Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 401081 (CVE-2012-0021) - <www-servers/apache-2.2.22 : "httpOnly" Cookie Disclosure and DoS (CVE-2012-{0021,0031,0053})
Summary: <www-servers/apache-2.2.22 : "httpOnly" Cookie Disclosure and DoS (CVE-2012-{...
Status: RESOLVED FIXED
Alias: CVE-2012-0021
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47779/
Whiteboard: B3 [glsa]
Keywords:
Depends on: 401761
Blocks:
  Show dependency tree
 
Reported: 2012-01-27 20:58 UTC by Agostino Sarubbo
Modified: 2012-06-24 14:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-01-27 20:58:46 UTC
From secunia security advisory at $URL:

Description:
1) An error when handling the "%{cookiename}C" log format string when using a threaded MPM can be exploited to cause a crash by sending a specially crafted cookie.

This vulnerability is reported in versions 2.2.17, 2.2.18, 2.219, 2.2.20, and 2.2.21.

2) An error within the default error response for status code 400 when no custom ErrorDocument is configured can be exploited to expose "httpOnly" cookies.

This vulnerability is reported in versions 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 2.2.18, 2.2.19, 2.2.20, and 2.2.21.


Solution:
Fixed in the SVN repository.

Original Advisory
http://httpd.apache.org/security/vulnerabilities_22.html
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:15:37 UTC
CVE-2012-0053 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053):
  protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly
  restrict header information during construction of Bad Request (aka 400)
  error documents, which allows remote attackers to obtain the values of
  HTTPOnly cookies via vectors involving a (1) long or (2) malformed header in
  conjunction with crafted web script.

CVE-2012-0031 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031):
  scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local
  users to cause a denial of service (daemon crash during shutdown) or
  possibly have unspecified other impact by modifying a certain type field
  within a scoreboard shared memory segment, leading to an invalid call to the
  free function.

CVE-2012-0021 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021):
  The log_cookie function in mod_log_config.c in the mod_log_config module in
  the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used,
  does not properly handle a %{}C format string, which allows remote attackers
  to cause a denial of service (daemon crash) via a cookie that lacks both a
  name and a value.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-04-18 00:05:01 UTC
Added to existing GLSA request.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:29:30 UTC
This issue was resolved and addressed in
 GLSA 201206-25 at http://security.gentoo.org/glsa/glsa-201206-25.xml
by GLSA coordinator Tobias Heinlein (keytoaster).