Bug 33353

Summary: apache new security issues CVE-2024-36387, CVE-2024-3847[3-7], CVE-2024-39573 and CVE-2024-39884
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, brtians1, herman.viaene, mageia, sysadmin-bugs, tablackwell
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: apache-2.4.59-1.mga9.src.rpm CVE: CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573, CVE-2024-39884
Status comment:

Nicolas Salguero 2024-07-02 09:18:48 CEST

Status comment: (none) => Fixed upstream in 2.4.60
Source RPM: (none) => apache-2.4.59-1.mga10.src.rpm
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573
Summary: apache new security issues, CVE-2024-36387, CVE-2024-3847[3-7] and CVE-2024-39573 => apache new security issues CVE-2024-36387, CVE-2024-3847[3-7] and CVE-2024-39573

Comment 1 Nicolas Salguero 2024-07-02 10:42:07 CEST Comment hidden (obsolete)

Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.4.60 => (none)
Source RPM: apache-2.4.59-1.mga10.src.rpm => apache-2.4.59-1.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

katnatek 2024-07-02 19:08:31 CEST

Keywords: (none) => advisory

Comment 2 katnatek 2024-07-03 00:44:47 CEST Comment hidden (obsolete)
katnatek 2024-07-03 03:44:05 CEST

Depends on: (none) => 33355

Comment 3 Herman Viaene 2024-07-03 10:37:55 CEST Comment hidden (obsolete)

CC: (none) => herman.viaene

Comment 4 Nicolas Salguero 2024-07-03 11:24:05 CEST Comment hidden (obsolete)

Keywords: advisory => (none)

Marc Krämer 2024-07-03 14:52:33 CEST

Depends on: 33355 => (none)

PC LX 2024-07-03 17:58:21 CEST

CC: (none) => mageia

katnatek 2024-07-03 18:25:08 CEST

Keywords: (none) => advisory

Comment 5 katnatek 2024-07-03 18:33:39 CEST Comment hidden (obsolete)
Comment 6 PC LX 2024-07-04 11:37:43 CEST Comment hidden (obsolete)
Comment 7 Nicolas Salguero 2024-07-04 15:11:51 CEST 
The problem described in bug 33355 has received CVE-2024-39884 and is fixed in version 2.4.61. See: https://www.openwall.com/lists/oss-security/2024/07/03/8

Summary: apache new security issues CVE-2024-36387, CVE-2024-3847[3-7] and CVE-2024-39573 => apache new security issues CVE-2024-36387, CVE-2024-3847[3-7], CVE-2024-39573 and CVE-2024-39884
CVE: CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573 => CVE-2024-36387, CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476 , CVE-2024-38477, CVE-2024-39573, CVE-2024-39884
Keywords: advisory => (none)

Comment 8 Nicolas Salguero 2024-07-04 15:16:14 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. (CVE-2024-36387)

Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. (CVE-2024-38473)

Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant to only to be executed as CGI. Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. (CVE-2024-38474)

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. (CVE-2024-38475)

Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable.  (CVE-2024-38476)

Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. (CVE-2024-38477)

Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly setup URL's to be handled by mod_proxy. (CVE-2024-39573)

A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers.   "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. (CVE-2024-39884)

References:
https://www.openwall.com/lists/oss-security/2024/07/01/4
https://www.openwall.com/lists/oss-security/2024/07/01/6
https://www.openwall.com/lists/oss-security/2024/07/01/7
https://www.openwall.com/lists/oss-security/2024/07/01/8
https://www.openwall.com/lists/oss-security/2024/07/01/9
https://www.openwall.com/lists/oss-security/2024/07/01/10
https://www.openwall.com/lists/oss-security/2024/07/01/11
https://www.openwall.com/lists/oss-security/2024/07/03/8
========================

Updated packages in core/updates_testing:
========================
apache-2.4.61-1.mga9
apache-devel-2.4.61-1.mga9
apache-doc-2.4.61-1.mga9
apache-htcacheclean-2.4.61-1.mga9
apache-mod_brotli-2.4.61-1.mga9
apache-mod_cache-2.4.61-1.mga9
apache-mod_dav-2.4.61-1.mga9
apache-mod_dbd-2.4.61-1.mga9
apache-mod_http2-2.4.61-1.mga9
apache-mod_ldap-2.4.61-1.mga9
apache-mod_proxy-2.4.61-1.mga9
apache-mod_proxy_html-2.4.61-1.mga9
apache-mod_session-2.4.61-1.mga9
apache-mod_ssl-2.4.61-1.mga9
apache-mod_suexec-2.4.61-1.mga9
apache-mod_userdir-2.4.61-1.mga9

from SRPM:
apache-2.4.61-1.mga9.src.rpm
Comment 9 Brian Rockwell 2024-07-04 17:46:51 CEST 
LOL - I was just testing 2.4.60-2.  I'll wait for the mirror to catch up.

CC: (none) => brtians1

katnatek 2024-07-04 18:27:15 CEST

Keywords: (none) => advisory

Comment 10 Tony Blackwell 2024-07-04 23:50:13 CEST 
Got it from Princeton.
Installed just the relevant packages (not task-lamp).
It Works!

No obvious issues with a rudimentary look at it.

CC: (none) => tablackwell

Comment 11 Tony Blackwell 2024-07-04 23:51:30 CEST 
I see we don't yet have an apache listing in Testing Procedures
Comment 12 katnatek 2024-07-05 00:14:21 CEST 
RH mga 9 x86_64

 LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date

installing apache-mod_userdir-2.4.61-1.mga9.x86_64.rpm apache-mod_proxy-2.4.61-1.mga9.x86_64.rpm apache-mod_ssl-2.4.61-1.mga9.x86_64.rpm apache-2.4.61-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/4: apache                ##################################################################################################
      2/4: apache-mod_userdir    ##################################################################################################
      3/4: apache-mod_proxy      ##################################################################################################
      4/4: apache-mod_ssl        ##################################################################################################
      1/4: removing apache-mod_ssl-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
      2/4: removing apache-mod_proxy-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
      3/4: removing apache-mod_userdir-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
      4/4: removing apache-2.4.60-2.mga9.x86_64
                                 ##################################################################################################
----------------------------------------------------------------------
More information on package apache-2.4.61-1.mga9.x86_64
Starting with Apache 2.4.60, the fix for CVE-2024-38476 (Apache HTTP Server may
use exploitable/malicious backend application output to run local handlers via
internal redirect) caused some changes regarding the 'AddType' directive.

Some legacy uses of the 'AddType' directive to connect a request to a handler
must be ported to 'AddHandler'.

For instance, in order to use apache-mod_php or php-fpm-apache, be sure the
directives 'AddType application/x-httpd-php...' in 70_mod_php.conf or
10_php-fpm.conf were replaced by 'AddHandler application/x-httpd-php'.

----------------------------------------------------------------------

systemctl restart httpd.service 
systemctl -l status httpd.service 
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Thu 2024-07-04 16:10:05 CST; 8s ago
   Main PID: 97663 (httpd)
     Status: "Processing requests..."
      Tasks: 6 (limit: 6904)
     Memory: 6.0M
        CPU: 63ms
     CGroup: /system.slice/httpd.service
             ├─97663 /usr/sbin/httpd -DFOREGROUND
             ├─97668 /usr/sbin/httpd -DFOREGROUND
             ├─97669 /usr/sbin/httpd -DFOREGROUND
             ├─97670 /usr/sbin/httpd -DFOREGROUND
             ├─97671 /usr/sbin/httpd -DFOREGROUND
             └─97672 /usr/sbin/httpd -DFOREGROUND

jul 04 16:10:05 jgrey.phoenix systemd[1]: Starting httpd.service...
jul 04 16:10:05 jgrey.phoenix systemd[1]: Started httpd.service.

I can connect to my page from remote server, I fix my issue with a php page and all my pages works
Comment 13 katnatek 2024-07-05 00:22:23 CEST 
About bug#33355 I can't confirm is fixed because I use php-fpm
And the issue is also produced by apache-mod_php
Comment 14 PC LX 2024-07-07 11:25:47 CEST 
Installed and tested without issues.

Tested for two day with several sites and scripts installed.

Tested:
- systemd socket activation;
- server status;
- server info;
- custom logs;
- IPv4 and IPv6;
- HTTP 1.1 and 2;
- HTTP 1.1 upgrade to HTTP 2;
- HTTPS with SNI;
- Lets Encrypt SSL signed certificates (managed using certbot);
- self signed certificates;
- SSL test using sslscan and https://www.ssllabs.com/ssltest/;
- multiple sites resolution by IP and host name;
- PHP through FPM;
- PHP scripts;
- APCu cache;
- proxying several sites (e.g. Gitea, goaccess);
- mod_rewrite;
- mod_security;
- mod_proxy;
- mod_alias.



System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.



# uname -a
Linux marte 6.6.28-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Apr 17 17:19:36 UTC 2024 x86_64 GNU/Linux
# rpm -qa | grep apache.*2.4.61 | sort
apache-2.4.61-1.mga9
apache-mod_http2-2.4.61-1.mga9
apache-mod_proxy-2.4.61-1.mga9
apache-mod_proxy_html-2.4.61-1.mga9
apache-mod_ssl-2.4.61-1.mga9
# systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Sun 2024-07-07 10:23:17 WEST; 2min 5s ago
   Main PID: 2802203 (httpd)
     Status: "Total requests: 1563; Idle/Busy workers 100/0;Requests/sec: 13.1; Bytes served/sec: 730KB/sec"
      Tasks: 66 (limit: 19042)
     Memory: 67.2M
        CPU: 1.468s
     CGroup: /system.slice/httpd.service
             ├─2802203 /usr/sbin/httpd -DFOREGROUND
             ├─2802206 /usr/sbin/httpd -DFOREGROUND
             └─2802207 /usr/sbin/httpd -DFOREGROUND

jul 07 10:23:17 marte systemd[1]: Starting httpd.service...
jul 07 10:23:17 marte systemd[1]: Started httpd.service.
Comment 15 Brian Rockwell 2024-07-08 15:17:13 CEST 
Upgrade

Installed for nextcloud server.

After using for awhile confirmed it is working as expected.

I'm moving this one along.

Whiteboard: (none) => MGA9-64-OK

katnatek 2024-07-08 18:49:53 CEST

CC: (none) => andrewsfarm

Comment 16 Thomas Andrews 2024-07-09 04:48:14 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 17 Mageia Robot 2024-07-09 09:01:51 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0258.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED