The Apache HTTPD web server (from 2.4.18/r1715255 up to 2.4.23/r1750779) did not validate a X509 client certificate correctly when HTTP/2 is used to access a resource. As a result - a resource thought to be secure and requiring a valid client certificate - would be accessible without authentication provided that the mod_http2 was loaded, h2 or h2c activated, that that the browser used the HTTP/2 protocol and it would do more than one request over a given connection. A third party can gain access to resources on the web server without the requisite credentials. This can then lead to unauthorised disclosure of information. This issue has been fixed in version 2.4.23 (r1750779). As a temporary workaround - HTTP/2 can be disabled by changing the configuration by removing h2 and h2c from the Protocols line(s) in the configuration file. The resulting line should read: Protocols http/1.1
Acknowledgments: Name: Apache Software Foundation Upstream: Erki Aring (Liewenthal Electronics Ltd)
Public via: https://mail-archives.apache.org/mod_mbox/httpd-announce/201607.mbox/CVE-2016-4979-68283
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1353203]
Upstream commit: http://svn.apache.org/viewvc?view=revision&revision=1750779 External References: http://httpd.apache.org/security/vulnerabilities_24.html#2.4.23
This issue only affected systems with HTTP/2 protocol enabled. The support for HTTP/2 was only added in httpd version 2.4.18. Therefore, no version of Red Hat Enterprise Linux, Red Hat JBoss Web Server, or Red Hat JBoss Enterprise Application Platform currently include httpd version with HTTP/2 support, and hence were not affected by this issue. The httpd version in the httpd24 collection in Red Hat Software Collections includes support for HTTP/2 as of RHBA-2016:1154: https://rhn.redhat.com/errata/RHBA-2016-1154.html The HTTP/2 protocol remains disabled by default as its support in httpd is still considered experimental.
httpd-2.4.23-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
httpd-2.4.23-3.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420