Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.
Find out more about CVE-2015-3183 from the MITRE CVE dictionary dictionary and NIST NVD.
| Base Score | 2.6 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
| CVSS3 Base Score | 3.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | Low |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server | RHSA-2016:0061 | 2016-01-21 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:2056 | 2016-10-12 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpd) | RHSA-2016:2055 | 2016-10-12 |
| Red Hat JBoss Web Server 2.1 | RHSA-2016:0062 | 2016-01-21 |
| Red Hat JBoss Web Server 3.0 for RHEL 6 (httpd24) | RHSA-2015:2659 | 2015-12-16 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (httpd) | RHSA-2016:0061 | 2016-01-21 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) | RHSA-2016:0061 | 2016-01-21 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) | RHSA-2015:1666 | 2015-08-24 |
| Red Hat Enterprise Linux 6 (httpd) | RHSA-2015:1668 | 2015-08-24 |
| Red Hat Enterprise Linux 7 (httpd) | RHSA-2015:1667 | 2015-08-24 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2016:2054 | 2016-10-12 |
| Red Hat JBoss Web Server 3.0 | RHSA-2015:2661 | 2015-12-16 |
| Red Hat JBoss Web Server 3.0 for RHEL 7 (httpd24) | RHSA-2015:2660 | 2015-12-16 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) | RHSA-2015:1666 | 2015-08-24 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EWS 1 | httpd | Will not fix |
| Red Hat Enterprise Linux 5 | httpd | Will not fix |
| Red Hat Enterprise Linux 4 | httpd | Will not fix |
| Red Hat Directory Server 8 | httpd | Will not fix |
Disabling keep-alive (via the "KeepAlive Off" configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd.
As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header:
RewriteEngine on
RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
RewriteRule .* - [R=400]
This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.
Vulmon