required() does not properly indicate authe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3185
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150715,repor...
Depends On: 1243894 1249799 1249800 1249803 1249804 1265989
Blocks: 1243893 1395463 1490666
TreeView+ depends on / blocked
 
Reported: 2015-07-16 14:00 UTC by Vasyl Kaigorodov
Modified: 2019-09-12 08:38 UTC (History)
54 users (show)

Fixed In Version: httpd 2.4.16
Doc Type: Bug Fix
Doc Text:
It was discovered that in httpd 2.4, the internal API function ap_some_auth_required() could incorrectly indicate that a request was authenticated even when no authentication was used. An httpd module using this API function could consequently allow access that should have been denied.
Clone Of:
Environment:
Last Closed: 2017-03-10 12:52:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1666 normal SHIPPED_LIVE Moderate: httpd24-httpd security update 2015-08-24 19:56:41 UTC
Red Hat Product Errata RHSA-2015:1667 normal SHIPPED_LIVE Moderate: httpd security update 2015-08-24 22:25:52 UTC
Red Hat Product Errata RHSA-2016:2957 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release 2016-12-16 03:11:19 UTC
Red Hat Product Errata RHSA-2017:2708 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 20:37:52 UTC
Red Hat Product Errata RHSA-2017:2709 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 20:48:46 UTC
Red Hat Product Errata RHSA-2017:2710 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services security update 2017-09-13 20:49:04 UTC

Description Vasyl Kaigorodov 2015-07-16 14:00:55 UTC
Apache HTTP Server 2.4.16 release fixes the following issue:

  *) SECURITY: CVE-2015-3185 (cve.mitre.org)
     Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
     with new ap_some_authn_required and ap_force_authn hook.  [Ben Reser]

External References:

http://httpd.apache.org/security/vulnerabilities_24.html#2.4.16

Comment 1 Vasyl Kaigorodov 2015-07-16 14:09:31 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1243894]

Comment 2 Fedora Update System 2015-07-21 08:12:18 UTC
httpd-2.4.16-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Tomas Hoger 2015-07-29 13:39:08 UTC
This issue was actually fixed in version 2.4.14.  However, as versions 2.4.14 and 2.4.15 were not released, 2.4.16 is the first released upstream version that includes the fix.

Upstream commit:

https://svn.apache.org/viewvc?view=revision&revision=1684525

Upstream also notes that this issue is only relevant for httpd 2.4, which made it possible to define authorization requirements and not only authentication requirements using Require configuration directive.  Therefore, httpd modules that use ap_some_auth_required() may incorrectly assume some request required authentication while only some authorization rule was applied.

As httpd versions in Red Hat Enterprise Linux 6 and earlier are based on older upstream httpd version (2.2 or 2.0), the are not affected by this issue.

Comment 4 Fedora Update System 2015-07-30 00:51:45 UTC
httpd-2.4.16-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 errata-xmlrpc 2015-08-24 15:57:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS

Via RHSA-2015:1666 https://rhn.redhat.com/errata/RHSA-2015-1666.html

Comment 10 errata-xmlrpc 2015-08-24 18:26:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:1667 https://rhn.redhat.com/errata/RHSA-2015-1667.html

Comment 14 errata-xmlrpc 2016-12-15 22:14:42 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html

Comment 15 errata-xmlrpc 2017-09-13 16:38:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2017:2708 https://access.redhat.com/errata/RHSA-2017:2708

Comment 16 errata-xmlrpc 2017-09-13 16:49:49 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:2709 https://access.redhat.com/errata/RHSA-2017:2709

Comment 17 errata-xmlrpc 2017-09-13 16:50:51 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:2710 https://access.redhat.com/errata/RHSA-2017:2710


Note You need to log in before you can comment on or make changes to this bug.