Red Hat Security Advisory: httpd security and bug fix update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:0542 Final 1 1 2012-05-07T18:09:00Z Current version 2012-05-07T18:09:00Z 2012-05-07T18:09:00Z Red Hat rhsa-to-cvrf 1.0.1478 2012-05-07T19:13:02Z Updated httpd packages that fix multiple security issues and one bug are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Apache HTTP Server ("httpd") is the namesake project of The Apache Software Foundation. It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. (CVE-2011-3368) It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. (CVE-2011-3348) The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. (CVE-2012-0053) An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user. (CVE-2011-3607) A NULL pointer dereference flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled, a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed Cookie header. (CVE-2012-0021) A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. (CVE-2012-0031) Red Hat would like to thank Context Information Security for reporting the CVE-2011-3368 issue. This update also fixes the following bug: * The fix for CVE-2011-3192 provided by the RHSA-2011:1329 update introduced a regression in the way httpd handled certain Range HTTP header values. This update corrects this regression. (BZ#749071) All users of JBoss Enterprise Web Server 1.0.2 should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, users must restart the httpd service for the update to take effect. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate https://rhn.redhat.com/errata/RHSA-2012-0542.html https://rhn.redhat.com/errata/RHSA-2012-0542.html https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/security/updates/classification/#moderate https://rhn.redhat.com/errata/RHSA-2011-1329.html https://rhn.redhat.com/errata/RHSA-2011-1329.html https://bugzilla.redhat.com/show_bug.cgi?id=749071 https://bugzilla.redhat.com/show_bug.cgi?id=749071 JBoss Enterprise Web Server 1.0 for RHEL 5 Server JBoss Enterprise Web Server 1.0 for RHEL 6 Server httpd-2.2.17-15.4.ep5.el5.src.rpm httpd-2.2.17-15.4.ep5.el6.src.rpm httpd-2.2.17-15.4.ep5.el5 as a component of JBoss Enterprise Web Server 1.0 for RHEL 5 Server httpd-2.2.17-15.4.ep5.el6 as a component of JBoss Enterprise Web Server 1.0 for RHEL 6 Server It was discovered that mod_proxy_ajp incorrectly returned an "Internal Server Error" response when processing certain malformed HTTP requests, which caused the back-end server to be marked as failed in configurations where mod_proxy was used in load balancer mode. A remote attacker could cause mod_proxy to not send requests to back-end AJP (Apache JServ Protocol) servers for the retry timeout period or until all back-end servers were marked as failed. 2011-09-08T00:00:00Z 2011-09-14T00:00:00Z CVE-2011-3348 5Server-JBEWS-5.0.0:httpd-2.2.17-15.4.ep5.el5 6Server-JBEWS-1:httpd-2.2.17-15.4.ep5.el6 Moderate 5.0 AV:N/AC:L/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0542.html http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21 http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21 https://www.redhat.com/security/data/cve/CVE-2011-3348.html CVE-2011-3348 https://bugzilla.redhat.com/show_bug.cgi?id=736690 bz#736690: CVE-2011-3348 httpd: mod_proxy_ajp remote temporary DoS It was discovered that the Apache HTTP Server did not properly validate the request URI for proxied requests. In certain configurations, if a reverse proxy used the ProxyPassMatch directive, or if it used the RewriteRule directive with the proxy flag, a remote attacker could make the proxy connect to an arbitrary server, possibly disclosing sensitive information from internal web servers not directly accessible to the attacker. 2011-09-16T00:00:00Z 2011-10-05T00:00:00Z CVE-2011-3368 5Server-JBEWS-5.0.0:httpd-2.2.17-15.4.ep5.el5 6Server-JBEWS-1:httpd-2.2.17-15.4.ep5.el6 Moderate 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0542.html http://www.contextis.com/research/blog/reverseproxybypass/ http://www.contextis.com/research/blog/reverseproxybypass/ https://www.redhat.com/security/data/cve/CVE-2011-3368.html CVE-2011-3368 https://bugzilla.redhat.com/show_bug.cgi?id=740045 bz#740045: CVE-2011-3368 httpd: reverse web proxy vulnerability Red Hat would like to thank Context Information Security for reporting this issue. An integer overflow flaw, leading to a heap-based buffer overflow, was found in the way httpd performed substitutions in regular expressions. An attacker able to set certain httpd settings, such as a user permitted to override the httpd configuration for a specific directory using a ".htaccess" file, could use this flaw to crash the httpd child process or, possibly, execute arbitrary code with the privileges of the "apache" user. 2011-11-02T00:00:00Z 2011-11-02T00:00:00Z CVE-2011-3607 5Server-JBEWS-5.0.0:httpd-2.2.17-15.4.ep5.el5 6Server-JBEWS-1:httpd-2.2.17-15.4.ep5.el6 Low 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0542.html https://www.redhat.com/security/data/cve/CVE-2011-3607.html CVE-2011-3607 https://bugzilla.redhat.com/show_bug.cgi?id=769844 bz#769844: CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow A NULL pointer dereference flaw was found in the httpd mod_log_config module. In configurations where cookie logging is enabled, a remote attacker could use this flaw to crash the httpd child process via an HTTP request with a malformed Cookie header. 2012-01-26T00:00:00Z 2011-11-28T00:00:00Z CVE-2012-0021 5Server-JBEWS-5.0.0:httpd-2.2.17-15.4.ep5.el5 6Server-JBEWS-1:httpd-2.2.17-15.4.ep5.el6 Low 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0542.html https://www.redhat.com/security/data/cve/CVE-2012-0021.html CVE-2012-0021 https://bugzilla.redhat.com/show_bug.cgi?id=785065 bz#785065: CVE-2012-0021 httpd: NULL pointer dereference crash in mod_log_config A flaw was found in the way httpd handled child process status information. A malicious program running with httpd child process privileges (such as a PHP or CGI script) could use this flaw to cause the parent httpd process to crash during httpd service shutdown. 2012-01-12T00:00:00Z 2012-01-11T00:00:00Z CVE-2012-0031 5Server-JBEWS-5.0.0:httpd-2.2.17-15.4.ep5.el5 6Server-JBEWS-1:httpd-2.2.17-15.4.ep5.el6 Low 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0542.html https://www.redhat.com/security/data/cve/CVE-2012-0031.html CVE-2012-0031 https://bugzilla.redhat.com/show_bug.cgi?id=773744 bz#773744: CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling The httpd server included the full HTTP header line in the default error page generated when receiving an excessively long or malformed header. Malicious JavaScript running in the server's domain context could use this flaw to gain access to httpOnly cookies. 2012-01-26T00:00:00Z 2012-01-23T00:00:00Z CVE-2012-0053 5Server-JBEWS-5.0.0:httpd-2.2.17-15.4.ep5.el5 6Server-JBEWS-1:httpd-2.2.17-15.4.ep5.el6 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-0542.html https://www.redhat.com/security/data/cve/CVE-2012-0053.html CVE-2012-0053 https://bugzilla.redhat.com/show_bug.cgi?id=785069 bz#785069: CVE-2012-0053 httpd: cookie exposure due to error responses