Security Advisory Moderate: httpd security and bug fix update

Advisory: RHSA-2012:0542-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-05-07
Last updated on: 2012-05-07
Affected Products:
    JBoss Enterprise Web Server v1 EL5
    JBoss Enterprise Web Server v1 EL6
CVEs (cve.mitre.org):
    CVE-2011-3348
    CVE-2011-3368
    CVE-2011-3607
    CVE-2012-0021
    CVE-2012-0031
    CVE-2012-0053

Details

Updated httpd packages that fix multiple security issues and one bug are
now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise
Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The Apache HTTP Server ("httpd") is the namesake project of The Apache
Software Foundation.

It was discovered that the Apache HTTP Server did not properly validate the
request URI for proxied requests. In certain configurations, if a reverse
proxy used the ProxyPassMatch directive, or if it used the RewriteRule
directive with the proxy flag, a remote attacker could make the proxy
connect to an arbitrary server, possibly disclosing sensitive information
from internal web servers not directly accessible to the attacker.
(CVE-2011-3368)
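The configurations the advisory refers to are reverse-proxy rules whose regular expression does not require the request path to begin with "/". A pattern such as ^(.*)$ lets a request-URI that does not start with a slash be spliced into the back-end URL, which is how the proxy can be steered to a different host; anchoring the pattern as ^/(.*)$ removes that possibility. The following configuration lint is an added example written for this page, not code from Red Hat or the Apache project. It scans an httpd.conf fragment (a constructed sample, not a real deployment) for ProxyPassMatch directives and RewriteRule directives carrying the [P] flag, and flags every pattern that is not anchored to a leading slash, showing the weak form next to the corrected one.

```python
import re

# Constructed sample httpd.conf fragment (not from the advisory). Lines 1 and 4
# are the weak forms; lines 2 and 5 are the corrected, slash-anchored forms.
SAMPLE_CONF = "\n".join([
    r"ProxyPassMatch ^(.*\.php)$ http://backend.internal:8080$1",      # weak: unanchored
    r"ProxyPassMatch ^/(.*\.php)$ http://backend.internal:8080/$1",    # corrected
    r"RewriteEngine On",
    r"RewriteRule ^(.*)$ http://backend.internal:8080$1 [P]",          # weak: unanchored
    r"RewriteRule ^/app/(.*)$ http://backend.internal:8080/app/$1 [P,L]",  # corrected
])

# Matches a RewriteRule flag list that contains the proxy flag, e.g. [P], [P,L], [L,P].
# "[PT]" (passthrough) is deliberately not matched.
PROXY_FLAG_RE = re.compile(r"\[(?:[^\]]*,)?P(?:,[^\]]*)?\]")


def is_anchored_to_slash(pattern):
    """True when the regex can only match request paths that start with '/'.

    Only the two common spellings are accepted; anything else (no '^', or a
    '^' followed by a group or wildcard) is treated as unanchored.
    """
    return pattern.startswith("^/") or pattern.startswith("^\\/")


def lint_proxy_patterns(conf_text):
    """Return one finding per proxying directive whose pattern is not anchored.

    Each finding is a dict with the 1-based line number, the directive name
    and the offending pattern, so it can be reported or fed to a CI check.
    """
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "proxypassmatch" and len(parts) >= 3:
            pattern = parts[1]
        elif directive == "rewriterule" and len(parts) >= 4 \
                and PROXY_FLAG_RE.fullmatch(parts[3]):
            pattern = parts[1]
        else:
            continue
        if not is_anchored_to_slash(pattern):
            findings.append({"line": lineno, "directive": parts[0],
                             "pattern": pattern})
    return findings


if __name__ == "__main__":
    for f in lint_proxy_patterns(SAMPLE_CONF):
        print("line %d: %s pattern %r is not anchored to a leading slash"
              % (f["line"], f["directive"], f["pattern"]))
```

The heuristic is meant for server and virtual-host context, where the pattern is matched against the full request path. In per-directory context (a Directory block or .htaccess) RewriteRule matches a path relative to that directory, which legitimately has no leading slash, so findings from such files need a manual look. The updated packages reject non-slash request-URIs on proxied requests regardless of the pattern; the lint is a defense-in-depth check for hosts that are not yet patched and for configurations that should not depend on that server-side rejection.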

It was discovered that mod_proxy_ajp incorrectly returned an "Internal
Server Error" response when processing certain malformed HTTP requests,
which caused the back-end server to be marked as failed in configurations
where mod_proxy was used in load balancer mode. A remote attacker could
cause mod_proxy to not send requests to back-end AJP (Apache JServ
Protocol) servers for the retry timeout period or until all back-end
servers were marked as failed. (CVE-2011-3348)

The httpd server included the full HTTP header line in the default error
page generated when receiving an excessively long or malformed header.
Malicious JavaScript running in the server's domain context could use this
flaw to gain access to httpOnly cookies. (CVE-2012-0053)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the way httpd performed substitutions in regular expressions. An
attacker able to set certain httpd settings, such as a user permitted to
override the httpd configuration for a specific directory using a
".htaccess" file, could use this flaw to crash the httpd child process or,
possibly, execute arbitrary code with the privileges of the "apache" user.
(CVE-2011-3607)

A NULL pointer dereference flaw was found in the httpd mod_log_config
module. In configurations where cookie logging is enabled, a remote
attacker could use this flaw to crash the httpd child process via an HTTP
request with a malformed Cookie header. (CVE-2012-0021)

A flaw was found in the way httpd handled child process status information.
A malicious program running with httpd child process privileges (such as a
PHP or CGI script) could use this flaw to cause the parent httpd process to
crash during httpd service shutdown. (CVE-2012-0031)

Red Hat would like to thank Context Information Security for reporting the
CVE-2011-3368 issue.

This update also fixes the following bug:

* The fix for CVE-2011-3192 provided by the RHSA-2011:1329 update
introduced a regression in the way httpd handled certain Range HTTP header
values. This update corrects this regression. (BZ#749071)

All users of JBoss Enterprise Web Server 1.0.2 should upgrade to these
updated packages, which contain backported patches to correct these issues.
After installing the updated packages, users must restart the httpd
service for the update to take effect.
Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v1 EL5

SRPMS:
httpd-2.2.17-15.4.ep5.el5.src.rpm     MD5: a3cfdde539004ac1269377107c8d8177
SHA-256: 92d760ee333664be297924af2846001a50c9e5896377f74a4013f60344313110
 
IA-32:
httpd-2.2.17-15.4.ep5.el5.i386.rpm     MD5: d494d58269da569665cb2c5e0f6330b6
SHA-256: 1a040781a1f359644be137ff74106ecacdd605bc119fcb0fb1896dab1ef150c3
httpd-devel-2.2.17-15.4.ep5.el5.i386.rpm     MD5: 8ec8be29bb15e2d0bb0f9f0caa12c9e1
SHA-256: e62ca04c8f55c42a80a67f88996ff9387975463a63f44f96ed38712c13308528
httpd-manual-2.2.17-15.4.ep5.el5.i386.rpm     MD5: 90681f9be8b8c4342e7cb45519d76022
SHA-256: 1b3a16dbe63159037dae6c095eff389e6206ea0026c4f5c6dbe293f63d973909
mod_ssl-2.2.17-15.4.ep5.el5.i386.rpm     MD5: 95f32ca6fb7d048a286921dd9d4e1e9d
SHA-256: 6f7a49ae54ea3f674bcac55ee2456bf169c96f18e26a6eb9bc515cee648758cf
 
x86_64:
httpd-2.2.17-15.4.ep5.el5.x86_64.rpm     MD5: afe915936ef9ec2da28438dbe759834c
SHA-256: e5f65c1d7f7d3c97f829885661cfadb14fe0d08fb24479f7dcd8ef719e31445e
httpd-devel-2.2.17-15.4.ep5.el5.x86_64.rpm     MD5: d824befe0957d8c079cbbfdf381d1f50
SHA-256: ab908555fddf89d83ec962edbcf1fe46894b6d31e3af852d79809beeba4a36f1
httpd-manual-2.2.17-15.4.ep5.el5.x86_64.rpm     MD5: e9d42e5ea069ce5d3325f42f72805c07
SHA-256: 1d1c57c213071bdf33a3b7c0e191c7f8ece807fe65af8827a6ddb198864e24d1
mod_ssl-2.2.17-15.4.ep5.el5.x86_64.rpm     MD5: 5ad337644c81f6bae0f13ff1ba0241e9
SHA-256: bc124fb6bdd4424e7c5f64218adcf3909bb9b4a11db6b40ae2bf799d5e1447dc
 
JBoss Enterprise Web Server v1 EL6

SRPMS:
httpd-2.2.17-15.4.ep5.el6.src.rpm     MD5: 4559e3815ab6bfcf846203c73c08195d
SHA-256: d319f55f155bab323a1f8d2d6ca46a3e686b6933ba9316262805fe1b003e87bb
 
IA-32:
httpd-2.2.17-15.4.ep5.el6.i386.rpm     MD5: 67242c34cecc907bed3dbdb87037c70e
SHA-256: a50aff5f82601b45e6a2b67fed4a15ef623fb48e724fb137f3e3ff32c203b8f6
httpd-devel-2.2.17-15.4.ep5.el6.i386.rpm     MD5: 1cc5c9322d1be151a62a4842a4ac2f09
SHA-256: f6ed68e0c06c011d04723726338ec55be69de738cad9719d4c1cdff6cd1cb766
httpd-manual-2.2.17-15.4.ep5.el6.i386.rpm     MD5: 6129f55684b8145917a9295ea97086ef
SHA-256: 08007a9d14b588dec95767a17a594a37a8c08b00588a3410a6f56d1fba4dfd55
httpd-tools-2.2.17-15.4.ep5.el6.i386.rpm     MD5: 6ea4ef68869ad2560e831a8771e5d391
SHA-256: 634d49816fc2e19e26047871c816e1f1e2ad6a31be1247a8c68918e3ba567755
mod_ssl-2.2.17-15.4.ep5.el6.i386.rpm     MD5: b16f37aac7268ab6d706322a38f79607
SHA-256: fb9b6843bf940bebcbefb89dd98fc0b956f434b0f212720007da233f1d3112ac
 
x86_64:
httpd-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: 8d2173859b85df1b1d182a0c9364993e
SHA-256: 984655a17f23031f3f4e3f4a8cbc428ae627baf64dbf41df0da29b7110bec94c
httpd-devel-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: 3748c766d25b08a4025e9c88c442859a
SHA-256: 20507e34cf164d3fa45a7c80aea302ebff807055c45a818dd5ffb410de609e48
httpd-manual-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: cde21a5b2aa33ba83bb12ce9c73d4168
SHA-256: 980585bb79fab24f2e5a8348873f7d95eca58850c85ba40f730e556da4be226a
httpd-tools-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: a836ce709bd8a40795bf7adcb2bb317a
SHA-256: c74883f09a3ef91a5d5d51a2a266152a6318914ac900375b947bd216360b05f6
mod_ssl-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: c93f59673e557d7a4cc6140c5af0243b
SHA-256: f5532a74158a220a0beef33337e6a7d1cb12690360c140ddd77713ff6de96593
 
(The unlinked packages above are only available from the Red Hat Network)
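Two checks a practitioner applies to this section: that a downloaded RPM matches the SHA-256 the advisory lists, and that the version installed on a host is at or above the fixed build. The script below is an added example written for this page (not Red Hat tooling). It parses two package lines copied verbatim from the EL6 x86_64 list above, verifies file bytes against the listed SHA-256, and compares name-version-release strings with a simplified re-implementation of rpm's version ordering. The fixed NVR default (httpd-2.2.17-15.4.ep5.el6) is taken from the package list; the file bytes used in the demo are a constructed placeholder, since the real RPMs are only available from the Red Hat Network.

```python
import hashlib
import re

# Two entries copied from the advisory's "JBoss Enterprise Web Server v1 EL6, x86_64"
# list, kept in the page's own layout (package + MD5 on one line, SHA-256 on the next).
ADVISORY_PACKAGES = """\
httpd-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: 8d2173859b85df1b1d182a0c9364993e
SHA-256: 984655a17f23031f3f4e3f4a8cbc428ae627baf64dbf41df0da29b7110bec94c
mod_ssl-2.2.17-15.4.ep5.el6.x86_64.rpm     MD5: c93f59673e557d7a4cc6140c5af0243b
SHA-256: f5532a74158a220a0beef33337e6a7d1cb12690360c140ddd77713ff6de96593
"""


def parse_package_list(text):
    """Return {rpm filename: {"md5": ..., "sha256": ...}} from the advisory layout."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S+\.rpm)\s+MD5:\s*([0-9a-f]{32})", line)
        if m:
            current = m.group(1)
            entries[current] = {"md5": m.group(2), "sha256": None}
            continue
        m = re.match(r"SHA-256:\s*([0-9a-f]{64})", line)
        if m and current:
            entries[current]["sha256"] = m.group(1)
    return entries


def verify_rpm_bytes(filename, data, entries):
    """True when the SHA-256 of the file bytes equals the advisory's value.

    The page also lists MD5, but MD5 is not collision resistant, so only the
    SHA-256 decides here.
    """
    return hashlib.sha256(data).hexdigest() == entries[filename]["sha256"]


def _segments(s):
    # rpm compares a version as alternating runs of digits and letters.
    return re.findall(r"[0-9]+|[a-zA-Z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Numeric runs compare as integers and
    rank above alphabetic runs; alphabetic runs compare lexically. Epoch and
    the tilde rule of newer rpm are not handled."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_nvr(nvr):
    """'httpd-devel-2.2.17-15.4.ep5.el6' -> ('httpd-devel', '2.2.17', '15.4.ep5.el6')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(installed_nvr, fixed_nvr="httpd-2.2.17-15.4.ep5.el6"):
    """True when the installed build is the fixed build or newer (same package name)."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError("package name mismatch: %s vs %s" % (n1, n2))
    c = rpmvercmp(v1, v2)
    if c == 0:
        c = rpmvercmp(r1, r2)
    return c >= 0


if __name__ == "__main__":
    entries = parse_package_list(ADVISORY_PACKAGES)
    # Constructed placeholder bytes; a real check would read the downloaded .rpm.
    print(verify_rpm_bytes("httpd-2.2.17-15.4.ep5.el6.x86_64.rpm",
                           b"constructed placeholder, not the real rpm", entries))
    for nvr in ("httpd-2.2.17-15.3.ep5.el6", "httpd-2.2.17-15.4.ep5.el6"):
        print(nvr, "patched" if is_patched(nvr) else "NOT patched")
```

On a real host the installed NVR comes from `rpm -q httpd`, and the same function can be applied to the mod_ssl, httpd-devel, httpd-manual and httpd-tools builds by passing their NVR from the package list as fixed_nvr. The comparison is intentionally simplified; for anything beyond a quick check, rpm's own `rpmdev-vercmp` is the reference.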

Bugs fixed (see bugzilla for more information)

736690 - CVE-2011-3348 httpd: mod_proxy_ajp remote temporary DoS
740045 - CVE-2011-3368 httpd: reverse web proxy vulnerability
749071 - httpd: RHSA-2011:1329 and RHSA-2011:1330 range 0- handling regression
769844 - CVE-2011-3607 httpd: ap_pregsub Integer overflow to buffer overflow
773744 - CVE-2012-0031 httpd: possible crash on shutdown due to flaw in scoreboard handling
785065 - CVE-2012-0021 httpd: NULL pointer dereference crash in mod_log_config
785069 - CVE-2012-0053 httpd: cookie exposure due to error responses


References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/