Bug 1695025 (CVE-2019-0215) - CVE-2019-0215 httpd: mod_ssl: access control bypass when using per-location client certification authentication
Alias: CVE-2019-0215
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1695046 1696090 1696091
Blocks: 1694984
Reported: 2019-04-02 10:17 UTC by Dhananjay Arunesh
Modified: 2019-09-29 15:10 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:52:52 UTC


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0980 None None None 2019-05-07 04:19:51 UTC

Description Dhananjay Arunesh 2019-04-02 10:17:57 UTC
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

Comment 3 Dhananjay Arunesh 2019-04-02 11:33:04 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1695046]

Comment 5 Huzaifa S. Sidhpurwala 2019-04-04 07:04:05 UTC
Patch is at: https://svn.apache.org/viewvc?view=revision&revision=1855917

Comment 8 Huzaifa S. Sidhpurwala 2019-04-15 05:31:14 UTC

This flaw can be exploited for httpd configurations where per-location client certificates are enabled and TLS 1.3 is used. 

The attacker can remotely exploit this httpd flaw (AV:N). However, the server has to be configured to use per-location client certificates, and the attacker needs to have access to the authenticating client certificate (AC:H). No other significant privileges are required by the attacker (PR:L). The result of the attack is a bypass of the configured access control restrictions (CI:H). This, however, does not affect the system beyond the web server itself (S:U).
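A configuration audit for the condition described in this bug (affected release, TLSv1.3 enabled, client certificate verification set per location), given as an added example that is not part of the bug report or of Red Hat's or Apache's tooling. The names `audit`, `tls13_possible`, `per_location_verify` and `SAMPLE` are hypothetical, and the `SSLProtocol` handling is a simplification that assumes the last directive in the file applies and that no directive means `all`.

```python
import re

AFFECTED = {"2.4.37", "2.4.38"}  # releases named in the bug description
SECTION = re.compile(r"<\s*((?:Location|Directory|Files)(?:Match)?)\b\s*(.*?)>", re.I)

def tls13_possible(config_text):
    """Simplified: last SSLProtocol line wins, no directive means 'all'."""
    enabled = True
    for raw in config_text.splitlines():
        parts = raw.split()
        if parts and parts[0].lower() == "sslprotocol":
            toks = [p.lower().lstrip("+") for p in parts[1:]]
            enabled = ("all" in toks or "tlsv1.3" in toks) and "-tlsv1.3" not in toks
    return enabled

def per_location_verify(config_text):
    """Return (section, argument, mode) for SSLVerifyClient set inside a section."""
    stack, hits = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = SECTION.match(line)
        parts = line.split()
        if opened:
            stack.append((opened.group(1), opened.group(2).strip().strip('"')))
        elif line.startswith("</"):
            if stack and line[2:].rstrip(">").strip().lower() == stack[-1][0].lower():
                stack.pop()
        elif stack and parts[0].lower() == "sslverifyclient" and len(parts) > 1:
            if parts[1].lower() != "none":
                hits.append(stack[-1] + (parts[1],))
    return hits

def audit(config_text, httpd_version):
    """Sections matching the bug's condition; empty list if the condition is not met."""
    if httpd_version not in AFFECTED or not tls13_possible(config_text):
        return []
    return per_location_verify(config_text)

# Constructed sample configuration, not taken from the bug report.
SAMPLE = """SSLProtocol all -SSLv3
<VirtualHost *:443>
  SSLVerifyClient none
  <Location "/admin">
    SSLVerifyClient require
  </Location>
</VirtualHost>
"""
```
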

Comment 9 errata-xmlrpc 2019-05-07 04:19:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0980 https://access.redhat.com/errata/RHSA-2019:0980
