Bug 785069 - (CVE-2012-0053) CVE-2012-0053 httpd: cookie exposure due to error responses
CVE-2012-0053 httpd: cookie exposure due to error responses
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20120123,repor...
: Security
Depends On: 746695 746696 746697 785070 787596 787597 787598 787599
Blocks: 785071
  Show dependency treegraph
 
Reported: 2012-01-27 01:27 EST by Vincent Danen
Modified: 2015-11-24 09:47 EST (History)
13 users (show)

See Also:
Fixed In Version: httpd 2.2.22
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-07 15:37:06 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2012-01-27 01:27:17 EST
A flaw was found in the default error response for status code 400.  This could be used by an attacker to expose "httpOnly" cookies, when no custom ErrorDocument was specified.

This affects all versions of Apache from 2.2.0 up to and including 2.2.21.  It will be fixed upstream in 2.2.22 (via r1235454 [1]).

[1] http://svn.apache.org/viewvc?view=revision&revision=1235454
Comment 1 Vincent Danen 2012-01-27 01:33:29 EST
Created httpd tracking bugs for this issue

Affects: fedora-all [bug 785070]
Comment 2 Kurt Seifried 2012-01-28 01:13:41 EST
======================================================
Name: CVE-2012-0053

protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not
properly restrict header information during construction of Bad
Request (aka 400) error documents, which allows remote attackers to
obtain the values of HTTPOnly cookies via vectors involving a (1) long
or (2) malformed header in conjunction with crafted web script.
Comment 4 Tomas Hoger 2012-01-29 09:52:53 EST
Upstream fix (linked in comment #0) changes the amount of information sent back to an HTTP client when httpd detects one of the following problems:

1) HTTP request header line is longer than configured LimitRequestFieldSize limit.  In this case, httpd adds the line (actually, a prefix of it read before reaching the limit) to its default 400 error page.

2) HTTP request header line is continuation of the previous line and both lines combined together exceed configured LimitRequestFieldSize limit.  In this case, httpd adds previous line to its default 400 error page.  Note: previous line here may refer to a concatenation of more than one line, if previous lines were continuations too.

3) HTTP request header line does not contain : , which is a separator between the header name and its value.

Case 1) is the one that can be used by malicious javascript to gain access to httpOnly cookies.  A script can set additional cookies to make Cookie: request header line length exceed LimitRequestFieldSize and read values of a httpOnly protected cookies from the httpd's error page.  This may allow a script injected via some XSS flaw to gain access to cookies it can not access directly.

Upstream fix ensures that error page only contains header name, or 80 character prefix of the header name, if the name exceeds that limit.
Comment 5 Tomas Hoger 2012-02-01 03:20:33 EST
Write up of the issue for the original reporter:
  http://fd.the-wildcat.de/apache_e36a9cf46c.php

It confirms the analysis above (comment #4).
Comment 9 errata-xmlrpc 2012-02-13 15:34:32 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0128 https://rhn.redhat.com/errata/RHSA-2012-0128.html
Comment 10 Denis 2012-02-20 09:29:13 EST
Is httpd-2.2.3-53  impacted by the issue httpd-2.2.3-53 ? (RHEL 5)
Comment 11 Jan Lieskovsky 2012-02-20 10:03:40 EST
(In reply to comment #10)
> Is httpd-2.2.3-53  impacted by the issue httpd-2.2.3-53 ? (RHEL 5)

This issue affects the version of the httpd package, as shipped with Red Hat Enterprise Linux 5.
Comment 12 john.willis 2012-02-20 15:59:20 EST
(In reply to comment #11)

Can you clarify.

Does this mean the issue has been resolved as of httpd-2.2.3-53 or that the issue has not been addressed.

CVE Mitre currently is point at this bug track thread for updates and resolutions and has not marked it definitively resolved.

Thanks
Comment 13 errata-xmlrpc 2012-02-21 16:58:20 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0323 https://rhn.redhat.com/errata/RHSA-2012-0323.html
Comment 14 Vincent Danen 2012-02-21 17:58:02 EST
(In reply to comment #12)
> (In reply to comment #11)
> 
> Can you clarify.
> 
> Does this mean the issue has been resolved as of httpd-2.2.3-53 or that the
> issue has not been addressed.

John, it has been resolved now via RHSA-2012:0323.  Previously it was vulnerable.
Comment 15 bmorriso 2012-02-27 11:34:48 EST
Hi,

Any information on that status of the EWS fixes for this CVE?
Comment 17 Jan Lieskovsky 2012-03-07 10:50:42 EST
(In reply to comment #15)
> Hi,
> 
> Any information on that status of the EWS fixes for this CVE?

Hi Blair, 

We are working towards addressing of this issue in various versions of JBoss Enterprise Web Server too. But unfortunately as of right now we are unable to provide exact release date, when the updates can be expected (as the final date is subject of change depending on couple of internal conditions).

Hope the above being sufficient and helpful. Apologize, but can't provide more exact information.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 19 Tomas Hoger 2012-03-09 10:28:25 EST
Statement:

This issue affects httpd packages as shipped with Red Hat Enterprise Linux 3 and 4, which are now in the Extended Life Phase of their life cycle. Therefore this issue is not planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/
Comment 24 Mark J. Cox (Product Security) 2012-04-05 04:45:37 EDT
Note that this issue does affect Apache 2.0 despite the Mitre CVE description.  Verification: https://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?view=diff&r1=1237164&r2=1237165&pathrev=1237165
Comment 27 Coty Sutherland 2012-05-01 12:43:10 EDT
Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?
Comment 28 Coty Sutherland 2012-05-01 12:47:20 EDT
Sorry, this isn't a tomcat issue, I meant to inquire about EWS 1.0.2's Apache (2.2.17)...
Comment 30 errata-xmlrpc 2012-05-07 14:51:14 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0.2

Via RHSA-2012:0543 https://rhn.redhat.com/errata/RHSA-2012-0543.html
Comment 31 errata-xmlrpc 2012-05-07 15:17:36 EDT
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0542 https://rhn.redhat.com/errata/RHSA-2012-0542.html
Comment 32 Tomas Hoger 2012-07-27 03:15:59 EDT
Mitigation instructions:

As noted in the original reporter's advisory (see comment #5), this issue can be mitigated by using a custom ErrorDocument setting, such as:

  ErrorDocument 400 "Bad Request"

  http://httpd.apache.org/docs/2.2/mod/core.html#errordocument

It should be noted that ErrorDocument setting using path or external URL does not mitigate this issue.


It should also be noted that this is not an issue by itself.  This can only be exploited via some other cross-site scripting (XSS) flaw found in a web application running on the server and may allow injected JavaScript to gain access to HttpOnly cookies, if the application uses this protection for its cookies.

Note You need to log in before you can comment on or make changes to this bug.