The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache httpd: bypassing mod_headers unset

Synthesis of the vulnerability

An attacker can use HTTP Chunked data, in order to bypass the "RequestHeader unset" directive of Apache httpd mod_headers.
Vulnerable software: Apache httpd, Apache httpd Modules ~ not comprehensive, BIG-IP Hardware, TMOS, Fedora, HP-UX, WebSphere AS Traditional, openSUSE, Solaris, RHEL, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Ubuntu.
Severity of this announcement: 2/4.
Creation date: 01/04/2014.
References of this computer vulnerability: 1690185, 1695392, 7036319, bulletinjan2015, c04686230, c04832246, CVE-2013-5704, FEDORA-2014-17153, FEDORA-2014-17195, HPSBUX03337, HPSBUX03512, MDVSA-2014:174, openSUSE-SU-2014:1726-1, RHSA-2014:1972-01, RHSA-2015:0325-02, RHSA-2015:1249-02, RHSA-2015:2659-01, RHSA-2015:2660-01, RHSA-2015:2661-01, RHSA-2016:0062-01, SOL16863, SSA:2015-111-03, SSRT102066, SSRT102254, USN-2523-1, VIGILANCE-VUL-14503.

Description of the vulnerability

The HTTP Transfer-Encoding header can take the "chunked" value, to indicate that the body is split into chunks before being transmitted. After the last (zero-length) chunk, the chunked format allows a trailer section: additional header lines that arrive only once the body has been read.

The "RequestHeader unset Abc" directive of the mod_headers module of Apache httpd instructs the server to remove the HTTP Abc header. However, if an attacker places the HTTP Abc header in the trailer section of a chunked request body, mod_headers does not remove it: the unset rule has already run on the initial header block, and the trailer headers are merged into the request afterwards.

An attacker can therefore use HTTP Chunked data, in order to bypass the "RequestHeader unset" directive of Apache httpd mod_headers.
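To make the mechanism concrete, here is an added example that is not part of the Vigil@nce bulletin nor Apache code: a minimal chunked-request parser that exposes the trailer section as a second set of headers, and a header-filtering function that contrasts an unset rule applied only to the initial header block with one that also covers the trailers. The sample request, the host name and the "Abc" header are constructed for the demonstration.

```python
# Added example (not from the Vigil@nce bulletin): a chunked HTTP/1.1 request
# parser exposing trailer headers. Request and "Abc" header are constructed.
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Abc: from-header-block\r\n"
    b"\r\n"
    b"5\r\nhello\r\n"         # one 5-byte chunk
    b"0\r\n"                  # last-chunk marker
    b"Abc: from-trailer\r\n"  # trailer section: headers that follow the body
    b"\r\n"
)
def parse_header_line(line):
    name, _, value = line.partition(b":")
    return name.strip().decode(), value.strip().decode()

def split_request(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    header_block = head.split(b"\r\n", 1)[1]  # drop the request line
    return [parse_header_line(ln) for ln in header_block.split(b"\r\n") if ln], body

def parse_chunked(body):
    """Decode a chunked body; return (payload, trailer header pairs)."""
    payload, pos, trailers = b"", 0, []
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break
        payload += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    while True:  # trailer lines end with an empty line, exactly like headers
        line_end = body.index(b"\r\n", pos)
        line, pos = body[pos:line_end], line_end + 2
        if not line:
            return payload, trailers
        trailers.append(parse_header_line(line))

def effective_headers(raw, unset, filter_trailers):
    """Headers seen after an 'unset' rule. filter_trailers=False mirrors the bug in
    the bulletin (trailers merged in unfiltered); True applies the rule to trailers too."""
    headers, body = split_request(raw)
    _, trailers = parse_chunked(body)
    drop = {n.lower() for n in unset}
    kept = [h for h in headers if h[0].lower() not in drop]
    if filter_trailers:
        trailers = [t for t in trailers if t[0].lower() not in drop]
    return kept + trailers
```

The fixed Apache httpd versions listed under Solutions no longer merge request trailers into the already-filtered header set unless the MergeTrailers directive is explicitly enabled.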


Our Vigil@nce team determined that the severity of this security threat is medium.

The trust level is "confirmed by the vendor", and the attack origin is "internet client".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this computer vulnerability.

Solutions for this threat

Apache httpd: version 2.4.12.
The version 2.4.12 is fixed:
  http://httpd.apache.org/download.cgi

Apache httpd: version 2.2.29.
The version 2.2.29 is fixed:
  http://httpd.apache.org/download.cgi

F5 BIG-IP: fixed versions for Apache mod_headers unset.
Fixed versions are indicated in information sources.

Fedora: new httpd packages.
New packages are available:
  Fedora 20: httpd 2.4.10-2.fc20
  Fedora 21: httpd 2.4.10-15.fc21

HP-UX Apache Web Server: version 4.05.
The version 4.05 is fixed:
  http://software.hp.com/

HP-UX: Web Server Suite version 3.31.
Web Server Suite version B.11.23 is fixed:
  http://software.hp.com/
  HPUXWSATW331

Mandriva: new apache packages.
New packages are available:
  Mandriva BS1: apache 2.2.29-1.mbs1

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 12.3: apache2 2.2.29-10.20.1
  openSUSE 13.1: apache2 2.4.6-6.37.1
  openSUSE 13.2: apache2 2.4.10-4.1

Red Hat JBoss Web Server: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.0

Red Hat JBoss Web Server: version 3.0.2.
The version 3.0.2 is fixed.

RHEL 6: new httpd packages.
New packages are available:
  RHEL 6: httpd 2.2.15-45.el6

RHEL 7: new httpd packages.
New packages are available:
  RHEL 7: httpd 2.4.6-31.el7

RHEL: new httpd24-httpd packages.
New packages are available:
  RHEL 6: httpd24-httpd 2.4.6-22.el6
  RHEL 7: httpd24-httpd 2.4.6-25.el7

SAS 9.4: patch for OpenSSL, Apache.
A patch is available:
  http://support.sas.com/kb/59371.html

Slackware: new httpd packages.
New packages are available:
  Slackware 13.0: httpd 2.2.29-*-1_slack13.0
  Slackware 13.1: httpd 2.2.29-*-1_slack13.1
  Slackware 13.37: httpd 2.2.29-*-1_slack13.37
  Slackware 14.0: httpd 2.4.12-*-1_slack14.0
  Slackware 14.1: httpd 2.4.12-*-1_slack14.1

Solaris: patch for Third Party (21/01/2015).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Ubuntu: new apache2.2-bin packages.
New packages are available:
  Ubuntu 14.10: apache2.2-bin 2.4.10-1ubuntu1.1
  Ubuntu 14.04 LTS: apache2.2-bin 2.4.7-1ubuntu4.4
  Ubuntu 12.04 LTS: apache2.2-bin 2.2.22-1ubuntu1.8
  Ubuntu 10.04 LTS: apache2.2-bin 2.2.14-5ubuntu8.15

WebSphere AS: version 8.0.0.10.
The version 8.0.0.10 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24039242

WebSphere AS: version 8.5.5.4.
The version 8.5.5.4 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24038539