Bug 938728 (CVE-2015-3183)

Summary: VUL-0: CVE-2015-3183: apache2: chunk header parsing defect
Product: [Novell Products] SUSE Security Incidents    Reporter: Johannes Segitz <jsegitz>
Component: Incidents    Assignee: E-mail List <apache-bugs>
Status: RESOLVED FIXED    QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium    CC: astieger, gregory.brown, jechristensen, krahmer, kstreitova, maint-coord, meissner, pgajdos, rich.brunt, rolf, security-team, smash_bz, tchvatal
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/119034/
Whiteboard: CVSSv2:RedHat:CVE-2015-3183:2.6:(AV:N/AC:H/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-3183:5.0:(AV:N/AC:L/Au:N/C:N/I:P/A:N) maint:released:sle10-sp3:62288
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Deadline: 2015-08-07   

Description Johannes Segitz 2015-07-20 11:24:26 UTC
rh#1243887

SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]

Fixes:
http://svn.apache.org/viewvc?view=revision&revision=1684515
http://svn.apache.org/viewvc?view=revision&revision=1687338 (2.2.x)
http://svn.apache.org/viewvc?view=revision&revision=1687339 (2.2.x)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1243887
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3183
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3183.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
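The two parsing rules the fix description calls out, capping chunk-size at 2^63-1 with an overflow check and accepting only authorized characters in chunk-ext, as an added C example that is not httpd's own code. The function names, return codes and the sample header lines and body are constructed for this illustration; the grammar enforced is the strict RFC 7230 form (chunk-size, then ";" token ["=" token / quoted-string], then CRLF) with no tolerance for bare whitespace. The decoder at the end reassembles a well-formed chunked reply of the kind a proxied backend sends, which is the case the later regression report on this bug is about: a parser that is strict on the header must still decode a valid body to its full length, not to zero.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical strict chunk-header parser (added example, not httpd code). */
enum chunk_rc {
    CHUNK_OK = 0,
    CHUNK_NEED_MORE = 1,  /* header line not terminated by CRLF yet */
    CHUNK_BAD_SIZE = 2,   /* no hex digit, or value above 2^63-1 */
    CHUNK_BAD_EXT = 3     /* illegal byte in chunk-ext or before CRLF */
};

static int is_tchar(unsigned char c)
{   /* RFC 7230 token characters */
    return c != 0 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

static unsigned hexval(unsigned char c)
{
    return isdigit(c) ? (unsigned)(c - '0') : (unsigned)(tolower(c) - 'a' + 10);
}

/* Parse one "chunk-size [chunk-ext] CRLF" line from buf[0..len).
 * On CHUNK_OK, *size is the chunk size and *consumed the line length incl. CRLF. */
enum chunk_rc parse_chunk_header(const char *buf, size_t len,
                                 uint64_t *size, size_t *consumed)
{
    const uint64_t limit = UINT64_C(0x7FFFFFFFFFFFFFFF); /* 2^63-1, as in the fix */
    size_t i = 0, start;
    uint64_t n = 0;

    /* chunk-size: 1*HEXDIG, overflow-checked before every shift */
    while (i < len && isxdigit((unsigned char)buf[i])) {
        unsigned d = hexval((unsigned char)buf[i]);
        if (n > (limit - d) / 16) return CHUNK_BAD_SIZE; /* n*16+d > limit */
        n = n * 16 + d;
        i++;
    }
    if (i == 0) return len == 0 ? CHUNK_NEED_MORE : CHUNK_BAD_SIZE;

    /* chunk-ext: ";" token [ "=" ( token / quoted-string ) ], nothing else */
    while (i < len && buf[i] == ';') {
        for (start = ++i; i < len && is_tchar((unsigned char)buf[i]); i++) {}
        if (i == len) return CHUNK_NEED_MORE;
        if (i == start) return CHUNK_BAD_EXT;        /* empty chunk-ext-name */
        if (buf[i] != '=') continue;
        if (++i == len) return CHUNK_NEED_MORE;
        if (buf[i] == '"') {                          /* quoted-string value */
            for (i++; i < len && buf[i] != '"'; i++) {
                if (buf[i] == '\\') i++;              /* quoted-pair */
                if (i < len) {
                    unsigned char c = (unsigned char)buf[i];
                    if ((c < 0x20 && c != '\t') || c == 0x7f) return CHUNK_BAD_EXT;
                }
            }
            if (i >= len) return CHUNK_NEED_MORE;
            i++;                                      /* closing quote */
        } else {
            for (start = i; i < len && is_tchar((unsigned char)buf[i]); i++) {}
            if (i == start) return CHUNK_BAD_EXT;     /* empty chunk-ext-val */
        }
    }
    if (len - i < 2) return CHUNK_NEED_MORE;
    if (buf[i] != '\r' || buf[i + 1] != '\n') return CHUNK_BAD_EXT;
    *size = n;
    *consumed = i + 2;
    return CHUNK_OK;
}

/* Decode a complete chunked body into out; returns decoded length or -1. */
long decode_chunked(const char *in, size_t len, char *out, size_t outcap)
{
    size_t pos = 0, outlen = 0, used;
    uint64_t size;

    for (;;) {
        if (parse_chunk_header(in + pos, len - pos, &size, &used) != CHUNK_OK) return -1;
        pos += used;
        if (size == 0) break;
        if (size + 2 > len - pos || size > outcap - outlen) return -1; /* truncated */
        memcpy(out + outlen, in + pos, (size_t)size);
        outlen += (size_t)size;
        pos += (size_t)size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;
        pos += 2;
    }
    while (len - pos >= 2) {              /* trailer section up to the empty line */
        if (in[pos] == '\r' && in[pos + 1] == '\n') return (long)outlen;
        while (len - pos >= 2 && !(in[pos] == '\r' && in[pos + 1] == '\n')) pos++;
        if (len - pos < 2) return -1;
        pos += 2;
    }
    return -1;
}

/* Wrappers over NUL-terminated strings: chunk size, or -rc when rejected. */
long long header_size(const char *line)
{
    uint64_t size; size_t used;
    enum chunk_rc rc = parse_chunk_header(line, strlen(line), &size, &used);
    return rc == CHUNK_OK ? (long long)size : -(long long)rc;
}

int decodes_to(const char *chunked, const char *expected)
{
    char out[256];
    long n = decode_chunked(chunked, strlen(chunked), out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

int main(void)
{   /* constructed backend reply body, as a proxied application server might send it */
    const char *body = "4\r\nWiki\r\n5\r\npedia\r\nE\r\n in\r\n\r\nchunks.\r\n0\r\n\r\n";
    printf("5;ext=val       -> %lld\n", header_size("5;ext=val\r\n"));
    printf("2^63-1          -> %lld\n", header_size("7FFFFFFFFFFFFFFF\r\n"));
    printf("2^63 (rejected) -> %lld\n", header_size("8000000000000000\r\n"));
    printf("bad ext         -> %lld\n", header_size("5;bad ext\r\n"));
    printf("backend body decodes in full: %s\n",
           decodes_to(body, "Wikipedia in\r\n\r\nchunks.") ? "yes" : "no");
    return 0;
}
```

The overflow test `n > (limit - d) / 16` is evaluated before the multiply, so a 17-digit or otherwise oversized chunk-size is refused without ever wrapping the accumulator; the chunk-ext loop rejects the first byte that is not a token character, '=', or a quoted-string character, which is the "strict about chunk-ext authorized characters" behaviour the fix description names.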
Comment 2 Swamp Workflow Management 2015-07-20 22:00:35 UTC
bugbot adjusting priority
Comment 3 Swamp Workflow Management 2015-07-24 12:08:40 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-08-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62232
Comment 4 Petr Gajdos 2015-07-27 12:05:13 UTC
Please review and accept rq#63430 first.
Comment 5 Marcus Meissner 2015-07-27 12:10:21 UTC
review opened by autobuild, but I prepared incident 863
Comment 6 Petr Gajdos 2015-07-27 12:39:23 UTC
@Marcus: also I would like to add all apache2 modules to this update with the change described in bug 915666 comment 11.
Comment 7 Kristyna Streitova 2015-08-07 14:54:08 UTC
SLE12 fix submitted. See mr#64852 (https://build.suse.de/request/show/64852)
Comment 9 Petr Gajdos 2015-08-13 07:40:53 UTC
What redhat thinks about this CVE:

https://bugzilla.redhat.com/show_bug.cgi?id=1243887#c5
Comment 10 Petr Gajdos 2015-08-13 08:38:29 UTC
How is that connected to CVE-2013-5704?
Comment 13 Andreas Stieger 2015-08-14 07:39:50 UTC
(In reply to Petr Gajdos from comment #10)
> How is that connected to CVE-2013-5704?

The attack mechanics seem to be similar, but the flaw is different.
Comment 15 Petr Gajdos 2015-08-14 07:57:52 UTC
(In reply to Andreas Stieger from comment #13)
> (In reply to Petr Gajdos from comment #10)
> > How is that connected to CVE-2013-5704?
> 
> The attack mechanics seem to be similar, but the flaw is different.

I mean is CVE-2015-3183 implied by fix for CVE-2013-5704 or it is just independent?
Comment 18 Andreas Stieger 2015-08-25 16:02:33 UTC
(In reply to Petr Gajdos from comment #15)
> (In reply to Andreas Stieger from comment #13)
> > (In reply to Petr Gajdos from comment #10)
> > > How is that connected to CVE-2013-5704?
> > 
> > The attack mechanics seem to be similar, but the flaw is different.
> 
> I mean is CVE-2015-3183 implied by fix for CVE-2013-5704 or it is just
> independent?

CVE-2015-3183 is a new, different problem, on top of CVE-2013-5704 (also modifying read_chunked_trailer)
Comment 26 Bernhard Wiedemann 2015-09-23 14:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (938728) was mentioned in
https://build.opensuse.org/request/show/333177 13.2+13.1 / apache2
Comment 27 Kristyna Streitova 2015-09-23 14:06:55 UTC
(In reply to Petr Gajdos from comment #25)
> Created attachment 648551 [details]
> attempted patch for 13.1
> 
> Kristyna, could you take over for openSUSE?
> 
> Thank you!

Thank you for the patch. Submitted to openSUSE 13.1 & 13.2: https://build.opensuse.org/request/show/333177

We are done here. Reassigning to security-team.
Comment 36 Swamp Workflow Management 2015-10-06 07:10:07 UTC
openSUSE-SU-2015:1684-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 931723,938723,938728
CVE References: CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
openSUSE 13.2 (src):    apache2-2.4.10-28.1
openSUSE 13.1 (src):    apache2-2.4.6-6.50.1
Comment 37 Rolf Krahl 2015-10-08 14:31:32 UTC
This fix broke one of our servers (openSUSE 13.1) after the patch got installed yesterday.

The server serves as a reverse proxy to an internal GlassFish application server using mod_proxy and mod_proxy_http.  The configuration (somewhat simplified) looks like:

  <VirtualHost _default_:443>
    # standard SSL configuration ...
    SSLProxyEngine on
    <Location /some-service/>
        ProxyPass https://appserv.example.com:8181/some-service/
        Require ip 192.0.2.0/24
    </Location>
    <Location /other-service/>
        ProxyPass https://appserv.example.com:8181/other-service/
        Require all granted
    </Location>
    ProxyPassReverse / https://appserv.example.com:8181/
  </VirtualHost>

After applying patch openSUSE-2015-635, proxying stopped working: if the internal server replies with chunked transfer encoding, the Apache proxy truncates this reply to zero (but still sends this empty reply to the client with a 200 HTTP status code).
Comment 38 Petr Gajdos 2015-10-08 14:35:06 UTC
Rolf thank you, but we know this already, see bug 949218.
Comment 39 Rolf Krahl 2015-10-08 18:13:43 UTC
Thanks for the hint Petr!  Indeed, the RPMs that you provided in bug 949218, comment 5 also fix the problem in my case.  This confirms that this was also caused by the httpd-2.4.6-chunk_header_parsing_defect.patch.
Comment 40 Petr Gajdos 2015-10-09 05:34:49 UTC
Reassigning to bnc-team-apache because of wrong fix for openSUSE:13.1.
Comment 45 Swamp Workflow Management 2015-10-30 16:12:36 UTC
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src):    apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src):    apache2-mod_fastcgi-2.4.7-3.4.1
Comment 46 Swamp Workflow Management 2015-11-02 16:01:46 UTC
SUSE-SU-2015:1885-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 444878,931002,938728,941676
CVE References: CVE-2015-3183
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP4 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP3 (src):    apache2-2.2.12-59.1
Comment 47 Swamp Workflow Management 2015-11-02 16:34:15 UTC
SUSE-SU-2015:1885-2: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 444878,931002,938728,941676
CVE References: CVE-2015-3183
Sources used:
SUSE Studio Onsite 1.3 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP4 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Server 11-SP3 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    apache2-2.2.12-59.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    apache2-2.2.12-59.1
Comment 48 Petr Gajdos 2016-01-28 15:36:21 UTC
13.1 is EOL now.