Apache2 Balancer Manager mod_proxy_balancer not working after Update

Bug #1842701 reported by Horst Platz
This bug affects 1 person
Affects              Status        Importance  Assigned to     Milestone
Apache2 Web Server   Fix Released  Medium
apache2 (Debian)     Fix Released  Unknown
apache2 (Ubuntu)     Fix Released  Medium      Steve Beattie
  Xenial             Fix Released  Undecided   Unassigned
  Bionic             Fix Released  Undecided   Unassigned
  Disco              Fix Released  Undecided   Unassigned

Bug Description

OS

Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

I use this kind of configuration to reach the Balancer Manager.

 -------------
|Bastion Host |
|Apache Proxy | -----------> LB Apache Balancer Manager
 -------------

After the Apache update

from: 2.4.29-1ubuntu4.8
to: 2.4.29-1ubuntu4.10

the Balancer Manager behind a proxy is not working, and I think this comes with
the fix for CVE-2019-10092

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10092
http://changelogs.ubuntu.com/changelogs/pool/main/a/apache2/apache2_2.4.29-1ubuntu4.10/changelog

I stripped down the configuration to try to explain the situation.

Install a new Ubuntu 18.04 VirtualBox VM. From another VM I saved the prior
Apache packages from /var/cache/apt/archives

:~# apt-get install libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.2-0
:~# dpkg -i apache2_2.4.29-1ubuntu4.8_amd64.deb apache2-bin_2.4.29-1ubuntu4.8_amd64.deb apache2-data_2.4.29-1ubuntu4.8_all.deb apache2-utils_2.4.29-1ubuntu4.8_amd64.deb

:~# dpkg -l | grep apache2
ii apache2 2.4.29-1ubuntu4.8 amd64 Apache HTTP Server
ii apache2-bin 2.4.29-1ubuntu4.8 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.29-1ubuntu4.8 all Apache HTTP Server (common files)
ii apache2-utils 2.4.29-1ubuntu4.8 amd64 Apache HTTP Server (utility programs for web servers)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2/sites-available/management.conf
<VirtualHost 192.168.56.211:81 127.0.0.1:81>
    Servername 127.0.0.1
    ServerAdmin root@localhost

    <Location /balancer-manager>
        SetHandler balancer-manager
        # Note: Require directives default to RequireAny, so the
        # "Require all granted" below makes "Require local" ineffective
        # and exposes the balancer-manager to every client that can reach it.
        Require local
        #Require ip 192.168.56.0/24 127.0.0.1/24
        Require all granted
    </Location>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/management_error.log
    CustomLog ${APACHE_LOG_DIR}/management_access.log combined

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2/sites-available/proxytest.conf
<Proxy "balancer://test">
        BalancerMember "http://192.168.168.130/test"
        BalancerMember "http://192.168.168.131/test" status=+H
        ProxySet lbmethod=bybusyness
</Proxy>

<VirtualHost 127.0.0.1:8100>
ServerAdmin root@localhost
ServerName testapp01
ServerAlias 127.0.0.1:8100

    ProxyPass "/test" "balancer://test"
    ProxyPassReverse "/test" "balancer://test"

    CustomLog ${APACHE_LOG_DIR}/test-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/test-error.log

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# a2enmod proxy_balancer proxy_http lbmethod_bybusyness lbmethod_byrequests
:~# a2ensite management proxytest

:~# vim /etc/apache2/ports.conf
[...]
Listen 81
Listen 8100

:~# systemctl restart apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

At that point I also install some console browsers for testing.

:~# apt-get install lynx elinks

:~# tail -f /var/log/apache2/management_error.log

:~# elinks 127.0.0.1:81/balancer-manager
:~# lynx 127.0.0.1:81/balancer-manager

I can update the load and make changes. I also connect from outside with
Firefox

http://192.168.56.211:81/balancer-manager

All this creates no error log entries; the log is still empty.

-------------------------------------------------------------------------

update apache

:~# apt-get update
:~# apt-get upgrade

:~# dpkg -l | grep apache2
ii apache2 2.4.29-1ubuntu4.10 amd64 Apache HTTP Server
ii apache2-bin 2.4.29-1ubuntu4.10 amd64 Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.29-1ubuntu4.10 all Apache HTTP Server (common files)
ii apache2-utils 2.4.29-1ubuntu4.10 amd64 Apache HTTP Server (utility programs for web servers)

Do the same with all the browsers and keep the error log in view.

http://192.168.56.211:81/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
[Wed Sep 04 12:24:55.740457 2019] [proxy_balancer:error] [pid 14297:tid 140056626964224] [client 192.168.56.1:3432] AH10187: ignoring params in balancer-manager cross-site access

:~# elinks 127.0.0.1:81/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
[Wed Sep 04 12:27:45.423011 2019] [proxy_balancer:error] [pid 14669:tid 140254539364096] [client 127.0.0.1:42836] AH10187: ignoring params in balancer-manager cross-site access

Firefox and elinks create one single entry and updates of load etc. look like
they are working, but with

:~# lynx 127.0.0.1:81/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
[Wed Sep 04 12:28:58.249737 2019] [proxy_balancer:error] [pid 14669:tid 140254497400576] [client 127.0.0.1:42844] AH10187: ignoring params in balancer-manager cross-site access
[Wed Sep 04 12:29:09.585221 2019] [proxy_balancer:error] [pid 14669:tid 140254623291136] [client 127.0.0.1:42848] AH10187: ignoring params in balancer-manager cross-site access
[Wed Sep 04 12:29:15.435690 2019] [proxy_balancer:error] [pid 14669:tid 140254614898432] [client 127.0.0.1:42850] AH10187: ignoring params in balancer-manager cross-site access
[Wed Sep 04 12:29:29.771322 2019] [proxy_balancer:error] [pid 14669:tid 140254598113024] [client 127.0.0.1:42852] AH10187: ignoring params in balancer-manager cross-site access

every single submit will create an entry and, for example,
the load change will not be made in the balancer manager.

The string from the log entry is in the newest version from

https://svn.apache.org/viewvc?view=revision&revision=1864787
http://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.41/modules/proxy/mod_proxy_balancer.c

A downgrade to the prior version of the Apache packages solved the problem.

Regards Horst

Revision history for this message
In , A-abfalterer (a-abfalterer) wrote :

The new CSRF protection of the Balancer Manager breaks editing functionality for browsers that lowercase hostnames in the Referer: header; e.g. Chrome

The error is based on the usage of strcmp() in the safe_referer() function

https://github.com/apache/httpd/blob/2.4.x/modules/proxy/mod_proxy_balancer.c#L1107

Revision history for this message
In , Covener-0 (covener-0) wrote :

(In reply to Armin Abfalterer from comment #0)
> The new CSRF protection of the Balancer Manager breaks editing functionality
> for browsers that lowercase hostnames in the Referer: header; e.g. Chrome
>
> The error is based on the usage of strcmp() in the safe_referer() function
>
> https://github.com/apache/httpd/blob/2.4.x/modules/proxy/mod_proxy_balancer.c#L1107

thanks for the report and sorry for the inconvenience. Trunk r1865749 and proposing for backport to 2.4.x.

Revision history for this message
Paride Legovini (paride) wrote :

Thanks for your bug report. The "ignoring params in balancer-manager cross-site access" error message has been introduced as part of the patchset fixing CVE-2019-10092, see [1], so this definitely looks like a regression.

Revision history for this message
Paride Legovini (paride) wrote :
tags: added: server-triage-discuss
Paride Legovini (paride)
tags: added: server-next
tags: added: regression-update
removed: server-next
Paride Legovini (paride)
tags: added: server-next
removed: server-triage-discuss
Revision history for this message
Paride Legovini (paride) wrote :

I subscribed and pinged ubuntu-security on this one, let's see if they chime in and what their opinion is.

Revision history for this message
In , Horst Platz (hp-localhorst) wrote :

hi all,

Maybe I found a kind of the same problem. In my configuration I used
the balancer manager behind a proxy

 -------------
|Bastion Host |
|Apache Proxy | -----------> LB Apache Balancer Manager
 -------------

and I ran into the problem with an update of Ubuntu 18.04,
which I described in the following bug report

https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1842701

On localhost with lynx I see error log entries with every
submit and no update of the load data etc.

:~# tail -f /var/log/apache2/management_error.log
[Wed Sep 04 12:28:58.249737 2019] [proxy_balancer:error] [pid 14669:tid 140254497400576] [client 127.0.0.1:42844] AH10187: ignoring params in balancer-manager cross-site access
[Wed Sep 04 12:29:09.585221 2019] [proxy_balancer:error] [pid 14669:tid 140254623291136] [client 127.0.0.1:42848] AH10187: ignoring params in balancer-manager cross-site access

I can reproduce this within Debian 10

:~# apt-get install apache2

:~# dpkg -l | grep apache2
ii apache2 2.4.38-3+deb10u1
ii apache2-bin 2.4.38-3+deb10u1
ii apache2-data 2.4.38-3+deb10u1
ii apache2-utils 2.4.38-3+deb10u1

I downloaded the prior version of the module and compiled that version

http://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.40/modules/proxy/mod_proxy_balancer.c

:~# apxs2 -c -i mod_proxy_balancer.c

:~# systemctl restart apache2

:~# lynx 127.0.0.1:81/balancer-manager
:~# elinks 127.0.0.1:81/balancer-manager
Browser: http://192.168.56.211:81/balancer-manager

I can use the balancer manager as expected without any error log entry

I also compiled the version from https://svn.apache.org/viewvc?view=revision&revision=1865749
but with no luck.

regards horst

Revision history for this message
Horst Platz (hp-localhorst) wrote :

I found https://bz.apache.org/bugzilla/show_bug.cgi?id=63688 and this sounds like a similar problem, and I can reproduce it within Debian 10, which I described there.

Revision history for this message
In , Covener-0 (covener-0) wrote :

can you try something like this since you had a sandbox env:

Index: modules/proxy/mod_proxy_balancer.c
===================================================================
--- modules/proxy/mod_proxy_balancer.c (revision 1866509)
+++ modules/proxy/mod_proxy_balancer.c (working copy)
@@ -1185,7 +1185,7 @@
     /* Ignore parameters if this looks like XSRF */
     ref = apr_table_get(r->headers_in, "Referer");
     if (apr_table_elts(params)
- && (!ref || !safe_referer(r, ref))) {
+ && (ref && !safe_referer(r, ref))) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10187)
                       "ignoring params in balancer-manager cross-site access");
         apr_table_clear(params);
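
Review bot: changing `&& (!ref || !safe_referer(r, ref))` to `&& (ref && !safe_referer(r, ref))` makes a request that carries no Referer header at all keep its parameters, so the branch only rejects requests whose Referer names a foreign host. A cross-site request can be issued without a Referer (a page served with a no-referrer referrer policy, or any non-browser client), so this turns the XSRF check into one the attacker can opt out of, and the `APLOGNO(10187)` message stops firing for exactly that case. If Referer-less clients such as lynx must keep working, bind the parameter-carrying request to something the attacker cannot supply (for example a per-session nonce embedded in the balancer-manager form) instead of relaxing the missing-Referer branch, or at least state in a comment that accepting missing Referer is intentional.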

No referer should pass through IIUC.

Revision history for this message
In , Jorton-9 (jorton-9) wrote :

Well, Eric you suggested it, so maybe I got it wrong ;)

In all valid requests to the balancer-manager the previous URI should be the balancer-manager page, and hence Referer should be set. So ignoring params if Referer is not present was definitely deliberate.

So OP, are you saying this fails with lynx and works with elinks?

Revision history for this message
In , Jorton-9 (jorton-9) wrote :

BTW I can't comment on that Ubuntu page without creating an account, so please point them to this comment

The referenced change to mod_proxy/mod_proxy_balancer has NOTHING to do with CVE-2019-10092.

CVE-2019-10092 is fixed by https://svn.apache.org/viewvc?view=revision&revision=1864191

Revision history for this message
In , Horst Platz (hp-localhorst) wrote :

If I come from outside with Firefox and on the console with elinks, the first connect

:~# http://192.168.56.225:81/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
[Sat Sep 07 12:37:39.907268 2019] [proxy_balancer:error] [pid 6582:tid 140508132738816] [client 192.168.56.1:52006] AH10187: ignoring params in balancer-manager cross-site access

:~# elinks 127.0.0.1:81/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
[Sat Sep 07 12:40:42.786775 2019] [proxy_balancer:error] [pid 6582:tid 140507992790784] [client 127.0.0.1:48454] AH10187: ignoring params in balancer-manager cross-site access

creates one error log entry but it works; with lynx the first connect and every submit creates the log entry

:~# lynx 127.0.0.1:81/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
[Sat Sep 07 12:41:43.620865 2019] [proxy_balancer:error] [pid 6582:tid 140507900471040] [client 127.0.0.1:48460] AH10187: ignoring params in balancer-manager cross-site access

[Sat Sep 07 12:42:20.582399 2019] [proxy_balancer:error] [pid 6582:tid 140508132738816] [client 127.0.0.1:48466] AH10187: ignoring params in balancer-manager cross-site access
[Sat Sep 07 12:42:33.611602 2019] [proxy_balancer:error] [pid 6582:tid 140508043147008] [client 127.0.0.1:48468] AH10187: ignoring params in balancer-manager cross-site access
[Sat Sep 07 12:42:37.749409 2019] [proxy_balancer:error] [pid 6582:tid 140508026361600] [client 127.0.0.1:48470] AH10187: ignoring params in balancer-manager cross-site access

so yes, lynx is not working

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

with your patch on

http://svn.apache.org/repos/asf/httpd/httpd/tags/2.4.41/modules/proxy/mod_proxy_balancer.c

I got no error log entries and lynx is also working in my sandbox env.

thx horst

I created the hint on the Ubuntu page.

Revision history for this message
Horst Platz (hp-localhorst) wrote :

With the patch from here

https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c3

and with the Ubuntu 18.04 apache2 sources

:~$ apt-get source apache2

:~$ find . -name mod_proxy_balancer.c
./apache2-2.4.29/.pc/balance-member-long-hostname-part2.patch/modules/proxy/mod_proxy_balancer.c
./apache2-2.4.29/.pc/CVE-2019-10092-3.patch/modules/proxy/mod_proxy_balancer.c
./apache2-2.4.29/modules/proxy/mod_proxy_balancer.c

I copied and patched only that single file

:~$ cp ./apache2-2.4.29/modules/proxy/mod_proxy_balancer.c ~/

:~$ patch mod_proxy_balancer.c mod_proxy_balancer_patch.c
patching file mod_proxy_balancer.c
Hunk #1 succeeded at 1078 (offset -107 lines).

compile it

:~# apxs2 -c -i mod_proxy_balancer.c

I also got no more error log entries in my sandbox env from above. I copied that compiled binary away and I will try early next week with that one whether the initial problem behind the proxy is also solved.

Revision history for this message
In , Jorton-9 (jorton-9) wrote :

Sorry, I'm struggling to parse your comments, Horst.

From a quick search it looks like some versions of Lynx don't produce Referer headers. They won't work with mod_proxy_balancer since 2.4.41, because we tightened up the XSRF protection. This is unfortunate but we don't have a better way to protect against XSRF.
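
A small model of the check behind the AH10187 message, written for this page as an added example (it is not httpd code and not code from any participant; the real `safe_referer()` is in `modules/proxy/mod_proxy_balancer.c`). It assumes the check reduces to comparing the host named in the Referer header with the name the server uses for the request, and it ignores scheme and port. The `policy` values, `server_name` and every hostname below are assumptions chosen to mirror the thread: the strcmp/strcasecmp difference from the first comment, the missing-Referer handling from the proposed one-line patch, lynx sending no Referer, and a browser reaching the balancer-manager through a bastion proxy whose public hostname differs from the backend's own server name.

```c
/* Added example: a simplified model of the balancer-manager Referer check
 * (AH10187). Not httpd code; hostnames and policies below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() */

/* How the check treats the Referer header. */
enum policy {
    STRICT_STRCMP,          /* 2.4.41 as released: case-sensitive host compare   */
    CASE_INSENSITIVE,       /* after the strcasecmp fix: lowercased host passes  */
    ALLOW_MISSING_REFERER   /* the "ref &&" change: no Referer at all is accepted */
};

/* Copy the host part of an absolute URL into out; return 0 if none is found. */
static int referer_host(const char *ref, char *out, size_t outlen)
{
    const char *p = strstr(ref, "://");
    if (!p)
        return 0;                       /* relative or malformed Referer */
    p += 3;
    const char *slash = strchr(p, '/');
    const char *at = strchr(p, '@');
    if (at && (!slash || at < slash))
        p = at + 1;                     /* skip user:pass@ */
    size_t n = strcspn(p, ":/?#");      /* host ends at port, path, query, fragment */
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* 1 if the request's parameters would be honoured, 0 if they would be dropped
 * with "AH10187: ignoring params in balancer-manager cross-site access". */
int params_accepted(enum policy pol, const char *server_name, const char *referer)
{
    char host[256];

    if (!referer)
        return pol == ALLOW_MISSING_REFERER;
    if (!referer_host(referer, host, sizeof host))
        return 0;
    if (pol == STRICT_STRCMP)
        return strcmp(host, server_name) == 0;
    return strcasecmp(host, server_name) == 0;
}

int main(void)
{
    /* Constructed scenarios mirroring the thread; all names are assumptions. */
    struct { const char *what, *server_name, *referer; } cases[] = {
        { "Chrome, lowercased Referer host", "LB-Host.example",
          "http://lb-host.example:81/balancer-manager" },
        { "lynx, no Referer header", "127.0.0.1", NULL },
        { "browser via bastion proxy, backend sees its own name", "192.168.56.211",
          "https://bastion.example/balancer-manager" },
        { "browser via bastion proxy, backend sees the proxied Host", "bastion.example",
          "https://bastion.example/balancer-manager" },
        { "cross-site form post with Referer", "127.0.0.1",
          "http://evil.example/csrf.html" },
        { "cross-site form post, Referer suppressed", "127.0.0.1", NULL },
    };

    printf("%-60s %-10s %-10s %-10s\n", "scenario", "strcmp", "strcasecmp", "ref&&");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-60s", cases[i].what);
        for (int pol = STRICT_STRCMP; pol <= ALLOW_MISSING_REFERER; pol++)
            printf(" %-10s",
                   params_accepted((enum policy)pol, cases[i].server_name, cases[i].referer)
                       ? "accept" : "AH10187");
        printf("\n");
    }
    return 0;
}
```

Compare the last two rows: under the relaxed policy a forged request that simply omits the Referer is honoured, which is the objection raised in the comment above. The proxied case is only accepted when the backend sees the same host name the browser put in the Referer; a reverse proxy that forwards the original Host header (ProxyPreserveHost On in Apache) supplies that, but whether it satisfies the real check also depends on the port comparison this model leaves out.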

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for linking the upstream bug and your experiments Horst!

In the upstream bug it was mentioned that this would not be related to the CVE fix CVE-2019-10092.
But it made me think, as Horst clearly found it to be related to that update.

I did some of the same checks Horst did (in which patch is the balancer touched).
There are three patches in the package referenced for this CVE:
- debian/patches/CVE-2019-10092-1.patch: based on [1] which matches the upstream referred [2]
- debian/patches/CVE-2019-10092-2.patch: based on [3] which might be some related cleanup and no
  big changes (but not part of the upstream CVE change)
- debian/patches/CVE-2019-10092-3.patch: based on [4]
  This last one is what brings changes to proxy/mod_proxy_balancer.c
  It is not directly tied to CVE-2019-10092 but seems to be picked up in that context.

That at least somewhat explains upstream's confusion on "referenced change to mod_proxy/mod_proxy_balancer has NOTHING to do with CVE-2019-10092". I agree that this was an extra change unrelated to that.

And if I got Horst right in the former comment he confirmed that if he drops that change it seems to work again.

But it seems (other than the mis-tag to CVE-2019-10092) this XSRF hardening was an intended change by upstream [5].
I wasn't able to follow all comments of the upstream bug; they mentioned lynx might be incompatible with it, but does that apply to some proxies as well then?
In that case this might be a hard call on security-SRUing this into Bionic and breaking things. But while this is a no-go for normal SRUs, security sometimes requires changes like that.

@sbeattie - could you outline what was going on in the CVE discussions when this XSRF protection was added. And if you have any known discussions on adding XSRF protection that includes balancing those proxies/browsers.

[1]: https://svn.apache.org/viewvc?view=revision&revision=1864207
[2]: https://svn.apache.org/viewvc?view=revision&revision=1864191
[3]: https://svn.apache.org/viewvc?view=revision&revision=1864702
[4]: https://svn.apache.org/viewvc?view=revision&revision=1864787
[5]: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c7

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

@Horst
I have put a preliminary build of the packaged Apache to the PPA [1] with the fix that was suggested on the upstream bug [2]. Could you give that one a try?

[1]: https://launchpad.net/~paelzer/+archive/ubuntu/bug-1842701-mod-proxy-xsrf
[2]: https://bz.apache.org/bugzilla/show_bug.cgi?id=63688#c3

Changed in apache2:
importance: Unknown → Medium
status: Unknown → Confirmed
Revision history for this message
Steve Beattie (sbeattie) wrote :

Sorry for the problems that people are experiencing.

Christian, the Ubuntu Security Team will sometimes incorporate a hardening measure like the extra XSRF that upstream included in the 2.4.41 release, if it appears to address similar issues as the original vulnerability. Looking at the history of modules/proxy/ in the 2.4.x branch made it look like they were mildly related. Unfortunately, upstream did not make explicitly clear in the 2.4.x branch which commits specifically addressed each vulnerability (and in fact, upstream managed to silently break an embargo with their fix for CVE-2019-9517).

The debian/patches/CVE-2019-10092-2.patch is a fixup to the first patch, because in the first patch, a couple of log numbers were missed in the emitted error messages.

The issues with the https://svn.apache.org/viewvc?view=revision&revision=1864787 (so misnamed as CVE-2019-10092-3.patch) should affect xenial and disco as well, not just bionic, since it was backported to those releases as well.

I've made available packages which incorporate both patches mentioned in the upstream bug report (the one for the strcasecmp change and the change in the referrer test) in the ppa https://launchpad.net/~sbeattie/+archive/ubuntu/lp1842701/ for testing. Please let me know if these address the issues that people are seeing.

Thanks, and again, my apologies.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thanks for the explanations Steve.
I almost assumed something like this (adding related hardening) and this was not meant as any blaming. I was just dissecting the case one step at a time.

Thanks for doing the next step already with the builds for all affected releases.

In that case I can stop the coding myself but I want to continue to help. And that might be with some testing instead.
I'll try if I can set up and repro the issues that were reported ...

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

First of all, thanks to the great steps by Horst I was able to reproduce this on X/B/D releases.
like:
[Tue Sep 10 06:39:37.715128 2019] [proxy_balancer:error] [pid 3314:tid 140601611724544] [client 127.0.0.1:50998] AH10187: ignoring params in balancer-manager cross-site access

With that set up I upgraded all those to the PPA [1] and retried the access.
It works without the AH10187 error now.
I also found no other new issue in the logs triggered by the update - at least not for this setup.

In an SRU sense I'd now call it verified.
I hope that helps to get this processed further, since it needs pushing to the -security pocket I can't help much further.

[1]: https://launchpad.net/~sbeattie/+archive/ubuntu/lp1842701

Revision history for this message
Horst Platz (hp-localhorst) wrote :

Sorry, I can't use your PPAs in production. For a quick test I used my patched compiled module, where only one line changes, from the patch I described above

:$ diff mod_proxy_balancer.c_org mod_proxy_balancer.c
1081c1081
< && (!ref || !safe_referer(r, ref))) {
---
> && (ref && !safe_referer(r, ref))) {

I updated one of my production machines with the apache packages 2.4.29-1ubuntu4.10 and copied that module in. lynx starts working, but the initial problem from outside over the bastion host proxy is not solved.

I will try to create a better test env to use your PPAs behind a proxy, but I'm sorry, this needs a while.

thx for all your work, horst

Revision history for this message
Horst Platz (hp-localhorst) wrote :

Unfortunately the PPA also does not solve the behind-a-proxy problem.
Usually in my production the front (bastion/proxy host) is Debian 9,
so I tested both with Debian 9 and with the Ubuntu 18.04 PPA on the proxy
host.

I modified the configuration a little to get closer to the
production env.

VM with LB Manager IP:192.168.56.211

I start again with the old Apache version

:~# apt-get install libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.2-0
:~# dpkg -i apache2_2.4.29-1ubuntu4.8_amd64.deb apache2-bin_2.4.29-1ubuntu4.8_amd64.deb apache2-data_2.4.29-1ubuntu4.8_all.deb apache2-utils_2.4.29-1ubuntu4.8_amd64.deb

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2/sites-available/management.conf
<VirtualHost 192.168.56.211:81 127.0.0.1:81>
    Servername 127.0.0.1
    ServerAdmin root@localhost

    <Location /balancer-manager>
        SetHandler balancer-manager
        # Note: Require directives default to RequireAny, so the
        # "Require all granted" below makes "Require local" ineffective
        # and exposes the balancer-manager to every client that can reach it.
        Require local
        #Require ip 192.168.56.0/24 127.0.0.1/24
        Require all granted
    </Location>

    <Location /test-web01/balancer-manager>
        SetHandler balancer-manager
        # Same caveat as above: "Require all granted" overrides "Require local".
        Require local
        #Require ip 192.168.56.0/24 127.0.0.1/24
        Require all granted
    </Location>

    LogLevel warn
    ErrorLog ${APACHE_LOG_DIR}/management_error.log
    CustomLog ${APACHE_LOG_DIR}/management_access.log combined

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# vim /etc/apache2/sites-available/proxytest.conf
<Proxy "balancer://test">
        BalancerMember "http://192.168.168.130/test"
        BalancerMember "http://192.168.168.131/test" status=+H
        ProxySet lbmethod=bybusyness
</Proxy>

<VirtualHost 127.0.0.1:8100>
ServerAdmin root@localhost
ServerName testapp01
ServerAlias 127.0.0.1:8100

    ProxyPass "/test" "balancer://test"
    ProxyPassReverse "/test" "balancer://test"

    CustomLog ${APACHE_LOG_DIR}/test-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/test-error.log

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

:~# a2enmod proxy_balancer proxy_http lbmethod_bybusyness lbmethod_byrequests
:~# a2ensite management proxytest

:~# vim /etc/apache2/ports.conf
[...]
Listen 81
Listen 8100

:~# systemctl restart apache2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Check the localhost LB Manager

:~# apt-get install lynx

:~# lynx 127.0.0.1:81/balancer-manager
:~# lynx 127.0.0.1:81/test-web01/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
-> worked as expected
-> no log entries on the LB Manager VM

-------------------------------------------------------------------------

Bastion Host Proxy VM IP:192.168.56.230

:~# apt-get install apache2 lynx

Check from the proxy VM that the LB Manager is working without a proxy config in
front of it.

:~# lynx 192.168.56.211:81/balancer-manager
:~# lynx 192.168.56.211:81/test-web01/balancer-manager

:~# tail -f /var/log/apache2/management_error.log
-> no log entries on the LB Manager VM

start proxy configuration

:~# vim /etc...

Read more...

Revision history for this message
In , Horst Platz (hp-localhorst) wrote :

I'm sorry for that...

On the Ubuntu page there is a further discussion, and I explain and test the initial problem: the LB manager behind a proxy is not working after the update. Maybe this helps to make my problem clearer.

lynx only came into the playground to debug the initial problem. lynx with your patch starts working again. But good to know that in the future lynx is maybe not a good choice for debugging purposes at that point.

Bryce Harrington (bryce)
Changed in apache2 (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in apache2 (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.18-2ubuntu3.13

---------------
apache2 (2.4.18-2ubuntu3.13) xenial-security; urgency=medium

  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden> Mon, 16 Sep 2019 06:13:53 -0700

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.29-1ubuntu4.11

---------------
apache2 (2.4.29-1ubuntu4.11) bionic-security; urgency=medium

  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden> Mon, 16 Sep 2019 05:58:48 -0700

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.38-2ubuntu2.3

---------------
apache2 (2.4.38-2ubuntu2.3) disco-security; urgency=medium

  * SECURITY REGRESSION: mod_proxy balancer XSS/CSRF hardening broke
    browsers which change case in headers and breaks balancers
    loading in some configurations (LP: #1842701)
    - drop d/p/CVE-2019-10092-3.patch

 -- Steve Beattie <email address hidden> Mon, 16 Sep 2019 05:36:25 -0700

Changed in apache2 (Ubuntu):
status: Triaged → Fix Released
Revision history for this message
Horst Platz (hp-localhorst) wrote :

With the new packages my problem is solved.

One more question: in the next Ubuntu release, for example 20.04 with a newer Apache version, is it possible that this kind of problem comes back again? Because the patches are in the newer version from apache.org.

thx again, regards horst

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Horst,
yes, I checked and the issue is in Eoan 2.4.41 - I checked that already last week and let Steve know.

Steve wanted to track the upstream discussions on this, as going forward we most likely want to follow upstream's guidance on this (e.g. accept that it is broken for better security).

But thanks for the ping, we might want to mark the bug tasks accordingly to make this clear.

Changed in apache2 (Ubuntu):
status: Fix Released → Confirmed
Changed in apache2 (Ubuntu Xenial):
status: New → Fix Released
Changed in apache2 (Ubuntu Bionic):
status: New → Fix Released
Changed in apache2 (Ubuntu Disco):
status: New → Fix Released
Revision history for this message
Horst Platz (hp-localhorst) wrote :

hi Christian,

thx for the info, and please let me know if there is a possible solution for the future releases.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

I will if I hear something, but I'll leave that task mostly to Steve, who said that he wanted to keep an eye on it (for potentially backporting the hardening once we know how to handle the regression).

Changed in apache2 (Debian):
status: Unknown → New
Changed in apache2 (Debian):
status: New → Fix Committed
Changed in apache2 (Debian):
status: Fix Committed → Fix Released
Revision history for this message
In , tititou (christophe-jaillet) wrote :

This has been backported in 2.4.x branch in r1865966

This is part of 2.4.42.

Not sure that comments in comment #2 and below are related.
If needed, please open a new bug report for it.

Changed in apache2:
status: Confirmed → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

Looks like this is still open for Groovy, but will be resolved when we merge 2.4.42.

tags: removed: server-next
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To close this out, fixed in Groovy
 apache2 | 2.4.46-1ubuntu1 | groovy | source, amd64, arm64, armhf, i386, ppc64el, riscv64, s390x

Changed in apache2 (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Paride Legovini (paride) wrote :

Likely related (or even duplicate): LP: #1939678.
