Bug 1695020 (CVE-2019-0217) - CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condition
Summary: CVE-2019-0217 httpd: mod_auth_digest: access control bypass due to race condi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-0217
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Maryna Nalbandian
URL:
Whiteboard:
Depends On: 1695046 1696140 1696141 1696142
Blocks: 1694984
TreeView+ depends on / blocked
 
Reported: 2019-04-02 10:10 UTC by Dhananjay Arunesh
Modified: 2023-03-24 14:41 UTC (History)
31 users (show)

Fixed In Version: httpd 2.4.39
Doc Type: If docs needed, set a value
Doc Text:
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:51 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2343 0 None None None 2019-08-06 12:42:35 UTC
Red Hat Product Errata RHSA-2019:3436 0 None None None 2019-11-05 20:54:53 UTC
Red Hat Product Errata RHSA-2019:3932 0 None None None 2019-11-20 16:21:11 UTC
Red Hat Product Errata RHSA-2019:3933 0 None None None 2019-11-20 16:13:34 UTC
Red Hat Product Errata RHSA-2019:3935 0 None None None 2019-11-20 16:08:38 UTC
Red Hat Product Errata RHSA-2019:4126 0 None None None 2019-12-10 07:57:17 UTC

Description Dhananjay Arunesh 2019-04-02 10:10:17 UTC
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Comment 3 Dhananjay Arunesh 2019-04-02 11:32:50 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1695046]

Comment 4 Huzaifa S. Sidhpurwala 2019-04-04 06:55:06 UTC
Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1855298

Comment 8 Huzaifa S. Sidhpurwala 2019-04-04 08:31:10 UTC
Analysis:

This issue only affected Digest authentication configurations. If the attacker is able to win the race condition, it is possible that with valid credentials of one user, the attacker can login as some other user (without knowing the credentials for that user). Also only threaded MPM configurations are affected.

Red Hat Enterprise Linux 7 and Red Hat Software Collections do not ship httpd package in threaded MPM configuration by default.

Based on the the fact that digest authentication is rarely used in modern day web applications and httpd package shipped with Red Hat products do not ship threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact.

Comment 12 Doran Moppert 2019-04-09 02:46:05 UTC
rhvm-appliance does not use Digest authentication, thus marking it notaffected.

Comment 15 Huzaifa S. Sidhpurwala 2019-05-15 09:41:31 UTC
Statement:

Based on the the fact that digest authentication is rarely used in modern day web applications and httpd package shipped with Red Hat products do not ship threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

Comment 18 Huzaifa S. Sidhpurwala 2019-05-22 05:58:47 UTC
Mitigation:

This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation.  In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.

Comment 19 errata-xmlrpc 2019-08-06 12:42:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2343 https://access.redhat.com/errata/RHSA-2019:2343

Comment 20 Product Security DevOps Team 2019-08-06 19:20:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-0217

Comment 22 errata-xmlrpc 2019-11-05 20:54:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3436 https://access.redhat.com/errata/RHSA-2019:3436

Comment 23 errata-xmlrpc 2019-11-20 16:08:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 24 errata-xmlrpc 2019-11-20 16:13:32 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 25 errata-xmlrpc 2019-11-20 16:21:10 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

Comment 26 errata-xmlrpc 2019-12-10 07:57:15 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:4126 https://access.redhat.com/errata/RHSA-2019:4126


Note You need to log in before you can comment on or make changes to this bug.