Bug 1157281 (CVE-2014-8566) - CVE-2014-8566 mod_auth_mellon: remote memory disclosure flaw
Summary: CVE-2014-8566 mod_auth_mellon: remote memory disclosure flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1157283 1157284
Blocks: 1157286
TreeView+ depends on / blocked
 
Reported: 2014-10-26 23:09 UTC by Murray McAllister
Modified: 2021-02-17 06:03 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.
Clone Of:
Environment:
Last Closed: 2014-11-05 13:13:54 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1803 0 normal SHIPPED_LIVE Important: mod_auth_mellon security update 2014-11-05 14:51:47 UTC

Description Murray McAllister 2014-10-26 23:09:54 UTC
mod_auth_mellon provides a SAML 2.0 authentication module for the Apache HTTP Server. A flaw was found that could result in sessions overlapping in memory. A remote attacker could use this flaw to leak memory that possibly contains sensitive information.

Comment 3 Simo Sorce 2014-10-27 12:55:01 UTC
Note that it is not totally clear to me that memory is disclosed remotely, it certainly is discolosed to local applications in apache variables.
However such a leak could result in disclosures if the right vartiables are affect, also segfaults have been reported, so perhaps even exploitable in some cases.

Comment 5 Murray McAllister 2014-10-28 05:57:34 UTC
Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue. Upstream acknowledges Matthew Slowe as the original reporter.

Comment 8 Simo Sorce 2014-11-03 14:14:37 UTC
Issue is public now:
https://postlister.uninett.no/sympa/arc/modmellon/2014-11/msg00000.html

Comment 9 Murray McAllister 2014-11-04 01:38:48 UTC
(In reply to Murray McAllister from comment #0)
> mod_auth_mellon provides a SAML 2.0 authentication module for the Apache
> HTTP Server. A flaw was found that could result in sessions overlapping in
> memory. A remote attacker could use this flaw to leak memory that possibly
> contains sensitive information.

Upstream describes this issue as:

It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)

Comment 10 Martin Prpič 2014-11-04 08:38:32 UTC
IssueDescription:

An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.

Comment 11 errata-xmlrpc 2014-11-05 09:52:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1803 https://rhn.redhat.com/errata/RHSA-2014-1803.html

Comment 12 Huzaifa S. Sidhpurwala 2014-11-05 13:13:54 UTC
Fedora 21 already ships mod_auth_mellon-0.9.1-1.fc21 and therefore is not affected by this issue.


Note You need to log in before you can comment on or make changes to this bug.