CVE-2011-3368 Apache2 mod_proxy reverse proxy exposure

Bug #877740 reported by Michael Jeanson on 2011-10-18
Affects             Importance   Assigned to
apache2 (Ubuntu)    Undecided    Unassigned
Hardy               Undecided    Steve Beattie
Lucid               Undecided    Steve Beattie
Maverick            Undecided    Steve Beattie
Natty               Undecided    Steve Beattie
Oneiric             Undecided    Steve Beattie

Bug Description

The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21 does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches for configuration of a reverse proxy, which allows remote attackers to send requests to intranet servers via a malformed URI containing an initial @ (at sign) character.
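The mechanism in the description and the "return 400 on invalid requests" fix from the changelogs, as an added Python model (not code from the bug report, the Ubuntu packages or Apache): the ProxyPassMatch rule it models, the backend name, the sample URIs and the access-log lines are all assumed or constructed.

```python
"""CVE-2011-3368 modelled in Python (added example; not code from the bug
report, Ubuntu or Apache).  A rule such as  ProxyPassMatch ^(.*)$ http://backend$1
concatenates the client's request-URI onto a fixed backend origin; the fix in
the changelogs ("return 400 on invalid requests") rejects request-URIs that are
not HTTP origin-form first.  Backend name, URIs and log lines are constructed."""
import re
from urllib.parse import urlsplit

BACKEND_ORIGIN = "http://backend"  # assumed ProxyPassMatch target
# Common-log-format request field: "METHOD REQUEST-URI HTTP/x.y"
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d"')
SAMPLE_LOG = [  # constructed access-log lines
    '192.0.2.10 - - [18/Oct/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [18/Oct/2011:10:00:02 +0000] "GET @intranet-host/ HTTP/1.1" 200 77',
    '192.0.2.12 - - [18/Oct/2011:10:00:03 +0000] "OPTIONS * HTTP/1.1" 200 0',
]

def proxy_target(request_uri):
    """Naive substitution performed by the vulnerable configuration."""
    return BACKEND_ORIGIN + request_uri

def upstream_host(request_uri):
    """Host the proxy really connects to after substitution.  A URI beginning
    with '@' turns the intended backend into URL userinfo, so the host becomes
    whatever follows the '@'."""
    return urlsplit(proxy_target(request_uri)).hostname or ""

def is_origin_form(request_uri):
    """Validation the fix adds: only '/'-rooted paths or '*' are accepted.
    (Real Apache also accepts absolute-form URIs, which it splits into host
    and path before this point; that case is left out of the model.)"""
    return request_uri == "*" or request_uri.startswith("/")

def handle(request_uri):
    """Patched behaviour: (status, upstream host); 400 stops the request."""
    if not is_origin_form(request_uri):
        return 400, None
    return 200, upstream_host(request_uri)

def flag_non_origin_requests(log_lines):
    """Detection over access-log lines: (line_no, uri) for each request whose
    URI is not origin-form, i.e. the ones the fix now answers with 400."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = _REQ.search(line)
        if m and not is_origin_form(m.group("uri")):
            hits.append((no, m.group("uri")))
    return hits
```

Running `flag_non_origin_requests` over historical access logs is a quick way to see whether an unpatched reverse proxy ever received such request lines.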

visibility: private → public
Steve Beattie (sbeattie) wrote :

This was fixed in precise in 2.2.21-2ubuntu1 (see bug 872000). Assigning the other releases to myself.

Changed in apache2 (Ubuntu):
status: New → Fix Released
Changed in apache2 (Ubuntu Hardy):
status: New → In Progress
Changed in apache2 (Ubuntu Lucid):
status: New → In Progress
Changed in apache2 (Ubuntu Maverick):
status: New → In Progress
Changed in apache2 (Ubuntu Natty):
status: New → In Progress
Changed in apache2 (Ubuntu Oneiric):
status: New → In Progress
Changed in apache2 (Ubuntu Hardy):
assignee: nobody → Steve Beattie (sbeattie)
Changed in apache2 (Ubuntu Lucid):
assignee: nobody → Steve Beattie (sbeattie)
Changed in apache2 (Ubuntu Maverick):
assignee: nobody → Steve Beattie (sbeattie)
Changed in apache2 (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in apache2 (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Michael Jeanson (mjeanson) wrote :

I built a fixed package for hardy in my ppa (2.2.8-1ubuntu0.22~ppa1) and tested it in our environment; I confirm it fixes the exploit.

Michael Jeanson (mjeanson) wrote :

Debdiff for lucid, also available in my ppa.

Steve Beattie (sbeattie) wrote :

Thanks, Michael, I expect packages to go out in the next couple of days. FYI, the lucid debdiff you posted did not include an edit to debian/patches/00list, so I don't believe it's getting applied in your ppa build.

Michael Jeanson (mjeanson) wrote :

My bad, sorry if anyone tried this package, I had only tested on hardy. I uploaded a fixed package to my ppa.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.20-1ubuntu1.1

---------------
apache2 (2.2.20-1ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/214_CVE-2011-3192_regression.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option, along
      with a staged fix for the 2.2.22 release.
 -- Steve Beattie <email address hidden> Mon, 07 Nov 2011 14:01:10 -0800

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.17-1ubuntu1.4

---------------
apache2 (2.2.17-1ubuntu1.4) natty-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/084_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
 -- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:21:04 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.16-1ubuntu3.4

---------------
apache2 (2.2.16-1ubuntu3.4) maverick-security; urgency=low

  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests. (patch courtesy of Michael Jeanson)
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/085_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
 -- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:23:07 -0700

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.2.14-5ubuntu8.7

---------------
apache2 (2.2.14-5ubuntu8.7) lucid-security; urgency=low

  [ Michael Jeanson ]
  * SECURITY UPDATE: mod_proxy reverse proxy exposure (LP: #877740)
    - debian/patches/212_CVE-2011-3368.dpatch: return 400
      on invalid requests.
    - debian/patches/214_CVE-2011-3368_part2.dpatch: fix same for http
      0.9 protocol
    - CVE-2011-3368

  [ Steve Beattie ]
  * SECURITY UPDATE: mod_proxy_ajp denial of service (LP: #871674)
    - debian/patches/213_CVE-2011-3348.dpatch: return
      HTTP_NOT_IMPLEMENTED when AJP_EBAD_METHOD is requested
    - CVE-2011-3348
  * SECURITY UPDATE: mpm-itk failure to drop privileges in certain
    configurations
    - debian/mpm-itk/patches/11-CVE-2011-1176.patch: merge
      configurations correctly
    - CVE-2011-1176
  * Include additional fixes for regressions introduced by
    CVE-2011-3192 fixes
    - debian/patches/215_CVE-2011-3192_regression_part2.dpatch:
      take upstream fixes for byterange_filter.c through the 2.2.21
      release except for the added MaxRanges configuration option along
      with a fix staged for 2.2.22.
 -- Steve Beattie <email address hidden> Wed, 02 Nov 2011 17:27:07 -0700

Changed in apache2 (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Maverick):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Natty):
status: In Progress → Fix Released
Changed in apache2 (Ubuntu Oneiric):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

This was fixed for Ubuntu 8.04 LTS (hardy) in 2.2.8-1ubuntu0.22 as referred to in USN http://www.ubuntu.com/usn/usn-1259-1; closing.

Changed in apache2 (Ubuntu Hardy):
status: In Progress → Fix Released