Bug 2176209 (CVE-2023-25690) - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Summary: CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-25690
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2176718 2176719 2176721 2176722 2177742 2177743 2177744 2177745 2177746 2177747 2177748 2177749 2177750 2177751 2177752 2177753
Blocks: 2176202
Reported: 2023-03-07 16:20 UTC by Mauro Matteo Cascella
Modified: 2023-06-05 18:21 UTC

Fixed In Version: httpd 2.4.56
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in httpd. This security issue occurs when some mod_proxy configurations on Apache HTTP Server allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
Clone Of:
Environment:
Last Closed: 2023-06-05 18:21:13 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:1679 0 None None None 2023-04-10 08:16:12 UTC
Red Hat Product Errata RHBA-2023:1680 0 None None None 2023-04-10 10:58:23 UTC
Red Hat Product Errata RHBA-2023:1739 0 None None None 2023-04-12 13:03:39 UTC
Red Hat Product Errata RHBA-2023:1780 0 None None None 2023-04-13 18:05:32 UTC
Red Hat Product Errata RHBA-2023:1820 0 None None None 2023-04-18 10:35:42 UTC
Red Hat Product Errata RHBA-2023:3298 0 None None None 2023-05-24 17:03:42 UTC
Red Hat Product Errata RHSA-2023:1547 0 None None None 2023-04-03 15:58:38 UTC
Red Hat Product Errata RHSA-2023:1593 0 None None None 2023-04-04 09:48:49 UTC
Red Hat Product Errata RHSA-2023:1596 0 None None None 2023-04-04 09:48:53 UTC
Red Hat Product Errata RHSA-2023:1597 0 None None None 2023-04-04 09:49:13 UTC
Red Hat Product Errata RHSA-2023:1670 0 None None None 2023-04-06 14:45:00 UTC
Red Hat Product Errata RHSA-2023:1672 0 None None None 2023-04-06 16:10:41 UTC
Red Hat Product Errata RHSA-2023:1673 0 None None None 2023-04-06 16:12:47 UTC
Red Hat Product Errata RHSA-2023:1916 0 None None None 2023-04-20 13:45:21 UTC
Red Hat Product Errata RHSA-2023:3292 0 None None None 2023-05-24 08:56:13 UTC
Red Hat Product Errata RHSA-2023:3354 0 None None None 2023-06-05 11:51:11 UTC
Red Hat Product Errata RHSA-2023:3355 0 None None None 2023-06-05 11:47:22 UTC

Description Mauro Matteo Cascella 2023-03-07 16:20:35 UTC
Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow an HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
https://www.openwall.com/lists/oss-security/2023/03/07/1
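
As an added example (not from the bug report and not httpd's own code), a small audit script that flags the directive shapes the description calls out: a proxied RewriteRule or a ProxyPassMatch whose target re-inserts a captured portion of the request-target, with no B (or BCTL) flag escaping the backreference. The sample configuration and host names are constructed, and the matching is a heuristic rather than a full mod_rewrite parser.

```python
import re

# Constructed sample httpd configuration (not from the bug report): two
# directives of the affected shape, one mitigated with [B], two out of scope.
SAMPLE_CONFIG = """\
RewriteEngine On
# unbounded capture re-inserted into a proxied target: affected shape
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P]
# same rule with the B flag: the backreference is escaped before substitution
RewriteRule "^/here/(.*)" "http://backend.example:8080/elsewhere?$1" [P,B]
# ProxyPassMatch re-inserting a capture: affected shape
ProxyPassMatch "^/api/(.*)" "http://backend.example:9000/$1"
# capture in a redirect, no proxying: out of scope for this issue
RewriteRule "^/old/(.*)" "/new/$1" [R=301,L]
# proxied, but fixed target with no backreference
RewriteRule "^/health$" "http://backend.example:8080/ping" [P]
"""

ARG = r'("[^"]*"|\S+)'   # one directive argument, quoted or bare
REWRITE_RE = re.compile(r'^\s*RewriteRule\s+' + ARG + r'\s+' + ARG + r'(?:\s+\[([^\]]*)\])?')
PROXYMATCH_RE = re.compile(r'^\s*ProxyPassMatch\s+' + ARG + r'\s+' + ARG)
# $N from the RewriteRule pattern, %N from a RewriteCond; heuristic: a %N
# followed by a hex digit is taken as percent-encoding, not a backreference
BACKREF_RE = re.compile(r'\$[0-9]|%[0-9](?![0-9A-Fa-f])')

def escapes_backrefs(flags):
    """True if a B, B=chars or BCTL flag escapes backreferences before substitution."""
    return any(f == 'B' or f.startswith('B=') or f == 'BCTL' for f in flags)

def audit_config(text):
    """Return (line_no, directive, advice) for each directive of the affected shape."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if m:
            target = m.group(2)
            flags = [f.strip().upper() for f in (m.group(3) or '').split(',') if f.strip()]
            if any(f in ('P', 'PROXY') for f in flags) and BACKREF_RE.search(target) \
                    and not escapes_backrefs(flags):
                findings.append((n, 'RewriteRule', 'add the B (or BCTL) flag or tighten the pattern'))
            continue
        m = PROXYMATCH_RE.match(line)
        if m and BACKREF_RE.search(m.group(2)):
            findings.append((n, 'ProxyPassMatch', 'tighten the pattern; fixed in httpd 2.4.56'))
    return findings

if __name__ == '__main__':
    for line_no, directive, advice in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive}: {advice}")
```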

Comment 2 Sandipan Roy 2023-03-09 04:15:24 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2176718]

Comment 9 errata-xmlrpc 2023-04-03 15:58:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:1547 https://access.redhat.com/errata/RHSA-2023:1547

Comment 10 errata-xmlrpc 2023-04-04 09:48:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1593 https://access.redhat.com/errata/RHSA-2023:1593

Comment 11 errata-xmlrpc 2023-04-04 09:48:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1596 https://access.redhat.com/errata/RHSA-2023:1596

Comment 12 errata-xmlrpc 2023-04-04 09:49:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1597 https://access.redhat.com/errata/RHSA-2023:1597

Comment 13 errata-xmlrpc 2023-04-06 14:44:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1670 https://access.redhat.com/errata/RHSA-2023:1670

Comment 14 errata-xmlrpc 2023-04-06 16:10:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1672 https://access.redhat.com/errata/RHSA-2023:1672

Comment 15 errata-xmlrpc 2023-04-06 16:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1673 https://access.redhat.com/errata/RHSA-2023:1673

Comment 16 Shabba 2023-04-06 17:54:13 UTC
While I can't see the bug due to it being restricted, the patch incorporated into the RHEL7 httpd (2177742 - https://bugzilla.redhat.com/show_bug.cgi?id=2177742) has broken existing mod_rewrite behavior in RewriteRule, in a manner not related to mod_proxy or the CVE-2023-25690 issues, and in a manner not consistent with the upstream source (apache).  The SRPM change log notes:

* Tue Mar 21 2023 Luboš Uhliarik <luhliari> - 2.4.6-97.7
- Resolves: #2177742 - CVE-2023-25690 httpd: HTTP request splitting with
  mod_rewrite and mod_proxy 


The patch, with no attribution, adds both:

+    if (*(a2_end-1) == '?') {
+        /* a literal ? at the end of the unsubstituted rewrite rule */
+        newrule->flags |= RULEFLAG_QSNONE;
+    }
+    else if (newrule->flags & RULEFLAG_QSDISCARD) {
+        if (NULL == ap_strchr(newrule->output, '?')) {
+            newrule->flags |= RULEFLAG_QSNONE;
+        }
+    }
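
Review bot: the first branch sets RULEFLAG_QSNONE whenever the unsubstituted target ends in a literal '?' without checking whether RULEFLAG_QSAPPEND is also set, so a rule such as `RewriteRule ^.*$ /path/endpoint.xyz? [QSA]` has its append flag overridden at parse time. Guard the branch with `!(newrule->flags & RULEFLAG_QSAPPEND)`, or let QSAPPEND take precedence where QSNONE is consulted at runtime; as written the documented QSA behavior is lost, which is the regression this comment reports.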

and

+    int qsappend = flags & RULEFLAG_QSAPPEND;
+    int qsdiscard = flags & RULEFLAG_QSDISCARD;
+
+    if (flags & RULEFLAG_QSNONE) {
+        rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
+        r->args = NULL;
+        return;
+    }
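
Review bot: the early return on RULEFLAG_QSNONE comes before `qsappend` is used, so `r->args = NULL` is forced even when the rule carries [QSA] and the `qsappend` local computed two lines above is dead on that path. Reorder so the QSNONE branch fires only when `!qsappend` (or, when QSA is set, keep the original args rather than discarding them), and note in the documentation whatever the intended meaning of a trailing '?' combined with [QSA] is, since this changes long-standing behavior.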


Previously, a RewriteRule set as follows:

RewriteRule ^.*$ /path/endpoint.xyz? [QSA]

would result in the rewritten target receiving the original query string; i.e.:

1) ? causes the query string to be stripped
2) QSA causes the query string to be appended


With the change, QSNONE is being set, causing the QSA to not behave as described and intended, to not behave like it used to, and the query string is now being discarded.  This of course breaks any web application that has a RewriteRule in place as described above.  There's no explanation of why Apache's own change for CVE-2023-25690, which solves the problem without breaking existing behavior, was not used instead.

For reference:

Patches:
upstream: https://github.com/apache/httpd/commit/8789f6bb926fa4c33b4231a8444340515c82bdff
upstream: https://github.com/apache/httpd/commit/8b93a6512f14f5f68887ddfe677e91233ed79fb0

Comment 17 Luboš Uhliarik 2023-04-10 17:59:12 UTC
Hello Shabba,

There is another upstream commit regarding this CVE[0] which sets the QSNONE flag in the same way as it is backported in RHEL-7. I will look at it ASAP tomorrow.

[0] https://svn.apache.org/viewvc?view=revision&revision=1908098

Comment 18 gabriele.gattari 2023-04-12 13:18:11 UTC
affects RHEL 8.7

Comment 19 Shabba 2023-04-13 17:34:12 UTC
Curious if any luck on consideration for the broken regression on the RewriteRule behavior?  We had to downgrade ~1000 VMs to the RHEL7 .6 package to restore service to customers' websites that went down due to the rewrite rule behavior changing.  Fortunately not using proxying.  We're trying to avoid having to hand edit the htaccess files of every affected website given the rule, while obviously not logical (stripping the string and adding it back), has worked in the RHEL httpd package all the way back to at least RHEL5 but probably mid 2000's.

Comment 20 Luboš Uhliarik 2023-04-13 23:02:51 UTC
(In reply to Shabba from comment #19)
> Curious if any luck on consideration for the broken regression on the
> rewriterule behavior?  We had to downgrade ~1000 VMs to the RHEL7 .6
> package to restore service to customers' websites that went down due to the
> rewrite rule behavior changing.  Fortunately not using proxying.  We're
> trying to avoid having to hand edit the htaccess files of every affected
> website given the rule, while obviously not logical stripping the string and
> adding it back, has worked in the RHEL httpd package all the way back to at
> least RHEL5 but probably mid 2000's.

Hello Shabba, 

Could you please file a ticket through the customer portal and describe exactly what regression you are experiencing?

Comment 21 christopher.greiner 2023-04-19 10:07:43 UTC
Hello,

Any news? We've been hit with this issue breaking our site and wondered when a fix might be pushed before we consider a rollback?

Thank you

Comment 22 Shabba 2023-04-19 13:15:32 UTC
The regression is as I described it in comment 16; not much more I can add than that.  Previously, in RHEL 7, 6, and at least 5, apache from source, and apache on other distributions that have been patched for the same CVE (e.g. Ubuntu 20LTS and 22LTS), the following RewriteRule directive allows the original query string to pass through to the rewritten target:

RewriteRule ^.*$ /path/endpoint.xyz? [QSA]

In RHEL 7's httpd package after this patch, the query string is discarded.  The reason it is discarded is because of new behavior, where the target terminated by a ? sets a flag which causes the code handling a QSA directive to not execute.

In a shared hosting environment where thousands of websites may have such a rewrite rule, the only option was to downgrade off this patch release, because it isn't feasible, or within terms of service, to alter a customer's content (htaccess files) with what we hope is a successful pattern replacement, but could take the site down if it doesn't work as intended.
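
Added example, not code from the thread or from mod_rewrite: a constructed model of how the query string of a rewritten target is chosen, covering only the literal trailing '?' and the QSA flag that comments 16 and 22 discuss. `patched=True` applies the QSNONE short-circuit quoted in comment 16; `patched=False` is the pre-patch behavior the commenters describe.

```python
# Constructed model (assumption: not mod_rewrite's code) of how the query
# string of a rewritten target is chosen, before the RHEL 7 patch and after it.

def rewrite_query(substitution, flags, original_query, patched):
    """Return the query string the rewritten target keeps (None = no query).

    substitution   -- the RewriteRule target, e.g. '/path/endpoint.xyz?'
    flags          -- set of RewriteRule flags, e.g. {'QSA'}
    original_query -- query string of the incoming request, or ''
    patched        -- True to apply the QSNONE short-circuit from comment 16
    """
    if patched and substitution.endswith('?'):
        # patched path: a literal trailing '?' sets QSNONE at parse time and
        # at runtime r->args is cleared before QSA is ever consulted
        return None
    if '?' not in substitution:
        # no '?' in the target: the original query string passes through
        return original_query or None
    new_query = substitution.split('?', 1)[1]   # text after the literal '?'
    if 'QSA' in flags and original_query:
        # QSA: append the original query to whatever the target supplied
        new_query = f"{new_query}&{original_query}" if new_query else original_query
    return new_query or None

# Rule shapes discussed in the thread, evaluated both ways.
CASES = {
    'strip-then-append': ('/path/endpoint.xyz?', {'QSA'}),   # comments 16 and 22
    'strip-only':        ('/bar?',               {'R'}),     # trailing '?', no QSA
    'passthrough':       ('/new',                set()),     # no '?' at all
}

def compare(original_query='a=1&b=2'):
    """Map each case to (pre-patch query, patched query) for one request."""
    return {name: (rewrite_query(sub, fl, original_query, patched=False),
                   rewrite_query(sub, fl, original_query, patched=True))
            for name, (sub, fl) in CASES.items()}

if __name__ == '__main__':
    for name, (before, after) in compare().items():
        print(name, 'before:', before, 'after:', after)
```

Only the first case changes: the pre-patch result keeps the original query via QSA, the patched result drops it.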

Comment 23 Tom G. Christensen 2023-04-20 10:48:00 UTC
I just ran into a variant of this.

A simple rule on the form

RewriteRule /foo /bar? [R]

is now redirecting to /bar%3f

That is, ? is being URL-encoded and treated as part of the target URL, effectively breaking the redirect instead of signalling that no query string should be passed on, as it's supposed to.

Downgrading to the previous version of the httpd package fixes the issue.

I see this on el7, el8 and el9.

Comment 24 errata-xmlrpc 2023-04-20 13:45:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1916 https://access.redhat.com/errata/RHSA-2023:1916

Comment 25 Shabba 2023-04-27 19:34:10 UTC
Given it's been several weeks now, is it safe to assume Red Hat intends to keep this software regression in place?  So, everyone whose websites are broken under the new release should assume all future httpd updates on RHEL 7, 8, 9 will continue to not permit the prior RHEL httpd, and still working native Apache, behavior?

Comment 26 Luboš Uhliarik 2023-04-27 21:01:11 UTC
Hello Shabba,

we are aware of the regression and I'm working on the fix (RHEL-7/8/9) together with the BCTL|BNE flags backport (RHEL-8/9). The regression was unfortunately revealed by upstream after I created all builds and they had been shipped.

See:

https://bugzilla.redhat.com/show_bug.cgi?id=2190143
https://bugzilla.redhat.com/show_bug.cgi?id=2189179

Comment 27 errata-xmlrpc 2023-05-24 08:56:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:3292 https://access.redhat.com/errata/RHSA-2023:3292

Comment 32 errata-xmlrpc 2023-06-05 11:47:19 UTC
This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

Comment 33 errata-xmlrpc 2023-06-05 11:51:07 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

Comment 34 Product Security DevOps Team 2023-06-05 18:21:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-25690
