Bug 1187043 - (CVE-2019-17567) VUL-0: CVE-2019-17567: apache2: mod_proxy_wstunnel tunneling of non Upgraded connection
(CVE-2019-17567)
VUL-0: CVE-2019-17567: apache2: mod_proxy_wstunnel tunneling of non Upgraded ...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: David Anes
Security Team bot
https://smash.suse.de/issue/301369/
CVSSv3.1:SUSE:CVE-2019-17567:4.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-06-08 12:25 UTC by Gianluca Gabrielli
Modified: 2022-06-15 08:00 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
gabriele.sonnu: needinfo? (david.anes)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-06-08 12:25:38 UTC
mod_proxy_wstunnel tunneling of non Upgraded connection in Apache httpd before 2.4.48.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1966740
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17567
Comment 1 Gianluca Gabrielli 2021-06-08 12:28:10 UTC
I'm not 100% confident of my code analysis (below), hence a double-check from the maintainer is required. 

Affected packages:
 - SUSE:SLE-12-SP2:Update/apache2  2.4.23
 - SUSE:SLE-15-SP2:Update/apache2  2.4.43
 - SUSE:SLE-15:Update/apache2      2.4.33

Upstream patch [0][1].

[0] https://github.com/apache/httpd/pull/158/commits/874482779cac904264cd1b1ff49c9c657c66aa52.patch
[1] https://github.com/apache/httpd/pull/158/commits/70eff2d8e622027673ec44269a98ecdfee06ab3f.patch
Comment 9 Gianluca Gabrielli 2021-09-23 10:26:34 UTC
Hi Petr, is there any update for this?
Comment 10 Petr Gajdos 2021-09-23 10:47:32 UTC
(In reply to Gianluca Gabrielli from comment #9)
> Hi Petr, is there any update for this?

Nope, as far as I can see.
Comment 12 Petr Gajdos 2021-11-03 15:57:17 UTC
12sp5 has 2.4.51 now.
Comment 13 Gianluca Gabrielli 2021-11-09 12:49:11 UTC
Thanks Petr for the update, the current status is:
 - SUSE:SLE-11-SP1:Update/apache2  2.2.34
 - SUSE:SLE-12-SP2:Update/apache2  2.4.23
 - SUSE:SLE-12-SP5:Update/apache2  2.4.51
 - SUSE:SLE-15-SP2:Update/apache2  2.4.43
 - SUSE:SLE-15:Update/apache2      2.4.33
 - openSUSE:Factory/apache2        2.4.51

This might introduce a downgrade issue for customers who upgrade from SLE-12-SP5 to SLE-15-SP2. I think the same version bump should be done in SLE-15-SP2 as well, can you please share the link to the ECO approved request related to the SLE-12-SP5 version bump? Thanks
Comment 14 Marcus Meissner 2021-11-09 13:16:51 UTC
https://jira.suse.com/projects/PM/issues/PM-3153 created for updating SLE15 sp2 and sp3.
Comment 15 Petr Gajdos 2022-01-04 11:12:21 UTC
Reassigning to the new maintainer.

(In reply to Gianluca Gabrielli from comment #13)
> Thanks Petr for the update, the current status is:
>  - SUSE:SLE-11-SP1:Update/apache2  2.2.34
>  - SUSE:SLE-12-SP2:Update/apache2  2.4.23
>  - SUSE:SLE-12-SP5:Update/apache2  2.4.51
>  - SUSE:SLE-15-SP2:Update/apache2  2.4.43
>  - SUSE:SLE-15:Update/apache2      2.4.33
>  - openSUSE:Factory/apache2        2.4.51

Updated table:

- SUSE:SLE-11-SP1:Update/apache2  2.2.34
- SUSE:SLE-12-SP2:Update/apache2  2.4.23
- SUSE:SLE-12-SP5:Update/apache2  2.4.51
- SUSE:SLE-15-SP2:Update/apache2  2.4.51
- SUSE:SLE-15:Update/apache2      2.4.33
- openSUSE:Factory/apache2        2.4.52

15/apache2, 12sp2/apache2 and 11sp1/apache2 are still missing the fix (or a proof that it is not affected).