Bug 850776 – CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure due improper management of back end server connection close within error handling

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 850776 - (CVE-2012-3502) CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure due improper management of back end server connection close within error handling

Summary:	CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure d...

Status:	CLOSED NOTABUG

Aliases:	CVE-2012-3502

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20120816,reported=2...
Keywords:	Security

Depends On:
Blocks:	850799
	Show dependency tree / graph

Reported:	2012-08-22 08:06 EDT by Jan Lieskovsky
Modified:	2012-09-07 06:22 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:	httpd 2.4.3
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-08-23 06:39:01 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Jan Lieskovsky 2012-08-22 08:06:50 EDT

An information disclosure flaw was found in the way mod_proxy_ajp (AJP routines module for Apache proxy) and mod_proxy_http (HTTP routines module for Apache proxy) of httpd, the Apache HTTP server, performed management of connections to the back end server. When an error occurred, relevant connection to the back end server was not closed properly as expected. A remote attacker could issue a specially-crafted mod_proxy_ajp / mod_proxy_http request that, when processed could lead to information disclosure.

Upstream bug report:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=53727

Relevant upstream patch:
[2] http://svn.apache.org/viewvc?view=revision&revision=1374297

Upstream security page (covering also this issue):
[3] http://httpd.apache.org/security/vulnerabilities_24.html

References:
[4] http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
[5] http://www.apache.org/dist/httpd/CHANGES_2.4.3

Comment 2 Jan Lieskovsky 2012-08-22 08:53:05 EDT

Reproducer from upstream bug (untested):

1. Create a simple web app and serve it with ajp
2. In the web app, create a normal page (with .js, .css, and images), then craft a slow page that only returns a response after 1 second
3. Setup a reversed proxy to the web app with mod_proxy_ajp (a plain ProxyPass line)
4. Enable mod_deflate for the usual content types
5. Open Firefox, go to about:config, and set network.http.accept-encoding from "gzip, deflate" to an empty string
6. Restart Firefox, clear cache
7. With Firefox, access the normal page and let it load to completion, then access the slow page and press "Ctrl-W" to close the tab before the response is returned
8. Open Chrome, clear cache
9. With Chrome, access the normal page and see things go haywire, e.g. a request for a .js file will receive a response of image/png

Comment 5 Jan Lieskovsky 2012-08-23 06:24:49 EDT

This issue did NOT affect the versions of the httpd package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the version of the httpd package, as shipped with
JBoss Enterprise Web Server 1.

--

This issue did NOT affect the version of the httpd package, as shipped with
JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue did NOT affect the versions of the httpd package, as shipped with
Fedora release of 16 and 17.

Comment 6 Jan Lieskovsky 2012-08-23 06:38:00 EDT

Statement:

Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4, 5, and 6, JBoss Enterprise Web Server 1, and JBoss Enterprise Application Server 6.

Comment 8 Jan Lieskovsky 2012-08-23 07:17:24 EDT

The httpd 2.2.x versions are not affected by this issue because the 'close' member (flag handling the connection close) in the underlying 'proxy_conn_rec' structure is implemented as plain C integer yet, rather than a bitfield.

Note You need to log in before you can comment on or make changes to this bug.