Bug 850776 (CVE-2012-3502) - CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure due to improper management of back end server connection close within error handling
Summary: CVE-2012-3502 httpd (mod_proxy_ajp, mod_proxy_http): Information disclosure d...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2012-3502
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 850799
Reported: 2012-08-22 12:06 UTC by Jan Lieskovsky
Modified: 2021-02-23 14:03 UTC (History)

Fixed In Version: httpd 2.4.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-23 10:39:01 UTC
Embargoed:

Description Jan Lieskovsky 2012-08-22 12:06:50 UTC
An information disclosure flaw was found in the way mod_proxy_ajp (AJP routines module for Apache proxy) and mod_proxy_http (HTTP routines module for Apache proxy) of httpd, the Apache HTTP server, performed management of connections to the back end server. When an error occurred, the relevant connection to the back end server was not closed properly, as expected. A remote attacker could issue a specially-crafted mod_proxy_ajp / mod_proxy_http request that, when processed, could lead to information disclosure.

Upstream bug report:
[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=53727

Relevant upstream patch:
[2] http://svn.apache.org/viewvc?view=revision&revision=1374297

Upstream security page (covering also this issue):
[3] http://httpd.apache.org/security/vulnerabilities_24.html

References:
[4] http://mail-archives.apache.org/mod_mbox/www-announce/201208.mbox/%3C0BFFEA9B-801B-4BAA-9534-56F640268E30@apache.org%3E
[5] http://www.apache.org/dist/httpd/CHANGES_2.4.3

Comment 2 Jan Lieskovsky 2012-08-22 12:53:05 UTC
Reproducer from upstream bug (untested):

1. Create a simple web app and serve it with ajp
2. In the web app, create a normal page (with .js, .css, and images), then craft a slow page that only returns a response after 1 second
3. Set up a reverse proxy to the web app with mod_proxy_ajp (a plain ProxyPass line)
4. Enable mod_deflate for the usual content types
5. Open Firefox, go to about:config, and set network.http.accept-encoding from "gzip, deflate" to an empty string
6. Restart Firefox, clear cache
7. With Firefox, access the normal page and let it load to completion, then access the slow page and press "Ctrl-W" to close the tab before the response is returned
8. Open Chrome, clear cache
9. With Chrome, access the normal page and see things go haywire, e.g. a request for a .js file will receive a response of image/png

Comment 5 Jan Lieskovsky 2012-08-23 10:24:49 UTC
This issue did NOT affect the versions of the httpd package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue did NOT affect the version of the httpd package, as shipped with JBoss Enterprise Web Server 1.

--

This issue did NOT affect the version of the httpd package, as shipped with JBoss Enterprise Application Platform 6 (the re-bundled JBoss Enterprise Web Server 1 version is provided as part of JBEAP 6.0.0).

--

This issue did NOT affect the versions of the httpd package, as shipped with Fedora releases 16 and 17.

Comment 6 Jan Lieskovsky 2012-08-23 10:38:00 UTC
Statement:

Not vulnerable. This issue did not affect the versions of httpd as shipped with Red Hat Enterprise Linux 4, 5, and 6, JBoss Enterprise Web Server 1, and JBoss Enterprise Application Server 6.

Comment 8 Jan Lieskovsky 2012-08-23 11:17:24 UTC
The httpd 2.2.x versions are not affected by this issue because the 'close' member (the flag handling the connection close) in the underlying 'proxy_conn_rec' structure is still implemented as a plain C integer rather than as a bitfield.
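Illustration of why the representation noted in Comment 8 matters (an added example, not code from the bug report or from httpd): if an error path marks the connection by incrementing the flag instead of assigning it (an idiom assumed here for illustration), a one-bit unsigned bitfield wraps back to 0 on the second increment, so a pool that reuses any connection with close == 0 hands the half-finished back end connection to the next client, while a plain int keeps a nonzero count. The struct names and pool check are hypothetical.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the two layouts Comment 8 contrasts. */
struct conn_int { int close; };           /* 2.2.x-style: plain C integer */
struct conn_bf  { unsigned int close:1; };/* 2.4.x-style: one-bit bitfield */

/* Assumed idiom: each error path "marks" the connection by incrementing.
 * For the bitfield, 0 -> 1 -> 0: unsigned bitfields wrap modulo 2^width. */
static void mark_close_int(struct conn_int *c) { c->close++; }
static void mark_close_bf(struct conn_bf *c)   { c->close++; }

/* Hardened form: assign the flag, so marking is idempotent. */
static void mark_close_bf_fixed(struct conn_bf *c) { c->close = 1; }

/* Two error sites fire during the same request (e.g. read error, then
 * cleanup), so the flag is marked twice before the connection is released. */
static int int_flag_after_two_errors(void) {
    struct conn_int c = {0};
    mark_close_int(&c); mark_close_int(&c);
    return c.close;                       /* 2: still "closed" */
}
static int bf_flag_after_two_errors(void) {
    struct conn_bf c = {0};
    mark_close_bf(&c); mark_close_bf(&c);
    return c.close;                       /* 0: wrapped, looks reusable */
}
static int bf_fixed_flag_after_two_errors(void) {
    struct conn_bf c = {0};
    mark_close_bf_fixed(&c); mark_close_bf_fixed(&c);
    return c.close;                       /* 1: assignment does not wrap */
}

/* A pool that recycles a back end connection unless it is flagged closed.
 * Returning 1 for a connection that saw an error is the response-mixup risk. */
static int would_reuse(int close_flag) { return close_flag == 0; }

int main(void) {
    printf("int   flag=%d reuse=%d\n", int_flag_after_two_errors(),
           would_reuse(int_flag_after_two_errors()));
    printf("bf    flag=%d reuse=%d\n", bf_flag_after_two_errors(),
           would_reuse(bf_flag_after_two_errors()));
    printf("fixed flag=%d reuse=%d\n", bf_fixed_flag_after_two_errors(),
           would_reuse(bf_fixed_flag_after_two_errors()));
    return 0;
}
```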
