In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
External References: https://httpd.apache.org/security/vulnerabilities_24.html http://www.apache.org/dist/httpd/CHANGES_2.4
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1695046]
Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1855298
Analysis: This issue only affects Digest authentication configurations. If the attacker is able to win the race condition, it is possible that, holding valid credentials for one user, the attacker is authenticated as some other user (without knowing the credentials for that user). Also, only threaded MPM configurations (worker, event) are affected. Red Hat Enterprise Linux 7 and Red Hat Software Collections do not ship the httpd package with a threaded MPM enabled by default. Based on the fact that Digest authentication is rarely used in modern web applications and that the httpd packages shipped with Red Hat products do not use a threaded MPM configuration by default, this flaw has been rated as having Moderate security impact.
rhvm-appliance does not use Digest authentication, thus marking it notaffected.
Statement: Based on the fact that Digest authentication is rarely used in modern web applications and that the httpd packages shipped with Red Hat products do not use a threaded MPM configuration by default, this flaw has been rated as having Moderate security impact. Red Hat Enterprise Linux 6 is now in the Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Mitigation: This flaw only affects a threaded server configuration (worker or event MPM), so using the prefork MPM is an effective mitigation. In the httpd packages shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
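A small triage script for the conditions named in the analysis and mitigation above, added here as an example; it is not part of this bug report or of the httpd project. A server is exposed only when all three hold: a threaded MPM is loaded, mod_auth_digest is loaded, and an "AuthType Digest" directive is in effect. The module listings and configuration fragments below are constructed samples in the format that `httpd -M` and httpd.conf use, not output captured from a real host; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added triage helper for CVE-2019-0217; not part of the Red Hat bug or of httpd.
# Each check takes text as its argument, so it works on saved output from another
# host as well as on a live server.

# 0 if the module listing (output of `httpd -M` / `apachectl -M`) shows a threaded MPM.
mpm_is_threaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*mpm_(worker|event)_module[[:space:]]'
}

# 0 if mod_auth_digest is among the loaded modules.
digest_module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*auth_digest_module[[:space:]]'
}

# 0 if any non-comment configuration line enables Digest authentication.
digest_auth_configured() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Digest([[:space:]]|$)'
}

# Prints one token describing exposure to CVE-2019-0217.
#   $1: module listing   $2: effective configuration text
cve_2019_0217_status() {
    if ! digest_auth_configured "$2"; then
        echo "not-affected-no-digest"
    elif ! digest_module_loaded "$1"; then
        echo "not-affected-no-digest-module"
    elif ! mpm_is_threaded "$1"; then
        echo "mitigated-prefork"
    else
        echo "exposed"
    fi
}

# Constructed sample module listings (format of `httpd -M`), not from a real host.
SAMPLE_MODULES_EVENT='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 auth_digest_module (shared)
 authz_core_module (shared)'

SAMPLE_MODULES_PREFORK='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_prefork_module (shared)
 auth_digest_module (shared)
 authz_core_module (shared)'

# Constructed configuration fragment protecting one location with Digest auth.
SAMPLE_CONF_DIGEST='<Location "/admin">
    AuthType Digest
    AuthName "admin"
    AuthDigestProvider file
    AuthUserFile /etc/httpd/conf/digest_pw
    Require valid-user
</Location>'

# Same location on Basic auth; the commented-out Digest line must not count.
SAMPLE_CONF_BASIC='<Location "/admin">
    # AuthType Digest
    AuthType Basic
    AuthName "admin"
    AuthUserFile /etc/httpd/conf/htpasswd
    Require valid-user
</Location>'

echo "event + digest:   $(cve_2019_0217_status "$SAMPLE_MODULES_EVENT" "$SAMPLE_CONF_DIGEST")"
echo "prefork + digest: $(cve_2019_0217_status "$SAMPLE_MODULES_PREFORK" "$SAMPLE_CONF_DIGEST")"
echo "event + basic:    $(cve_2019_0217_status "$SAMPLE_MODULES_EVENT" "$SAMPLE_CONF_BASIC")"

# On a host with httpd installed, check the live server. `-D DUMP_CONFIG` needs
# mod_info loaded; otherwise pass the concatenated conf files as the second argument.
if command -v httpd >/dev/null 2>&1; then
    live_mods=$(httpd -M 2>/dev/null || true)
    live_conf=$(httpd -t -D DUMP_CONFIG 2>/dev/null || true)
    echo "this host:        $(cve_2019_0217_status "$live_mods" "$live_conf")"
fi
```

Switching a server from the event or worker MPM to prefork is a restart, not a reload, and changes the process model (one process per connection), so capacity should be re-checked afterwards; on Red Hat builds the MPM is selected by the LoadModule line in /etc/httpd/conf.modules.d/00-mpm.conf. Once the patched package from the erratum below is installed, the MPM choice is no longer security-relevant for this flaw.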
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2343 https://access.redhat.com/errata/RHSA-2019:2343
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0217
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3436 https://access.redhat.com/errata/RHSA-2019:3436
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2019:4126 https://access.redhat.com/errata/RHSA-2019:4126