Bug 850776 - (CVE-2012-3502) CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure due to improper management of back end server connection close within error handling
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120816,reported=2...
Keywords: Security
Blocks: 850799
Reported: 2012-08-22 08:06 EDT by Jan Lieskovsky
Modified: 2012-09-07 06:22 EDT
Fixed In Version: httpd 2.4.3
Doc Type: Bug Fix
Last Closed: 2012-08-23 06:39:01 EDT
Attachments: None
Description Jan Lieskovsky 2012-08-22 08:06:50 EDT
An information disclosure flaw was found in the way mod_proxy_ajp (AJP routines module for Apache proxy) and mod_proxy_http (HTTP routines module for Apache proxy) of httpd, the Apache HTTP server, performed management of connections to the back end server. When an error occurred, the relevant connection to the back end server was not closed properly as expected. A remote attacker could issue a specially-crafted mod_proxy_ajp / mod_proxy_http request that, when processed, could lead to information disclosure.

Upstream bug report:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=53727

Relevant upstream patch:
[2] http://svn.apache.org/viewvc?view=revision&revision=1374297

Upstream security page (covering also this issue):
[3] http://httpd.apache.org/security/vulnerabilities_24.html

References:
[4] http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
[5] http://www.apache.org/dist/httpd/CHANGES_2.4.3
Comment 2 Jan Lieskovsky 2012-08-22 08:53:05 EDT
Reproducer from upstream bug (untested):

1. Create a simple web app and serve it with ajp
2. In the web app, create a normal page (with .js, .css, and images), then craft a slow page that only returns a response after 1 second
3. Set up a reverse proxy to the web app with mod_proxy_ajp (a plain ProxyPass line)
4. Enable mod_deflate for the usual content types
5. Open Firefox, go to about:config, and set network.http.accept-encoding from "gzip, deflate" to an empty string
6. Restart Firefox, clear cache
7. With Firefox, access the normal page and let it load to completion, then access the slow page and press "Ctrl-W" to close the tab before the response is returned
8. Open Chrome, clear cache
9. With Chrome, access the normal page and see things go haywire, e.g. a request for a .js file will receive a response of image/png
Comment 5 Jan Lieskovsky 2012-08-23 06:24:49 EDT
This issue did NOT affect the versions of the httpd package, as shipped with
Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the version of the httpd package, as shipped with
JBoss Enterprise Web Server 1.

--

This issue did NOT affect the version of the httpd package, as shipped with
JBoss Enterprise Application Platform 6 (re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue did NOT affect the versions of the httpd package, as shipped with
Fedora release of 16 and 17.
Comment 6 Jan Lieskovsky 2012-08-23 06:38:00 EDT
Statement:

Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4, 5, and 6, JBoss Enterprise Web Server 1, and JBoss Enterprise Application Server 6.
Comment 8 Jan Lieskovsky 2012-08-23 07:17:24 EDT
The httpd 2.2.x versions are not affected by this issue because the 'close' member (the flag handling the connection close) in the underlying 'proxy_conn_rec' structure is still implemented as a plain C integer, rather than as a bitfield.
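The int-versus-bitfield distinction in Comment 8 is worth seeing in isolation. The following is an added C illustration, not httpd source: it models the 'close' member of proxy_conn_rec once as a plain int (the 2.2.x layout) and once as a one-bit bitfield (the pre-2.4.3 layout), and shows what happens when error paths mark a connection for closing by incrementing the flag rather than assigning to it. That the affected error paths used an increment idiom is an assumption made here for the demonstration; the bug page only states that the type of the member differs. The struct and function names are our own.

```c
#include <stdio.h>

/* Added illustration, not httpd code. Two stand-ins for the 'close'
 * member of httpd's proxy_conn_rec, per Comment 8 of the bug page:
 * httpd 2.2.x keeps it as a plain int; httpd 2.4.x before 2.4.3 made
 * it a one-bit bitfield. Names below are our own. */
struct conn_2_2 { int close; };               /* plain C integer      */
struct conn_2_4 { unsigned int close:1; };    /* one-bit bitfield     */

/* ASSUMPTION: an error path marks the backend connection for closing
 * with an increment ("close++") instead of an assignment. The page does
 * not show httpd's code; this is the idiom under which the int/bitfield
 * type difference becomes security relevant. On a 1-bit unsigned field,
 * 1 + 1 wraps to 0, so a second marking silently un-marks the close. */
static void mark_close_2_2(struct conn_2_2 *c) { c->close++; }
static void mark_close_2_4(struct conn_2_4 *c) { c->close++; }

/* Stand-in for returning a backend connection to the worker pool:
 * close == 0 means keep-alive, the next request reuses the socket
 * (and whatever unread response bytes are still on it); close != 0
 * means tear it down. Returns 1 when the connection would be reused. */
static int release_2_2(const struct conn_2_2 *c) { return c->close == 0; }
static int release_2_4(const struct conn_2_4 *c) { return c->close == 0; }

/* Apply n error-path markings, then report whether the connection would
 * be handed to the next client. */
int reused_after_errors_2_2(int n) {
    struct conn_2_2 c = { 0 };
    for (int i = 0; i < n; i++) mark_close_2_2(&c);
    return release_2_2(&c);
}

int reused_after_errors_2_4(int n) {
    struct conn_2_4 c = { 0 };
    for (int i = 0; i < n; i++) mark_close_2_4(&c);
    return release_2_4(&c);
}

/* Same bitfield layout, but marking by assignment: idempotent, so any
 * number of error paths leaves the connection scheduled for closing. */
int reused_after_errors_fixed(int n) {
    struct conn_2_4 c = { 0 };
    for (int i = 0; i < n; i++) c.close = 1;
    return release_2_4(&c);
}

int main(void) {
    for (int n = 0; n <= 3; n++)
        printf("%d error marking(s): int reused=%d  bitfield reused=%d  "
               "assign-fixed reused=%d\n",
               n, reused_after_errors_2_2(n), reused_after_errors_2_4(n),
               reused_after_errors_fixed(n));
    return 0;
}
```

With two markings the plain int ends at 2 (still "close"), while the one-bit field ends at 0 and the connection goes back into the pool with the aborted backend response still buffered on it, which is the response mix-up the reproducer in Comment 2 observes (a .js request answered with image/png). Assigning 1 instead of incrementing removes the wrap-around regardless of the field width.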
