Fix for CVE-2024-38474 also blocks %3f in appended query strings

Bug #2103723 reported by Christoph Herndler
Affects             Status         Importance   Assigned to           Milestone
apache2 (Ubuntu)    Confirmed      Undecided    Unassigned
Xenial              Fix Released   Undecided    Leonidas S. Barbosa
Bionic              Fix Released   Undecided    Leonidas S. Barbosa
Focal               Fix Released   Undecided    Leonidas S. Barbosa
Jammy               Fix Released   Undecided    Leonidas S. Barbosa
Noble               Fix Released   Undecided    Leonidas S. Barbosa
Oracular            Fix Released   Undecided    Leonidas S. Barbosa

Bug Description

The fix introduced in https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.19

" * SECURITY UPDATE: Substitution encoding issue in mod_rewrite
    - debian/patches/CVE-2024-38474_5.patch: tighten up prefix_stat and %3f
      handling in modules/mappers/mod_rewrite.c.
    - CVE-2024-38474
"

is causing issues by not being specific enough and blocking lots of requests not exposed to the CVE.

It has already been fixed in apache2 2.4.63
https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
"Bug 69197 - Fix for CVE-2024-38474 also blocks %3f in appended query strings"

Please port the changes to the detection code from mainline apache2.

Thank you

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

There were some releases after 2.4.41-4ubuntu3.19, but they don't seem to address this specific regression.

We have:

https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.20
  * SECURITY REGRESSION: regression when proxying http2 (LP: #2072648)
    - debian/patches/CVE-2024-38477-2.patch: restart from the original URL
      on reconnect in modules/http2/mod_proxy_http2.c.

https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.21
  * SECURITY UPDATE: source code disclosure with handlers configured via
    AddType
    - debian/patches/CVE-2024-40725.patch: copy the trusted flag from the
      subrequest in modules/http/http_request.c.
    - CVE-2024-40725

And this one is in focal-proposed:
https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.22
  * d/debhelper/apache2-maintscript-helper: Allow execution when called from a
    postinst script through a trigger (i.e., postinst triggered).
    Thanks to Roel van Meer. (LP: #2038912) (Closes: #1060450)

I checked the code in 2.4.41-4ubuntu3.22 and the patch[1] doesn't seem to be there indeed. I'll flag this bug here to the security team.
Note I couldn't get access to the svn commit, as it returned a 403[2]. Briefly checking the github mirror, it seems to be this commit[3].

1. https://bz.apache.org/bugzilla/attachment.cgi?id=39815&action=diff&collapsed=&headers=1&format=raw
2. https://svn.apache.org/viewvc?view=rev&rev=1919545
3. https://github.com/apache/httpd/commit/a0a68b99d131741c1867cff321424892838fc4b3

tags: added: regression-security
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hi security, this looks like a security regression in https://launchpad.net/ubuntu/+source/apache2/2.4.41-4ubuntu3.19. See previous comment where I tracked some things down.

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi,

We are working on a fix based on that commit. Meanwhile, would you mind providing any way to reproduce that issue, so we can check whether the fix/patch properly fixes it?

Thanks in advance!

Changed in apache2 (Ubuntu Focal):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Revision history for this message
Djordje Tasic (djolet) wrote :

Hi,

Here's an example of how to reproduce the issue.

We have a folder "modules/" with the following .htaccess content:
##################
RewriteEngine on

# Module only
RewriteRule ^([-a-zA-Z0-9_]+)/?$ %/modules/index.php?module=$1&%{QUERY_STRING} [NC,L]
##################

Accessing the URL: myapp.local/modules/test_rewrite/?url=mysite.net%3fsearch=question%3f

results in a 403 Forbidden error and generates a log entry:

2025-04-03 12:12:44 [Thu Apr 03 10:12:44.688826 2025] [rewrite:error] [pid 828:tid 847] [client 172.18.0.6:57350] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
2025-04-03 12:12:44 172.18.0.6 - - [03/Apr/2025:10:12:44 +0000] "GET /modules/test_rewrite/?url=mysite.net%3fsearch=question%3f HTTP/1.1" 403 199

Version used in the container:
$apachectl -V
Server version: Apache/2.4.62 (Unix)
Server built: Nov 12 2024 02:03:18
Server's Module Magic Number: 20120211:134
Server loaded: APR 1.7.2, APR-UTIL 1.6.3, PCRE 8.39 2016-06-14
Compiled using: APR 1.7.2, APR-UTIL 1.6.3, PCRE 8.39 2016-06-14

Hope it helps

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apache2 (Ubuntu Focal):
status: New → Confirmed
Changed in apache2 (Ubuntu):
status: New → Confirmed
Changed in apache2 (Ubuntu Jammy):
status: New → Confirmed
Changed in apache2 (Ubuntu Noble):
status: New → Confirmed
Changed in apache2 (Ubuntu Oracular):
status: New → Confirmed
Changed in apache2 (Ubuntu):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Xenial):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Bionic):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Jammy):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Noble):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Oracular):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in apache2 (Ubuntu Xenial):
status: New → In Progress
Changed in apache2 (Ubuntu Bionic):
status: New → In Progress
Changed in apache2 (Ubuntu Noble):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu Oracular):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu Focal):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in apache2 (Ubuntu):
assignee: Leonidas S. Barbosa (leosilvab) → nobody
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.62-1ubuntu1.1

---------------
apache2 (2.4.62-1ubuntu1.1) oracular-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 06:16:23 -0300

Changed in apache2 (Ubuntu Oracular):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.52-1ubuntu4.14

---------------
apache2 (2.4.52-1ubuntu4.14) jammy-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 06:05:48 -0300

Changed in apache2 (Ubuntu Jammy):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.41-4ubuntu3.23

---------------
apache2 (2.4.41-4ubuntu3.23) focal-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Wed, 02 Apr 2025 15:34:29 -0300

Changed in apache2 (Ubuntu Focal):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.58-1ubuntu8.6

---------------
apache2 (2.4.58-1ubuntu8.6) noble-security; urgency=medium

  * SECURITY REGRESSION: Better question mark tracking
    - debian/patches/CVE-2024-38474-regression.patch: improve
      previous patch allowing to avoid [UnsafeAllow3F] for most
      cases in modules/mappers/mod_rewrite.c (LP: #2103723).

 -- Leonidas Da Silva Barbosa <email address hidden> Thu, 03 Apr 2025 11:36:49 -0300

Changed in apache2 (Ubuntu Noble):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Xenial):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Bionic):
status: In Progress → Fix Released
Revision history for this message
Tom Andrew (tja523) wrote :

Hi,

It appears this patch has introduced a regression, whereby a `?` character introduced in a RewriteMap now (in 2.4.52-1ubuntu4.14) requires [UnsafeAllow3F] where it didn't previously. A minimal config to reproduce:

-----------------------
RewriteEngine On
RewriteRule ^/bob$ /jeremy?asd=asd [L,R]

RewriteMap redirects txt:maps/redirects.txt
RewriteRule ^(/fred)/?$ ${redirects:$1} [L,R]
-----------------------

With a map of:

-----------------------
/fred /jeremy?asd=asd
-----------------------

A request to /bob works as expected with a 302 redirect to /jeremy?asd=asd
A request to /fred does not work and instead returns a 403 with "Unsafe URL with %3f URL rewritten without UnsafeAllow3F" logged.

We have confirmed that in version 2.4.52-1ubuntu4.13 this was working as expected without the need for [UnsafeAllow3F].

I can file a new bug for this if required.
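Two reproducers appear in this thread: the appended-query-string case (a request carrying %3f in its own query string, as in the modules/test_rewrite example above) and the RewriteMap case (a `?` that enters the substitution from a map value, as in the /fred example above). An administrator rolling out the updated package will want to know which of these is behind a sudden burst of AH10508 rejections before deciding whether a rule really needs [UnsafeAllow3F]. The script below is an added example, not code from this bug report or from the apache2 package: it parses Apache error_log and access_log lines, counts the "Unsafe URL with %3f" rejections per client, and classifies each 403 by where (if anywhere) an encoded `?` sits in the request target. The log lines embedded in it are constructed copies of the ones quoted in the comments above, and the classification heuristic is this script's own, not mod_rewrite's internal logic.

```python
"""Triage mod_rewrite AH10508 ("Unsafe URL with %3f") rejections from Apache logs.

Added example for the Launchpad bug thread; not part of apache2.
The classification is a heuristic of this script, not mod_rewrite's own check.
"""
import re
from collections import Counter

# Apache error_log default layout:
# [timestamp] [module:level] [pid N(:tid M)] ([client IP:port]) message
ERROR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z0-9_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)

# Common/Combined Log Format prefix: host ident user [time] "request" status bytes
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)

# Constructed copies of the lines quoted in the bug comments (plus one
# ordinary notice line and one successful request, to show they are ignored).
ERROR_LINES = [
    "[Tue Apr 22 11:10:00.000000 2025] [mpm_prefork:notice] [pid 9770] "
    "AH00163: Apache/2.4.52 (Ubuntu) configured -- resuming normal operations",
    "[Thu Apr 03 10:12:44.688826 2025] [rewrite:error] [pid 828:tid 847] "
    "[client 172.18.0.6:57350] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F",
    "[Tue Apr 22 11:10:18.009699 2025] [rewrite:error] [pid 9771] "
    "[client 127.0.0.1:56084] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F",
]
ACCESS_LINES = [
    '172.18.0.6 - - [03/Apr/2025:10:12:44 +0000] '
    '"GET /modules/test_rewrite/?url=mysite.net%3fsearch=question%3f HTTP/1.1" 403 199',
    '127.0.0.1 - - [22/Apr/2025:07:47:50 -0300] "GET /bob HTTP/1.1" 302 0',
    '127.0.0.1 - - [22/Apr/2025:07:47:57 -0300] "GET /fred HTTP/1.1" 403 491 "-" "Mozilla/5.0"',
]


def parse_error_line(line):
    """Return the error_log fields as a dict, with an 'ah10508' flag, or None if unparseable."""
    m = ERROR_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # Older backports log the same message with a bare "AH:" prefix (see the Jammy
    # lines in the thread), so match on the flag name rather than the error code only.
    d["ah10508"] = d["msg"].startswith("AH10508") or "UnsafeAllow3F" in d["msg"]
    return d


def parse_access_line(line):
    """Return the access_log fields as a dict (status as int), or None if unparseable."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def classify_target(target):
    """Split a request-target and report where an encoded '?' (%3f / %3F) appears."""
    path, _, query = target.partition("?")
    return {
        "path": path,
        "query": query,
        "encoded_qmark_in_path": "%3f" in path.lower(),
        "encoded_qmark_in_query": "%3f" in query.lower(),
    }


def correlate(error_lines, access_lines):
    """Summarise AH10508 rejections and classify each 403 seen in the access log."""
    errors = [e for e in map(parse_error_line, error_lines) if e]
    rejects = [e for e in errors if e["ah10508"]]
    per_client = Counter((e["client"] or "-").rsplit(":", 1)[0] for e in rejects)

    forbidden = []
    for a in filter(None, map(parse_access_line, access_lines)):
        if a["status"] != 403:
            continue
        where = classify_target(a["target"])
        if where["encoded_qmark_in_path"]:
            reason = "encoded '?' in the path itself"
        elif where["encoded_qmark_in_query"]:
            reason = "encoded '?' only in the appended query string"
        else:
            reason = "no encoded '?' in the request; '?' likely introduced by the substitution or a RewriteMap"
        forbidden.append({"host": a["host"], "target": a["target"], "reason": reason})

    return {"rejections": len(rejects), "per_client": per_client, "forbidden": forbidden}


if __name__ == "__main__":
    summary = correlate(ERROR_LINES, ACCESS_LINES)
    print(f"AH10508 rejections: {summary['rejections']} {dict(summary['per_client'])}")
    for f in summary["forbidden"]:
        print(f"403 {f['host']} {f['target']}: {f['reason']}")
```

On a real server, feed it the lines from /var/log/apache2/error.log and access.log (the two files are not joined here by request id, so the per-client counts and the 403 classification are read side by side rather than matched one-to-one). Requests that land in the "appended query string" or "introduced by the substitution" buckets are the ones this bug is about; a 403 whose encoded `?` is in the path itself is the case CVE-2024-38474 was meant to stop and should not simply be waved through with [UnsafeAllow3F].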

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi,

Did you report it to upstream too? Maybe it is an issue about the fix itself.

Revision history for this message
Tom Andrew (tja523) wrote :

No, since it hasn't been verified whether upstream is affected.

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi,

I'm investigating the issue and trying to find what pieces are missing between jammy and plucky that fix that issue.

So far, I could reproduce the issue with the config you pasted:

in Jammy:

[Tue Apr 22 11:10:18.009699 2025] [rewrite:error] [pid 9771] [client 127.0.0.1:56084] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F
[Tue Apr 22 11:10:25.648474 2025] [rewrite:error] [pid 9772] [client 127.0.0.1:36442] AH: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

in Plucky:

127.0.0.1 - - [22/Apr/2025:07:47:57 -0300] "GET /fred HTTP/1.1" 403 491 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:137.0) Gecko/20100101 Firefox/137.0"

Revision history for this message
Tom Andrew (tja523) wrote :

Hi,

I may be misunderstanding your comment but I don't think it is fixed in Plucky - I've just tried and can reproduce with the same behaviour (using version 2.4.63-1ubuntu1).

In both Plucky and Jammy I get a 403 response, with the "AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F" error logged in the error.log - and from the looks of it I think that is probably what you were actually getting too.

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Hi,

Yep, I got the same in plucky after re-checking my configs:

[Tue Apr 22 12:14:16.176186 2025] [rewrite:error] [pid 12244:tid 12244] [client 127.0.0.1:43612] AH10508: Unsafe URL with %3f URL rewritten without UnsafeAllow3F

Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

Since we could reproduce it in plucky, which is version 2.4.63, the same as upstream, do you mind reporting this bug upstream: https://httpd.apache.org/bug_report.html

Thanks a lot for reporting it!
