Bugzilla – Bug 1200348
VUL-0: CVE-2022-31813: apache2: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
Last modified: 2022-09-06 14:42:00 UTC
CVE-2022-31813

Posted by Stefan Eissing on Jun 08
Severity: low

Description:
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application.

Credit:
The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31813
https://seclists.org/oss-sec/2022/q2/186
Upstream commit: https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305

Again, every codestream should be affected:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP5:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP4:Update
SUSE-SU-2022:2099-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): apache2-2.4.23-29.91.1
SUSE OpenStack Cloud Crowbar 8 (src): apache2-2.4.23-29.91.1
SUSE OpenStack Cloud 9 (src): apache2-2.4.23-29.91.1
SUSE OpenStack Cloud 8 (src): apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.91.1
HPE Helion Openstack 8 (src): apache2-2.4.23-29.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2101-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): apache2-2.4.51-35.19.1
SUSE Linux Enterprise Server 12-SP5 (src): apache2-2.4.51-35.19.1
SUSE-SU-2022:2302-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1198913,1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): apache2-2.4.51-150400.6.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): apache2-2.4.51-150400.6.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): apache2-2.4.51-150400.6.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): apache2-2.4.51-150400.6.3.1
SUSE-SU-2022:2338-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References:
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-150000.3.69.1
SUSE Enterprise Storage 6 (src): apache2-2.4.33-150000.3.69.1
SUSE CaaS Platform 4.0 (src): apache2-2.4.33-150000.3.69.1
SUSE-SU-2022:2342-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): apache2-2.4.51-150200.3.48.1
SUSE Manager Server 4.1 (src): apache2-2.4.51-150200.3.48.1
SUSE Manager Retail Branch Server 4.1 (src): apache2-2.4.51-150200.3.48.1
SUSE Manager Proxy 4.1 (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): apache2-2.4.51-150200.3.48.1
SUSE Enterprise Storage 7 (src): apache2-2.4.51-150200.3.48.1
There was a blog post [0] published by the security researcher.

So basically, when used with mod_proxy, httpd drops the hop-by-hop headers listed in the "Connection" headers, just after having set them.

For SUSE:SLE-11-SP1:Update, this is in modules/proxy/mod_proxy_http.c:

    if (PROXYREQ_REVERSE == r->proxyreq) {
        const char *buf;

        /* Add X-Forwarded-For: so that the upstream has a chance to
         * determine, where the original request came from.
         */
        apr_table_mergen(r->headers_in, "X-Forwarded-For",
                         c->remote_ip);

        /* Add X-Forwarded-Host: so that upstream knows what the
         * original request hostname was.
         */
        if ((buf = apr_table_get(r->headers_in, "Host"))) {
            apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
        }

        /* Add X-Forwarded-Server: so that upstream knows what the
         * name of this proxy server is (if there are more than one)
         * XXX: This duplicates Via: - do we strictly need it?
         */
        apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                         r->server->server_hostname);
    }

    proxy_run_fixups(r);
    /*
     * Make a copy of the headers_in table before clearing the connection
     * headers as we need the connection headers later in the http output
     * filter to prepare the correct response headers.
     *
     * Note: We need to take r->pool for apr_table_copy as the key / value
     * pairs in r->headers_in have been created out of r->pool and
     * p might be (and actually is) a longer living pool.
     * This would trigger the bad pool ancestry abort in apr_table_copy if
     * apr is compiled with APR_POOL_DEBUG.
     */
    headers_in_copy = apr_table_copy(r->pool, r->headers_in);
    ap_proxy_clear_connection(p, headers_in_copy);

ap_proxy_clear_connection removes the h-b-h X-Forwarded-* headers by calling:

    apr_table_do(clear_conn_headers, &x, headers, "Connection", NULL);

which then removes the headers.
The researcher mentioned that the issue was introduced in v2.2.1, and we ship v2.2.34 in SUSE:SLE-11-SP1:Update, so SUSE:SLE-11-SP1:Update is affected. [0] https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-is-hard.html
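The ordering defect described in the comment above, modelled in Python as an added example (this is not code from httpd, from the SUSE package or from this bug). It reproduces the two steps quoted from mod_proxy_http.c, first merging X-Forwarded-* into the request and then dropping every header the client named in its Connection header, next to the opposite order (strip first, then add), which is the order I assume the fix applies. The hop-by-hop clearing is simplified to "Connection plus the headers it names" (the static RFC hop-by-hop list is left out), the origin-side allowlist and its fallback to the TCP peer address when X-Forwarded-For is missing are assumptions about the origin, and all addresses and requests are constructed.

```python
"""Model of the mod_proxy header ordering behind CVE-2022-31813.

Added example, not code from httpd, from the SUSE package or from this bug.
It mirrors the two steps quoted from mod_proxy_http.c above: the reverse
proxy first merges X-Forwarded-* into the request, then
ap_proxy_clear_connection() drops every header the *client* named in its
Connection header. The "fixed" variant performs the steps in the opposite
order. Assumptions: hop-by-hop clearing is simplified to "Connection plus the
headers it names" (the static RFC list is omitted), and the origin falls back
to the TCP peer address (the proxy) when X-Forwarded-For is absent.
"""
from typing import List, Set, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value); names compared case-insensitively


def get(headers: Headers, name: str) -> List[str]:
    """All values for a header name, in order."""
    return [v for n, v in headers if n.lower() == name.lower()]


def merge(headers: Headers, name: str, value: str) -> Headers:
    """Mimic apr_table_mergen(): append ', value' to an existing header, else add it."""
    out: Headers = []
    merged = False
    for n, v in headers:
        if not merged and n.lower() == name.lower():
            out.append((n, f"{v}, {value}"))
            merged = True
        else:
            out.append((n, v))
    if not merged:
        out.append((name, value))
    return out


def connection_tokens(headers: Headers) -> Set[str]:
    """Header names the client declared hop-by-hop via Connection, lower-cased."""
    tokens: Set[str] = set()
    for value in get(headers, "Connection"):
        tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def clear_connection(headers: Headers) -> Headers:
    """Simplified ap_proxy_clear_connection(): drop Connection and everything it names."""
    drop = connection_tokens(headers) | {"connection"}
    return [(n, v) for n, v in headers if n.lower() not in drop]


def add_forwarded(headers: Headers, client_ip: str, proxy_name: str) -> Headers:
    """The X-Forwarded-* block quoted from mod_proxy_http.c (reverse proxy case)."""
    headers = merge(headers, "X-Forwarded-For", client_ip)
    host = get(headers, "Host")
    if host:
        headers = merge(headers, "X-Forwarded-Host", host[0])
    return merge(headers, "X-Forwarded-Server", proxy_name)


def vulnerable_proxy(headers: Headers, client_ip: str, proxy_name: str) -> Headers:
    """httpd <= 2.4.53 order: add X-Forwarded-*, then clear hop-by-hop headers."""
    return clear_connection(add_forwarded(headers, client_ip, proxy_name))


def fixed_proxy(headers: Headers, client_ip: str, proxy_name: str) -> Headers:
    """Assumed fixed order: clear hop-by-hop headers first, then add X-Forwarded-*."""
    return add_forwarded(clear_connection(headers), client_ip, proxy_name)


def origin_allows(headers: Headers, peer_ip: str, allowlist: Set[str]) -> bool:
    """Naive IP allowlist on the origin: trust the first X-Forwarded-For entry and
    fall back to the TCP peer (the proxy itself) when the header is missing.
    That fallback (an assumption about the origin) is what turns the header
    drop into the IP-based authentication bypass named in the advisory."""
    xff = get(headers, "X-Forwarded-For")
    client = xff[0].split(",")[0].strip() if xff else peer_ip
    return client in allowlist


# Constructed inputs (not taken from any real deployment).
ATTACKER_IP = "203.0.113.7"            # not on the allowlist
PROXY_IP = "127.0.0.1"                 # what the origin sees as its TCP peer
ALLOWLIST = {"127.0.0.1", "10.0.0.5"}  # origin trusts localhost and one internal host
EVIL_REQUEST: Headers = [
    ("Host", "localhost:60080"),
    ("Connection", "close, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server"),
]
PLAIN_REQUEST: Headers = [("Host", "localhost:60080"), ("Connection", "Keep-Alive")]

if __name__ == "__main__":
    for label, proxy in (("vulnerable", vulnerable_proxy), ("fixed", fixed_proxy)):
        out = proxy(EVIL_REQUEST, ATTACKER_IP, "test")
        print(label, get(out, "X-Forwarded-For"), "allowed:", origin_allows(out, PROXY_IP, ALLOWLIST))
```

With the vulnerable order the attacker's request reaches the origin with no X-Forwarded-For at all, so an origin that falls back to the peer address sees the proxy's own IP; with the strip-then-add order the client can name X-Forwarded-For in Connection as often as it likes and the proxy still appends its own, authoritative value afterwards.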
Could you please submit to SUSE:SLE-11-SP1 David? ;)
I can somewhat reproduce for 11sp1/apache2 with https://github.com/pgajdos/apache-rex/tree/master/mod_proxy-basic example as a base (just dumpio utilized):

curl http://localhost:60080/vh2/

[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): GET / HTTP/1.1\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 23 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Host: localhost:60082\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 102 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 13 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Accept: */*\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 22 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-For: ::1\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 35 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Host: localhost:60080\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 26 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Server: test\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 24 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Connection: Keep-Alive\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 2 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): \r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [eatcrlf-nonblocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(127): mod_dumpio: dumpio_in - 11
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:11:30 2022] [debug] proxy_util.c(1898): proxy: worker http://localhost:60081/ already initialized
[Mon Sep 05 12:11:30 2022] [debug] proxy_util.c(1898): proxy: worker http://localhost:60082/ already initialized
[Mon Sep 05 12:11:35 2022] [debug] mod_dumpio.c(127): mod_dumpio: dumpio_in - 70007

curl -H "Connection: close, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Server" http://localhost:60080/vh2/

[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 16 bytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): GET / HTTP/1.1\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 23 bytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Host: localhost:60082\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 102 bytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): User-Agent: curl/7.19.7 (x86_64-suse-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8j zlib/1.2.7 libidn/1.10\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 13 bytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Accept: */*\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 24 bytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Connection: Keep-Alive\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 2 bytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): \r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [eatcrlf-nonblocking] 0 readbytes
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(127): mod_dumpio: dumpio_in - 11
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(113): mod_dumpio: dumpio_in [getline-blocking] 0 readbytes
[Mon Sep 05 12:13:08 2022] [debug] mod_dumpio.c(127): mod_dumpio: dumpio_in - 70007
The code is +- duplicated in our 11sp1/apache2, in mod_proxy_wstunnel.c and in mod_proxy_http.c.

I made an example for that: https://github.com/pgajdos/apache-rex/tree/master/mod_proxy-hop-by-hop-headers

BEFORE

[1] reverse proxy, Connection: without hop-by-hop headers
[Tue Sep 06 11:15:38 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-For: ::1\r\n
[Tue Sep 06 11:15:38 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Host: localhost:60080\r\n
[Tue Sep 06 11:15:38 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Server: test\r\n

[2] reverse proxy, Connection: with hop-by-hop headers
Example FAILED (subexample #2):

AFTER

[1] reverse proxy, Connection: without hop-by-hop headers
[Tue Sep 06 10:55:22 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-For: ::1\r\n
[Tue Sep 06 10:55:22 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Host: localhost:60080\r\n
[Tue Sep 06 10:55:22 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Server: test\r\n

[2] reverse proxy, Connection: with hop-by-hop headers
[Tue Sep 06 10:55:22 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-For: ::1\r\n
[Tue Sep 06 10:55:22 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Host: localhost:60080\r\n
[Tue Sep 06 10:55:22 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-Server: test\r\n
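A checker over mod_dumpio output of the kind used in the reproduction runs above, as an added example (not code from this bug, from httpd or from the apache-rex repository): it regroups the `dumpio_in (data-HEAP)` entries into the requests the origin actually received and reports, per request, whether X-Forwarded-For survived the hop-by-hop clearing. The function names are mine and the sample log is constructed in the same format as the runs above; in the field you would feed it the origin's error_log with mod_dumpio enabled.

```python
"""Checker for mod_dumpio output: did X-Forwarded-For reach the origin?

Added example, not code from this bug, from httpd or from the apache-rex
repository. It reconstructs each request the origin received from the
'dumpio_in (data-HEAP)' lines mod_dumpio logs (one header line per entry,
CR LF escaped as a literal \\r\\n) and reports, per request, whether
X-Forwarded-For survived the hop-by-hop clearing. SAMPLE_LOG is constructed
in the same format as the reproduction runs in this bug.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

DUMP_LINE = re.compile(r"mod_dumpio: dumpio_in \(data-HEAP\): (?P<payload>.*)$")
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


@dataclass
class DumpedRequest:
    request_line: str
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased names


def dumpio_requests(log_text: str) -> List[DumpedRequest]:
    """Group dumpio_in payload lines into requests; byte-count entries are ignored."""
    requests: List[DumpedRequest] = []
    current = None
    for line in log_text.splitlines():
        m = DUMP_LINE.search(line)
        if not m:
            continue
        payload = m.group("payload")
        if payload.endswith("\\r\\n"):      # mod_dumpio writes the CR LF escaped
            payload = payload[:-4]
        if REQUEST_LINE.match(payload):
            current = DumpedRequest(payload)
            requests.append(current)
        elif payload == "":                # blank line closes the header block
            current = None
        elif current is not None and ":" in payload:
            name, value = payload.split(":", 1)
            current.headers[name.strip().lower()] = value.strip()
        # anything else ("23 bytes" entries, body data) is not a header line
    return requests


def forwarded_for_dropped(log_text: str) -> List[bool]:
    """Per request in log order: True when no X-Forwarded-For reached the origin."""
    return ["x-forwarded-for" not in r.headers for r in dumpio_requests(log_text)]


# Constructed sample: first request with X-Forwarded-For present, second without.
SAMPLE_LOG = r"""
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): GET / HTTP/1.1\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(55): mod_dumpio: dumpio_in (data-HEAP): 23 bytes
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Host: localhost:60082\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): X-Forwarded-For: ::1\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Connection: Keep-Alive\r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): \r\n
[Mon Sep 05 12:11:30 2022] [debug] mod_dumpio.c(127): mod_dumpio: dumpio_in - 11
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): GET / HTTP/1.1\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Host: localhost:60082\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): Connection: Keep-Alive\r\n
[Mon Sep 05 12:13:03 2022] [debug] mod_dumpio.c(74): mod_dumpio: dumpio_in (data-HEAP): \r\n
"""

if __name__ == "__main__":
    for req, dropped in zip(dumpio_requests(SAMPLE_LOG), forwarded_for_dropped(SAMPLE_LOG)):
        print(req.request_line, "X-Forwarded-For dropped:", dropped)
```

The second request in the sample is what the origin sees in the "BEFORE" run with hop-by-hop headers in Connection: the Connection value the origin receives is the proxy's own Keep-Alive, so nothing in the origin log hints that the client asked for X-Forwarded-For to be stripped; only the absence of the header shows it.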
Package 11sp1/apache2 submitted.