CVE-2015-3183
Find out more about CVE-2015-3183 from the MITRE CVE dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 2.6 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
CVSS v3 metrics
| CVSS3 Base Score | 3.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Low |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server | RHSA-2016:0061 | 2016-01-21 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:2056 | 2016-10-12 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpd) | RHSA-2016:2055 | 2016-10-12 |
| Red Hat JBoss Web Server 2.1 | RHSA-2016:0062 | 2016-01-21 |
| Red Hat JBoss Web Server 3.0 for RHEL 6 (httpd24) | RHSA-2015:2659 | 2015-12-16 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 5 Server (httpd) | RHSA-2016:0061 | 2016-01-21 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (httpd) | RHSA-2016:0061 | 2016-01-21 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (httpd24-httpd) | RHSA-2015:1666 | 2015-08-24 |
| Red Hat Enterprise Linux 6 (httpd) | RHSA-2015:1668 | 2015-08-24 |
| Red Hat Enterprise Linux 7 (httpd) | RHSA-2015:1667 | 2015-08-24 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2016:2054 | 2016-10-12 |
| Red Hat JBoss Web Server 3.0 | RHSA-2015:2661 | 2015-12-16 |
| Red Hat JBoss Web Server 3.0 for RHEL 7 (httpd24) | RHSA-2015:2660 | 2015-12-16 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (httpd24-httpd) | RHSA-2015:1666 | 2015-08-24 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EWS 1 | httpd | Will not fix |
| Red Hat Enterprise Linux 5 | httpd | Will not fix |
| Red Hat Enterprise Linux 4 | httpd | Will not fix |
| Red Hat Directory Server 8 | httpd | Will not fix |
Mitigation
Disabling keep-alive (via the "KeepAlive Off" configuration setting, which is used in the default configuration in Red Hat Enterprise Linux 6 and earlier) will prevent httpd from reading multiple requests from a single TCP connection, and should also prevent it from handling any request that was smuggled through the proxy in front of the httpd.
As disabling keep-alive may be undesirable for performance reasons, an alternative way to mitigate this issue is to reject requests that use chunked transfer encoding. Unlike chunked-encoded HTTP responses, chunked-encoded HTTP requests are not believed to be commonly used. The following mod_rewrite rule will reject requests carrying the "Transfer-Encoding: chunked" HTTP header:

```apache
# Enable mod_rewrite processing in this context
RewriteEngine on
# Match only when the request's Transfer-Encoding header is exactly "chunked"
RewriteCond %{HTTP:Transfer-Encoding} ^chunked$
# Stop processing and answer with 400 Bad Request instead of reading the body
RewriteRule .* - [R=400]
```
This rule can be used with the httpd versions shipped in Red Hat Enterprise Linux 5 and later. If it is deployed, administrators should monitor httpd logs for an increase in the number of requests resulting in HTTP error code 400 (Bad Request), which may indicate legitimate clients actually trying to use chunked-encoded requests.
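The monitoring step above is easy to automate. The following script is an added example and is not part of the Red Hat advisory: it parses httpd access-log lines in the default combined log format, counts requests and 400 responses per hour, and flags hours in which the share of 400s rises well above a baseline taken from hours before the rewrite rule was deployed. The log lines, the hour buckets, the `factor` and `min_bad` thresholds and the `flag_spikes` helper are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the leading fields of Apache's common/combined log format; the
# trailing referer and user-agent fields, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (hour bucket 'YYYY-MM-DD HH', status code, request line),
    or None for lines that do not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.strftime("%Y-%m-%d %H"), int(m.group("status")), m.group("req")


def bad_request_rate_by_hour(lines):
    """Map each hour bucket to (total_requests, http_400_count)."""
    totals = defaultdict(int)
    bad = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than aborting the whole run
        hour, status, _ = parsed
        totals[hour] += 1
        if status == 400:
            bad[hour] += 1
    return {h: (totals[h], bad[h]) for h in totals}


def flag_spikes(rates, baseline_hours, factor=3.0, min_bad=3):
    """Return [(hour, total, bad_count)] for hours outside the baseline whose
    share of 400 responses exceeds `factor` times the baseline share and
    has at least `min_bad` such responses (constructed thresholds)."""
    base_total = sum(rates[h][0] for h in baseline_hours if h in rates)
    base_bad = sum(rates[h][1] for h in baseline_hours if h in rates)
    base_share = base_bad / base_total if base_total else 0.0
    flagged = []
    for hour in sorted(rates):
        if hour in baseline_hours:
            continue
        total, bad = rates[hour]
        share = bad / total if total else 0.0
        if bad >= min_bad and share > factor * base_share:
            flagged.append((hour, total, bad))
    return flagged


# Constructed sample log: hour 09 was recorded before the rewrite rule went
# live; in hour 10 an API client that sends chunked request bodies is rejected.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Aug/2015:09:01:10 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Aug/2015:09:01:11 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Aug/2015:09:12:44 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Aug/2015:09:30:02 +0000] "POST /api/upload HTTP/1.1" 200 88 "-" "python-requests/2.7"',
    '10.0.0.7 - - [25/Aug/2015:09:45:59 +0000] "GET /api/status HTTP/1.1" 200 40 "-" "python-requests/2.7"',
    '10.0.0.5 - - [25/Aug/2015:10:02:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Aug/2015:10:05:13 +0000] "POST /api/upload HTTP/1.1" 400 226 "-" "python-requests/2.7"',
    '10.0.0.7 - - [25/Aug/2015:10:05:14 +0000] "POST /api/upload HTTP/1.1" 400 226 "-" "python-requests/2.7"',
    '10.0.0.7 - - [25/Aug/2015:10:05:15 +0000] "POST /api/upload HTTP/1.1" 400 226 "-" "python-requests/2.7"',
    '10.0.0.8 - - [25/Aug/2015:10:20:40 +0000] "POST /api/upload HTTP/1.1" 400 226 "-" "python-requests/2.7"',
    '10.0.0.9 - - [25/Aug/2015:10:31:00 +0000] "GET /api/status HTTP/1.1" 200 40 "-" "python-requests/2.7"',
    'garbage line that is not in log format',
]

if __name__ == "__main__":
    rates = bad_request_rate_by_hour(SAMPLE_LOG)
    for hour, (total, bad) in sorted(rates.items()):
        print(f"{hour}: {total} requests, {bad} x HTTP 400")
    for hour, total, bad in flag_spikes(rates, baseline_hours={"2015-08-25 09"}):
        print(f"spike: {hour} had {bad}/{total} requests rejected with 400")
```

The 400 count is an indirect signal, since other malformed requests also produce 400. If the rewrite rule is deployed, adding `%{Transfer-Encoding}i` to the `LogFormat` directive records the request's Transfer-Encoding header in the access log, so the same script can be narrowed to lines that were rejected specifically because of chunked encoding.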
