Information Security


Additional information

  Information leak via mod_proxy_http in Apache

  [ MDVSA-2010:153 ] apache

From: APACHE
Date: 14 June 2010
Subject: [advisory] httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Vulnerability; httpd Timeout detection flaw (mod_proxy_http) CVE-2010-2068

Classification; important

Description;

   A timeout detection flaw in the httpd mod_proxy_http module causes a
   proxied response to be sent as the response to a different request,
   and potentially served to a different client, from the HTTP proxy
   worker pool's connection pipeline.

   This may result in the disclosure of confidential data.

   This affects only the Netware, Windows and OS2 builds of httpd
   versions 2.2.9 through 2.2.15, 2.3.4-alpha and 2.3.5-alpha, when
   proxy worker pools have been enabled.  Earlier 2.2, 2.0 and 1.3
   releases are not affected.

Acknowledgements;

   We would like to thank Loren Anderson for the thorough research
   and reporting of this flaw.

Mitigation;

   Apply any one of the following mitigations to avert the possibility
   of confidential information disclosure.

   * Do not load mod_proxy_http.

   * Do not configure/enable any http proxy worker pools with ProxySet
     or ProxyPass optional arguments.

   * The straightforward workaround is to disable mod_proxy_http's reuse
     of backend connections by setting the following global directive
     (it forces the proxy to close the backend connection after each
     request);

       SetEnv proxy-nokeepalive 1

   * Replace mod_proxy_http.so with a patched version, for source code
     see http://www.apache.org/dist/httpd/patches/apply_to_2.2.15/ or
     http://www.apache.org/dist/httpd/patches/apply_to_2.3.5/ and for
     binaries see the http://www.apache.org/dist/httpd/binaries/ tree
     for win32 or netware, as appropriate.

   * Upgrade to Apache httpd 2.2.16 or higher, once released.  There
     is no tentative release date scheduled.
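   The following httpd.conf fragment is an added illustration and is
   not part of the Apache advisory. It places a worker-pool style
   ProxyPass (the kind of configuration the advisory flags, with
   optional arguments enabling backend connection reuse) next to the
   advisory's SetEnv workaround. The backend address 10.0.0.5:8080, the
   /app/ path and the VULNERABLE_EXAMPLE define are assumptions chosen
   for the example.

```apache
# Added illustrative httpd.conf fragment (not from the Apache advisory).
# Assumed: an affected httpd 2.2.x Windows build acting as a reverse
# proxy for a backend at http://10.0.0.5:8080/ (constructed address).

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy only; never expose a forward proxy by accident.
ProxyRequests Off

# --- Configuration the advisory warns about ---
# The optional ProxyPass arguments configure a worker pool whose backend
# connections are kept alive and reused across requests. On the affected
# builds, a backend connection whose timeout was mis-detected can be
# reused and its late response delivered to a different client's request.
# Enabled only with "httpd -D VULNERABLE_EXAMPLE" so it is off by default.
<IfDefine VULNERABLE_EXAMPLE>
    ProxyPass        /app/ http://10.0.0.5:8080/app/ keepalive=On timeout=10 max=20
    ProxyPassReverse /app/ http://10.0.0.5:8080/app/
</IfDefine>

# --- Advisory workaround ---
# Global directive: mod_proxy closes the backend connection after every
# request, so no timed-out connection can be reused for another client.
# This costs a new TCP connection per proxied request, which is the price
# of the workaround until a fixed mod_proxy_http.so or 2.2.16 is installed.
SetEnv proxy-nokeepalive 1

<IfDefine !VULNERABLE_EXAMPLE>
    ProxyPass        /app/ http://10.0.0.5:8080/app/
    ProxyPassReverse /app/ http://10.0.0.5:8080/app/
</IfDefine>
```

   After changing the configuration, verify it with `httpd -t` and
   restart the service; the advisory's other options (not loading
   mod_proxy_http, or replacing it with the patched binary) remove the
   need for the SetEnv line.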

Update Released; 11th June 2010

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod