Bug 2273491 (CVE-2023-38709) - CVE-2023-38709 httpd: HTTP response splitting
Summary: CVE-2023-38709 httpd: HTTP response splitting
Keywords:
Status: NEW
Alias: CVE-2023-38709
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273492 2273493 2273494 2273495 2273496
Blocks: 2273504
Reported: 2024-04-04 18:52 UTC by Pedro Sampaio
Modified: 2024-09-24 11:48 UTC

Fixed In Version: httpd 2.4.59
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in httpd. Response headers are not sanitized before an HTTP response is sent, so a malicious backend can insert a Content-Type, Content-Encoding, or other header containing line breaks, resulting in HTTP response splitting.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments
POC to demonstrate CVE-2023-38709 vulnerability (1.96 KB, text/plain), 2024-08-09 00:07 UTC, szhong


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2024:4530  0        None      None    None     2024-07-15 01:12:21 UTC
Red Hat Product Errata  RHSA-2024:4197  0        None      None    None     2024-07-01 08:04:37 UTC
Red Hat Product Errata  RHSA-2024:6927  0        None      None    None     2024-09-24 11:43:37 UTC
Red Hat Product Errata  RHSA-2024:6928  0        None      None    None     2024-09-24 11:48:32 UTC

Description Pedro Sampaio 2024-04-04 18:52:16 UTC
Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

References:

https://httpd.apache.org/security/vulnerabilities_24.html
https://svn.apache.org/viewvc?view=revision&revision=1916770

Comment 1 Pedro Sampaio 2024-04-04 18:53:21 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 2273492]

Comment 5 errata-xmlrpc 2024-07-01 08:04:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4197 https://access.redhat.com/errata/RHSA-2024:4197

Comment 6 athreadgill 2024-07-03 19:54:38 UTC
When applying the patch for this issue, it seems to entirely rewrite the /var/www/html folder and delete its content, using the below:
2.4.37-65.module+el8.10.0+21982+14717793

Comment 7 Bram Mertens 2024-07-05 09:16:38 UTC
(In reply to athreadgill from comment #6)
> When applying the patch for this issue it seems to entirely rewrite the
> /var/www/html folder and deletes its content using the below: 
> 2.4.37-65.module+el8.10.0+21982+14717793

I'm unable to reproduce this. The scripts included in the httpd package do not touch /var/www/html.
If you are able to reproduce this, I recommend opening a support case, ideally with an sos report of the situation before and after the update.

Comment 11 szhong 2024-08-09 00:07:05 UTC
Created attachment 2043759 [details]
POC to demonstrate CVE-2023-38709 vulnerability

I have a POC that demonstrates that the patch for Red Hat 8 did not resolve the vulnerability. Steps to reproduce:

1. compile
$ sudo apxs -i -a -c mod_example.c

2. modify /etc/httpd/conf/httpd.conf by adding the following

AddHandler example-handler .sum

3. start httpd

sudo httpd

4. run curl

$ curl -H 'Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>' -IL 'http://localhost/a.sum'
HTTP/1.1 200 OK
Date: Fri, 09 Aug 2024 00:03:43 GMT
Server: Apache/2.4.37 (Rocky Linux)
Content-Length: 18
Content-Type: text/html
Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>; charset=UTF-8

5. Expected behavior

$ curl -H 'Cookie: abc\r\nContent-Length: 8\r\n<p>a</p>' -IL 'http://localhost/a.sum'
HTTP/1.1 500 Internal Server Error
Date: Tue, 06 Aug 2024 20:31:00 GMT
Server: Apache/2.5.1-dev (Unix)
Content-Type: text/html; charset=iso-8859-1
Connection: close
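
As an added example (not httpd's own code and not the reporter's PoC), a minimal C response-head serializer that shows what the missing check costs: with `strict=0` a backend header value embedding a real CRLF is emitted as-is and two backend headers become four header lines (one of them an injected Content-Length); with `strict=1` the response is replaced by a 500, matching the expected output above. The `strict` switch, the helper names and all header data are constructed for this example.

```c
/* Added example, not httpd's own code: response-head serializer with the
 * CR/LF header check that CVE-2023-38709 concerns (fixed in httpd 2.4.59).
 * All header names and values below are constructed. */
#include <stdio.h>
#include <string.h>

struct header { const char *name; const char *value; };

/* 1 if s holds a bare CR or LF, i.e. it could not be one header line. */
static int has_crlf(const char *s) { return strpbrk(s, "\r\n") != NULL; }

/* Serialize into out[]; returns the status code actually sent (200, or 500
 * with no backend headers when strict and a field fails the check). */
int build_response_head(const struct header *h, size_t n, int strict,
                        char *out, size_t cap)
{
    size_t i, len;
    for (i = 0; strict && i < n; i++)
        if (!h[i].name[0] || has_crlf(h[i].name) || has_crlf(h[i].value)) {
            snprintf(out, cap, "HTTP/1.1 500 Internal Server Error\r\n"
                               "Connection: close\r\n\r\n");
            return 500;
        }
    len = (size_t)snprintf(out, cap, "HTTP/1.1 200 OK\r\n");
    for (i = 0; i < n && len < cap; i++)
        len += (size_t)snprintf(out + len, cap - len, "%s: %s\r\n",
                                h[i].name, h[i].value);
    if (len < cap) snprintf(out + len, cap - len, "\r\n");
    return 200;
}

/* CRLF-terminated lines before the blank line; n clean headers give n + 1. */
int count_head_lines(const char *head)
{
    int n = 0; const char *e;
    while ((e = strstr(head, "\r\n")) != NULL && e != head) { n++; head = e + 2; }
    return n;
}

/* Constructed backend headers: the Cookie value embeds a real CRLF. */
static const struct header tainted[] = {
    { "Content-Type", "text/html" },
    { "Cookie", "abc\r\nContent-Length: 8\r\n<p>a</p>" } };

/* Status code and head-line count for the tainted set in the given mode. */
int demo_status(int strict) { char b[256]; return build_response_head(tainted, 2, strict, b, sizeof b); }
int demo_lines(int strict) { char b[256]; build_response_head(tainted, 2, strict, b, sizeof b); return count_head_lines(b); }
```

Without the check the head carries 5 lines where 3 are expected, the extra two being the injected Content-Length and body fragment; with it the head is the 2-line 500.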

Comment 12 errata-xmlrpc 2024-09-24 11:43:32 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:6927 https://access.redhat.com/errata/RHSA-2024:6927

Comment 13 errata-xmlrpc 2024-09-24 11:48:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:6928 https://access.redhat.com/errata/RHSA-2024:6928

