Bug 1200348 - (CVE-2022-31813) VUL-0: CVE-2022-31813: apache2: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: David Anes
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/333897/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-31813:5.9:(AV:...
Depends on:
Blocks:
Reported: 2022-06-08 15:01 UTC by Thomas Leroy
Modified: 2022-07-29 14:38 UTC (History)
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-06-08 15:01:35 UTC
CVE-2022-31813

Posted by Stefan Eissing on Jun 08
Severity: low

Description:

Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin server/application.

Credit:

The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31813
https://seclists.org/oss-sec/2022/q2/186
Comment 1 Thomas Leroy 2022-06-08 17:13:17 UTC
Upstream commit:
https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305

Again, every codestream should be affected:
- SUSE:SLE-11-SP1:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-12-SP5:Update 
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP2:Update 
- SUSE:SLE-15-SP4:Update
Comment 9 Swamp Workflow Management 2022-06-16 16:17:01 UTC
SUSE-SU-2022:2099-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    apache2-2.4.23-29.91.1
SUSE OpenStack Cloud Crowbar 8 (src):    apache2-2.4.23-29.91.1
SUSE OpenStack Cloud 9 (src):    apache2-2.4.23-29.91.1
SUSE OpenStack Cloud 8 (src):    apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    apache2-2.4.23-29.91.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    apache2-2.4.23-29.91.1
HPE Helion Openstack 8 (src):    apache2-2.4.23-29.91.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-06-16 16:18:08 UTC
SUSE-SU-2022:2101-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    apache2-2.4.51-35.19.1
SUSE Linux Enterprise Server 12-SP5 (src):    apache2-2.4.51-35.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-07-06 16:24:37 UTC
SUSE-SU-2022:2302-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1198913,1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    apache2-2.4.51-150400.6.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    apache2-2.4.51-150400.6.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src):    apache2-2.4.51-150400.6.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    apache2-2.4.51-150400.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-07-08 19:18:17 UTC
SUSE-SU-2022:2338-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server for SAP 15 (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise Server 15-LTSS (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    apache2-2.4.33-150000.3.69.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    apache2-2.4.33-150000.3.69.1
SUSE Enterprise Storage 6 (src):    apache2-2.4.33-150000.3.69.1
SUSE CaaS Platform 4.0 (src):    apache2-2.4.33-150000.3.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2022-07-08 19:19:40 UTC
SUSE-SU-2022:2342-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352
CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    apache2-2.4.51-150200.3.48.1
SUSE Manager Server 4.1 (src):    apache2-2.4.51-150200.3.48.1
SUSE Manager Retail Branch Server 4.1 (src):    apache2-2.4.51-150200.3.48.1
SUSE Manager Proxy 4.1 (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    apache2-2.4.51-150200.3.48.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    apache2-2.4.51-150200.3.48.1
SUSE Enterprise Storage 7 (src):    apache2-2.4.51-150200.3.48.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Thomas Leroy 2022-07-29 14:38:39 UTC
There was a blog post [0] published by the security researcher.

So basically, when used with mod_proxy, httpd drops the hop-by-hop headers listed in the "Connection" header, just after having set them.
For SUSE:SLE-11-SP1:Update, this is in modules/proxy/mod_proxy_http.c:

    /* modules/proxy/mod_proxy_http.c, lines 830-867 */
    if (PROXYREQ_REVERSE == r->proxyreq) {
        const char *buf;

        /* Add X-Forwarded-For: so that the upstream has a chance to
         * determine, where the original request came from.
         */
        apr_table_mergen(r->headers_in, "X-Forwarded-For",
                         c->remote_ip);

        /* Add X-Forwarded-Host: so that upstream knows what the
         * original request hostname was.
         */
        if ((buf = apr_table_get(r->headers_in, "Host"))) {
            apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
        }

        /* Add X-Forwarded-Server: so that upstream knows what the
         * name of this proxy server is (if there are more than one)
         * XXX: This duplicates Via: - do we strictly need it?
         */
        apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                         r->server->server_hostname);
    }

    proxy_run_fixups(r);
    /*
     * Make a copy of the headers_in table before clearing the connection
     * headers as we need the connection headers later in the http output
     * filter to prepare the correct response headers.
     *
     * Note: We need to take r->pool for apr_table_copy as the key / value
     * pairs in r->headers_in have been created out of r->pool and
     * p might be (and actually is) a longer living pool.
     * This would trigger the bad pool ancestry abort in apr_table_copy if
     * apr is compiled with APR_POOL_DEBUG.
     */
    headers_in_copy = apr_table_copy(r->pool, r->headers_in);
    ap_proxy_clear_connection(p, headers_in_copy);

ap_proxy_clear_connection removes the h-b-h X-Forwarded-* headers by calling:

apr_table_do(clear_conn_headers, &x, headers, "Connection", NULL);

then removes the headers.

The researcher mentioned that the issue was introduced in v2.2.1, and we ship v2.2.34 in SUSE:SLE-11-SP1:Update, so SUSE:SLE-11-SP1:Update is affected.

[0] https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-is-hard.html
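The ordering problem described in the advisory and in comment 14 (X-Forwarded-* merged into headers_in first, hop-by-hop headers named in the client's Connection header cleared afterwards) can be modelled without httpd. The following is an added example, not code from httpd or from this bug: it re-implements the two steps over a plain dict, runs them in the vulnerable order and in a reordered variant, and adds the origin-side check a defender wants, namely failing closed when a request from a trusted proxy arrives without X-Forwarded-For instead of falling back to the proxy's own address. The "fixed" ordering (clear hop-by-hop headers, then add X-Forwarded-*) is this example's own assumption of the obvious reordering, not a claim about the exact upstream commit; merge_header, clear_connection_headers, proxy_request_* and origin_client_ip are names invented here, and the sample requests are constructed.

```python
"""Model of the CVE-2022-31813 header-ordering bug (constructed example, not httpd code)."""
from typing import Dict, Iterable, List, Optional

Headers = Dict[str, str]  # header name (lower-cased) -> value


def merge_header(headers: Headers, name: str, value: str) -> None:
    """Mimic apr_table_mergen(): append to an existing value with ', '."""
    key = name.lower()
    headers[key] = f"{headers[key]}, {value}" if key in headers else value


def add_forwarded_headers(headers: Headers, client_ip: str, proxy_name: str) -> None:
    """Model of the X-Forwarded-* block in mod_proxy_http.c quoted above."""
    merge_header(headers, "X-Forwarded-For", client_ip)
    if "host" in headers:
        merge_header(headers, "X-Forwarded-Host", headers["host"])
    merge_header(headers, "X-Forwarded-Server", proxy_name)


def clear_connection_headers(headers: Headers) -> List[str]:
    """Model of ap_proxy_clear_connection(): drop every header the client's
    Connection header names as hop-by-hop, then Connection itself.
    Returns the names dropped so a caller can log them."""
    dropped: List[str] = []
    for token in headers.get("connection", "").split(","):
        name = token.strip().lower()
        # tokens such as 'close' or 'keep-alive' are not header names and match nothing
        if name and name in headers:
            del headers[name]
            dropped.append(name)
    headers.pop("connection", None)
    return dropped


def proxy_request_vulnerable(headers: Headers, client_ip: str, proxy_name: str) -> Headers:
    """Vulnerable order: add X-Forwarded-*, then clear hop-by-hop headers."""
    h = dict(headers)
    add_forwarded_headers(h, client_ip, proxy_name)
    clear_connection_headers(h)  # a client-supplied Connection token can name X-Forwarded-For
    return h


def proxy_request_fixed(headers: Headers, client_ip: str, proxy_name: str) -> Headers:
    """Assumed fixed order: clear hop-by-hop headers first, then add X-Forwarded-*."""
    h = dict(headers)
    clear_connection_headers(h)
    add_forwarded_headers(h, client_ip, proxy_name)
    return h


def origin_client_ip(headers: Headers, peer_ip: str, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Origin-side check. When the peer is a trusted proxy the client address must
    come from X-Forwarded-For; if that header is absent, return None (deny) rather
    than silently treating the proxy's address as the client."""
    if peer_ip not in set(trusted_proxies):
        return peer_ip
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None
    # apr_table_mergen appends, so the last entry is the one our trusted proxy added
    return xff.split(",")[-1].strip()


# Constructed sample requests as seen by the reverse proxy (keys lower-cased).
REQUEST_NORMAL: Headers = {"host": "app.example", "connection": "close"}
REQUEST_HOP: Headers = {"host": "app.example", "connection": "close, X-Forwarded-For"}

if __name__ == "__main__":
    for label, req in (("normal", REQUEST_NORMAL), ("hop-by-hop", REQUEST_HOP)):
        vuln = proxy_request_vulnerable(req, "203.0.113.7", "proxy1")
        fixed = proxy_request_fixed(req, "203.0.113.7", "proxy1")
        print(label, "vulnerable XFF:", vuln.get("x-forwarded-for"),
              "| fixed XFF:", fixed.get("x-forwarded-for"))
```

Running the block shows the vulnerable pipeline forwarding the second request with no X-Forwarded-For at all while X-Forwarded-Host and X-Forwarded-Server survive, which is exactly the signature an origin should treat as a hard error when the peer is a known proxy.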