1157281 – (CVE-2014-8566) CVE-2014-8566 mod_auth_mellon: remote memory disclosure flaw

Bug 1157281 (CVE-2014-8566) - CVE-2014-8566 mod_auth_mellon: remote memory disclosure flaw

Summary: CVE-2014-8566 mod_auth_mellon: remote memory disclosure flaw

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-8566
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Engineering1157283 Engineering1157284
Blocks:	Embargoed1157286
TreeView+	depends on / blocked

Reported:	2014-10-26 23:09 UTC by Murray McAllister
Modified:	2023-05-12 21:01 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.
Clone Of:
Environment:
Last Closed:	2014-11-05 13:13:54 UTC

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1803	0	normal	SHIPPED_LIVE	Important: mod_auth_mellon security update	2014-11-05 14:51:47 UTC

Description Murray McAllister 2014-10-26 23:09:54 UTC

mod_auth_mellon provides a SAML 2.0 authentication module for the Apache HTTP Server. A flaw was found that could result in sessions overlapping in memory. A remote attacker could use this flaw to leak memory that possibly contains sensitive information.

Comment 3 Simo Sorce 2014-10-27 12:55:01 UTC

Note that it is not totally clear to me that memory is disclosed remotely, it certainly is discolosed to local applications in apache variables.
However such a leak could result in disclosures if the right vartiables are affect, also segfaults have been reported, so perhaps even exploitable in some cases.

Comment 5 Murray McAllister 2014-10-28 05:57:34 UTC

Acknowledgements:

Red Hat would like to thank the mod_auth_mellon team for reporting this issue. Upstream acknowledges Matthew Slowe as the original reporter.

Comment 8 Simo Sorce 2014-11-03 14:14:37 UTC

Issue is public now:
https://postlister.uninett.no/sympa/arc/modmellon/2014-11/msg00000.html

Comment 9 Murray McAllister 2014-11-04 01:38:48 UTC

(In reply to Murray McAllister from comment #0)
> mod_auth_mellon provides a SAML 2.0 authentication module for the Apache
> HTTP Server. A flaw was found that could result in sessions overlapping in
> memory. A remote attacker could use this flaw to leak memory that possibly
> contains sensitive information.

Upstream describes this issue as:

It turned out that session overflow bugs fixes in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to an user in a different session. (CVE-2014-8566)

Comment 10 Martin Prpič 2014-11-04 08:38:32 UTC

IssueDescription:

An information disclosure flaw was found in mod_auth_mellon's session handling that could lead to session overlapping in memory. A remote attacker could potentially use this flaw to obtain data from another user's session.

Comment 11 errata-xmlrpc 2014-11-05 09:52:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1803 https://rhn.redhat.com/errata/RHSA-2014-1803.html

Comment 12 Huzaifa S. Sidhpurwala 2014-11-05 13:13:54 UTC

Fedora 21 already ships mod_auth_mellon-0.9.1-1.fc21 and therefore is not affected by this issue.

Note You need to log in before you can comment on or make changes to this bug.