A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
Find out more about CVE-2013-5704 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the versions of the httpd package as shipped with Red Hat JBoss Enterprise Application Platform 6; and Red Hat JBoss Web Server 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Red Hat Certificate System does not use the mod_headers module, even when installed, and is thus not affected by this flaw.
Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Red Hat JBoss Enterprise Application Platform 5 and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (httpd) | RHSA-2015:1249 | 2015-07-20 |
| Red Hat JBoss Web Server 3.0 for RHEL 7 | RHSA-2015:2660 | 2015-12-16 |
| Red Hat JBoss Web Server 3.0 for RHEL 6 | RHSA-2015:2659 | 2015-12-16 |
| Red Hat JBoss Web Server 2.1 | RHSA-2016:0062 | 2016-01-21 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (httpd) | RHSA-2016:0061 | 2016-01-21 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server | RHSA-2016:0061 | 2016-01-21 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) | RHSA-2016:0061 | 2016-01-21 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 (httpd24-httpd) | RHSA-2014:1972 | 2014-12-09 |
| Red Hat JBoss Web Server 3.0 | RHSA-2015:2661 | 2015-12-16 |
| Red Hat Enterprise Linux 7 (httpd) | RHSA-2015:0325 | 2015-03-05 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 (httpd24-httpd) | RHSA-2014:1972 | 2014-12-09 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EWS 1 | httpd | Will not fix |
| Red Hat JBoss EAP 6 | httpd | Fix deferred |
| Red Hat JBoss EAP 5 | httpd | Will not fix |
| Red Hat Enterprise Linux 5 | httpd | Will not fix |
| Red Hat Directory Server 8 | httpd | Will not fix |
Vulmon