Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@apache.org> on 2010/06/11 21:45:25 UTC

[advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important

Description;

    A timeout detection flaw in the httpd mod_proxy_http module causes
    a proxied response to be sent as the response to a different request,
    and potentially served to a different client, from the HTTP proxy
    pool worker pipeline.

    This may represent a confidential data revealing flaw.

    This affects only Netware, Windows or OS2 builds of httpd version
    2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when the proxy
    worker pools have been enabled.  Earlier 2.2, 2.0 and 1.3 releases
    were not affected.

Acknowledgements;

    We would like to thank Loren Anderson for the thorough research
    and reporting of this flaw.

Mitigation;

    Apply any one of the following mitigations to avert the possibility
    of confidential information disclosure.

    * Do not load mod_proxy_http.

    * Do not configure/enable any http proxy worker pools with ProxySet
      or ProxyPass optional arguments.

    * The straightforward workaround to disable mod_proxy_http's reuse
      of backend connection pipelines is to set the following global
      directive;

        SetEnv proxy-nokeepalive 1

    * Replace mod_proxy_http.so with a patched version, for source code
      see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
      http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
      binaries see the http://www.apache.org/dist/httpd/binaries/ tree
      for win32 or netware, as appropriate.

    * Upgrade to Apache httpd 2.2.16 or higher, once released.  There
      is no tentative release date scheduled.

Update Released; 11th June 2010
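As an added defender-side check, not part of the advisory or of the httpd project, the script below audits an httpd.conf text for the three conditions the mitigation list combines: mod_proxy_http loaded, a worker pool created by ProxyPass/ProxySet optional arguments, and the SetEnv proxy-nokeepalive workaround absent. The config fragment is constructed; its hostnames and paths are assumptions, only the directive names come from the advisory.

```python
import re

# Constructed sample httpd.conf fragment for the audit below; the directive
# names (LoadModule, ProxyPass, ProxySet, SetEnv proxy-nokeepalive) are the
# ones the advisory discusses, the hosts and paths are made up.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# Optional key=value arguments after the URL create a reusable worker pool
ProxyPass /app http://backend.internal:8080/ max=20 ttl=120
ProxyPassReverse /app http://backend.internal:8080/
<Proxy balancer://cluster>
    ProxySet lbmethod=byrequests
</Proxy>
"""

SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


def _pool_options(tokens):
    """key=value arguments of a ProxyPass/ProxySet line (URLs and paths excluded)."""
    return [t for t in tokens[1:]
            if '=' in t and not SCHEME_RE.match(t) and not t.startswith('/')]


def audit_config(text):
    """Check httpd.conf text against the CVE-2010-2068 mitigation list.

    Returns whether mod_proxy_http is loaded, which lines create proxy worker
    pools, whether the proxy-nokeepalive workaround is present, and whether
    those three together leave the configuration exposed (on the affected
    Windows/Netware/OS2 builds and versions named in the advisory).
    Directive scope (<VirtualHost>, <Location>) is not tracked and Include'd
    files are not followed.
    """
    loads_proxy_http, nokeepalive_set, worker_pools = False, False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith('#'):  # httpd comments start the line
            continue
        directive = tokens[0].lower()
        if directive == 'loadmodule' and len(tokens) > 1 and tokens[1].lower() == 'proxy_http_module':
            loads_proxy_http = True
        elif directive == 'setenv' and len(tokens) > 1 and tokens[1].lower() == 'proxy-nokeepalive':
            nokeepalive_set = True  # the advisory's workaround: SetEnv proxy-nokeepalive 1
        elif directive in ('proxypass', 'proxyset') and _pool_options(tokens):
            worker_pools.append((lineno, tokens[0]))
    return {
        'loads_proxy_http': loads_proxy_http,
        'worker_pools': worker_pools,
        'nokeepalive_set': nokeepalive_set,
        'exposed': loads_proxy_http and bool(worker_pools) and not nokeepalive_set,
    }
```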


Re: [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/11/2010 2:45 PM, William A. Rowe Jr. wrote:
> 
>     * Replace mod_proxy_http.so with a patched version, for source code
>       see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
>       http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
>       binaries see the http://www.apache.org/dist/httpd/binaries/ tree
>       for win32 or netware, as appropriate.

Presuming that jira ticket INFRA-2791 is not addressed, I'll publish
http://people.apache.org/~wrowe/CVE-2010-2068/ as an alternative location
to the various announce and external lists in another hour.