CVE-2015-3183

Impact:
Moderate
Public Date:
2015-07-15
CWE:
CWE-172
Bugzilla:
1243887: CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks.

Find out more about CVE-2015-3183 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 2.6
Base Metrics AV:N/AC:H/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

CVSS v3 metrics

CVSS3 Base Score 3.7
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact Low

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server RHSA-2016:0061 2016-01-21
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2016:2056 2016-10-12
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpd) RHSA-2016:2055 2016-10-12
Red Hat JBoss Web Server 2.1 RHSA-2016:0062 2016-01-21
Red Hat JBoss Web Server 3.0 for RHEL 6 (httpd24) RHSA-2015:2659 2015-12-16
Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (httpd) RHSA-2016:0061 2016-01-21
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) RHSA-2016:0061 2016-01-21
Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) RHSA-2015:1666 2015-08-24
Red Hat Enterprise Linux 6 (httpd) RHSA-2015:1668 2015-08-24
Red Hat Enterprise Linux 7 (httpd) RHSA-2015:1667 2015-08-24
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2016:2054 2016-10-12
Red Hat JBoss Web Server 3.0 RHSA-2015:2661 2015-12-16
Red Hat JBoss Web Server 3.0 for RHEL 7 (httpd24) RHSA-2015:2660 2015-12-16
Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) RHSA-2015:1666 2015-08-24

Affected Packages State

Platform Package State
Red Hat JBoss EWS 1 httpd Will not fix
Red Hat Enterprise Linux 5 httpd Will not fix
Red Hat Enterprise Linux 4 httpd Will not fix
Red Hat Directory Server 8 httpd Will not fix

Mitigation

Disabling keep-alive (via the "KeepAlive Off" configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd. As disabling keep-alive may be undesired for performance reasons, an alternative way to mitigate this issue is by rejecting connections with requests using chunked encoding. Unlike chunked encoded HTTP responses, chunked encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests with the "Transfer-Encoding: chunked" HTTP header: RewriteEngine on RewriteCond %{HTTP:Transfer-Encoding} ^chunked$ RewriteRule .* - [R=400] This rule can be used with httpd versions as shipped in Red Hat Enterprise Linux 5 and later. If deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked encoded requests.

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.