Bugzilla – Bug 1200348
VUL-0: CVE-2022-31813: apache2: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
Last modified: 2022-07-29 14:38:39 UTC
CVE-2022-31813 Posted by Stefan Eissing on Jun 08Severity: low Description: Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to the origin server based on client side Connection header hop-by-hop mechanism. This may be used to bypass IP based authentication on the origin server/application. Credit: The Apache HTTP Server project would like to thank Gaetan Ferry (Synacktiv) for reporting this issue References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31813 https://seclists.org/oss-sec/2022/q2/186
Upstream commit: https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305 Again, every codestream should be affected: - SUSE:SLE-11-SP1:Update - SUSE:SLE-12-SP2:Update - SUSE:SLE-12-SP5:Update - SUSE:SLE-15:Update - SUSE:SLE-15-SP2:Update - SUSE:SLE-15-SP4:Update
SUSE-SU-2022:2099-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352 CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813 JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): apache2-2.4.23-29.91.1 SUSE OpenStack Cloud Crowbar 8 (src): apache2-2.4.23-29.91.1 SUSE OpenStack Cloud 9 (src): apache2-2.4.23-29.91.1 SUSE OpenStack Cloud 8 (src): apache2-2.4.23-29.91.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): apache2-2.4.23-29.91.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): apache2-2.4.23-29.91.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): apache2-2.4.23-29.91.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): apache2-2.4.23-29.91.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): apache2-2.4.23-29.91.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.91.1 HPE Helion Openstack 8 (src): apache2-2.4.23-29.91.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2101-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352 CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): apache2-2.4.51-35.19.1 SUSE Linux Enterprise Server 12-SP5 (src): apache2-2.4.51-35.19.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2302-1: An update that solves 7 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1198913,1200338,1200340,1200341,1200345,1200348,1200350,1200352 CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813 JIRA References: Sources used: openSUSE Leap 15.4 (src): apache2-2.4.51-150400.6.3.1 SUSE Linux Enterprise Module for Server Applications 15-SP4 (src): apache2-2.4.51-150400.6.3.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (src): apache2-2.4.51-150400.6.3.1 SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): apache2-2.4.51-150400.6.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2338-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352 CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813 JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15-SP1 (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise Server for SAP 15 (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise Server 15-LTSS (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): apache2-2.4.33-150000.3.69.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): apache2-2.4.33-150000.3.69.1 SUSE Enterprise Storage 6 (src): apache2-2.4.33-150000.3.69.1 SUSE CaaS Platform 4.0 (src): apache2-2.4.33-150000.3.69.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:2342-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 1200338,1200340,1200341,1200345,1200348,1200350,1200352 CVE References: CVE-2022-26377,CVE-2022-28614,CVE-2022-28615,CVE-2022-29404,CVE-2022-30522,CVE-2022-30556,CVE-2022-31813 JIRA References: Sources used: openSUSE Leap 15.3 (src): apache2-2.4.51-150200.3.48.1 SUSE Manager Server 4.1 (src): apache2-2.4.51-150200.3.48.1 SUSE Manager Retail Branch Server 4.1 (src): apache2-2.4.51-150200.3.48.1 SUSE Manager Proxy 4.1 (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise Server for SAP 15-SP2 (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise Server 15-SP2-LTSS (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise Server 15-SP2-BCL (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise Module for Server Applications 15-SP3 (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): apache2-2.4.51-150200.3.48.1 SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): apache2-2.4.51-150200.3.48.1 SUSE Enterprise Storage 7 (src): apache2-2.4.51-150200.3.48.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
There was a blog post [0] published by the security researcher. So basically, when used with mod_proxy, httpd drops the hop-by-hop headers listed in the "Connection" headers, just after having set them. For SUSE:SLE-11-SP1:Update, this is in modules/proxy/mod_proxy_http.c: 830 if (PROXYREQ_REVERSE == r->proxyreq) { 831 const char *buf; 832 833 /* Add X-Forwarded-For: so that the upstream has a chance to 834 * determine, where the original request came from. 835 */ 836 apr_table_mergen(r->headers_in, "X-Forwarded-For", 837 c->remote_ip); 838 839 /* Add X-Forwarded-Host: so that upstream knows what the 840 * original request hostname was. 841 */ 842 if ((buf = apr_table_get(r->headers_in, "Host"))) { 843 apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf); 844 } 845 846 /* Add X-Forwarded-Server: so that upstream knows what the 847 * name of this proxy server is (if there are more than one) 848 * XXX: This duplicates Via: - do we strictly need it? 849 */ 850 apr_table_mergen(r->headers_in, "X-Forwarded-Server", 851 r->server->server_hostname); 852 } 853 854 proxy_run_fixups(r); 855 /* 856 * Make a copy of the headers_in table before clearing the connection 857 * headers as we need the connection headers later in the http output 858 * filter to prepare the correct response headers. 859 * 860 * Note: We need to take r->pool for apr_table_copy as the key / value 861 * pairs in r->headers_in have been created out of r->pool and 862 * p might be (and actually is) a longer living pool. 863 * This would trigger the bad pool ancestry abort in apr_table_copy if 864 * apr is compiled with APR_POOL_DEBUG. 865 */ 866 headers_in_copy = apr_table_copy(r->pool, r->headers_in); 867 ap_proxy_clear_connection(p, headers_in_copy); ap_proxy_clear_connection removes the h-b-h X-Forwared-* headers by calling: apr_table_do(clear_conn_headers, &x, headers, "Connection", NULL); than removes the headers. The researcher mentioned that the issue was introduced in v2.2.1, and we ship v2.2.34 in SUSE:SLE-11-SP1:Update, so SUSE:SLE-11-SP1:Update is affected. [0] https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-is-hard.html