Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 401081 (CVE-2012-0021)

Summary: <www-servers/apache-2.2.22 : "httpOnly" Cookie Disclosure and DoS (CVE-2012-{0021,0031,0053})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: apache-bugs, pva
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://secunia.com/advisories/47779/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 401761    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2012-01-27 20:58:46 UTC
From secunia security advisory at $URL:

Description:
1) An error when handling the "%{cookiename}C" log format string when using a threaded MPM can be exploited to cause a crash by sending a specially crafted cookie.

This vulnerability is reported in versions 2.2.17, 2.2.18, 2.219, 2.2.20, and 2.2.21.

2) An error within the default error response for status code 400 when no custom ErrorDocument is configured can be exploited to expose "httpOnly" cookies.

This vulnerability is reported in versions 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, and 2.2.21.


Solution:
Fixed in the SVN repository.

Original Advisory
http://httpd.apache.org/security/vulnerabilities_22.html
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:15:37 UTC
CVE-2012-0053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053):
  protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
  restrict header information during construction of Bad Request (aka 400)
  error documents, which allows remote attackers to obtain the values of
  HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in
  conjunction with crafted web script.

CVE-2012-0031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031):
  scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
  users to cause a denial of service (daemon crash during shutdown) or
  possibly have unspecified other impact by modifying a certain type field
  within a scoreboard shared memory segment, leading to an invalid call to the
  free function.

CVE-2012-0021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021):
  The log_cookie function in mod_log_config.c in the mod_log_config module in
  the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used,
  does not properly handle a %{}C format string, which allows remote attackers
  to cause a denial of service (daemon crash) via a cookie that lacks both a
  name and a value.
Comment 2 Sean Amoss gentoo-dev Security 2012-04-18 00:05:01 UTC
Added to existing GLSA request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:30 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).