CVE-2014-0227 – Apache Tomcat – Request Smuggling

CVE-2014-0227 Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.8
- Apache Tomcat 7.0.0 to 7.0.54
- Apache Tomcat 6.0.0 to 6.0.41

Description:
It was possible to craft a malformed chunk as part of a chunked request
that caused Tomcat to read part of the request body as a new request.
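A strict decoder for chunked request bodies, added here as an illustration and not code from Tomcat or from the advisory, shows the defensive property a fix for this class of bug has to restore: every chunk-size line must match the grammar exactly and each chunk's data must be followed by CRLF, otherwise the whole request is rejected instead of being partially consumed, so no bytes of a body can ever be handed to the parser as the start of a new request. The function names and the sample messages are constructed for this example.

```python
import re
from typing import Tuple

# Chunk-size line: 1 to 8 hex digits, optional chunk extensions, CRLF.
# Anything else (stray characters, missing CRLF, oversized size field) is
# rejected rather than guessed at. No '^' anchor: Pattern.match(data, pos)
# already anchors at pos, and '^' would only match at offset 0.
_CHUNK_SIZE_RE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?\r\n")


class MalformedChunk(ValueError):
    """Raised on any deviation from the chunked-body grammar."""


def decode_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Decode one chunked-encoded body from the start of `data`.

    Returns (body, remainder). `remainder` is whatever follows the
    terminating 0-chunk and trailer section; that is the only slice a
    server may legitimately treat as the beginning of a pipelined request.
    """
    body = bytearray()
    pos = 0
    while True:
        m = _CHUNK_SIZE_RE.match(data, pos)
        if not m:
            raise MalformedChunk(f"bad chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break  # last-chunk; trailers follow
        end = pos + size
        # The chunk must be exactly `size` bytes and then CRLF. A short
        # buffer or a size that does not match the data fails this check,
        # so a later "0\r\n" in the body is never mistaken for framing.
        if data[end:end + 2] != b"\r\n":
            raise MalformedChunk(f"chunk data at offset {pos} not followed by CRLF")
        body += data[pos:end]
        pos = end + 2
    # Trailer section: zero or more "Name: value" lines, then an empty line.
    while True:
        nl = data.find(b"\r\n", pos)
        if nl == -1:
            raise MalformedChunk("unterminated trailer section")
        line = data[pos:nl]
        pos = nl + 2
        if line == b"":
            break
        if b":" not in line:
            raise MalformedChunk("malformed trailer line")
    return bytes(body), data[pos:]


# Constructed sample messages for a quick stand-alone run.
GOOD = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\nGET / HTTP/1.1\r\n"
BAD_SIZE = b"5\r\nabc\r\n0\r\n\r\n"   # declared 5 bytes, only 3 present

if __name__ == "__main__":
    print(decode_chunked(GOOD))
    try:
        decode_chunked(BAD_SIZE)
    except MalformedChunk as exc:
        print("rejected:", exc)
```

The important design choice is that the decoder returns the leftover bytes explicitly instead of leaving them in a shared buffer: the caller sees exactly where one request ends, and a malformed message produces an exception rather than a best-effort body whose tail silently becomes the next request.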

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.9 or later
- Upgrade to Apache Tomcat 7.0.55 or later
- Upgrade to Apache Tomcat 6.0.43 or later
  (6.0.42 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html


Updating Apache to the latest version on DirectAdmin

You can check the current version of apache by running

/usr/sbin/httpd -v


CustomBuild – current

If you’re using custombuild (as most new boxes are), run the following:

cd /usr/local/directadmin/custombuild
./build update
./build apache
./build php n
./build rewrite_confs


CustomApache – end-of-life

If you are using customapache and want to update the 1.3 version of apache to the most recent, run the following:

cd /usr/local/directadmin/customapache
./build clean
./build update
./build apache_mod_ssl

If you’re using apache 2.x, use “./build apache_2” instead of apache_mod_ssl.
This should update both the configure options and the version of apache to the most recent version. Once the update has completed, you’ll need to restart apache:

RedHat:

/sbin/service httpd restart

FreeBSD:

/usr/local/etc/rc.d/httpd restart


Why do I need an owned IP for my own SSL certificate?

The reason you must have your own dedicated IP address when you want to use your own SSL certificate (when you don’t want the server wide shared certificate) is because of the way SSL and Apache (httpd) work.

For name based web-hosting (when many domains are on one IP) the web browser will pass the name of the domain being requested inside the httpd headers along with the request.  This way, Apache knows which domain you are trying to access even though there are many domains on that one IP address.

When you do the same thing through an SSL connection, the connection has to be made *before* the request can be sent.  In this connection, the certificate is passed.  The only information that Apache knows before the request is made is which IP the connection is being made to.  It has to be able to know which certificate to send before the request is made, thus you can’t use multiple certificates on the same IP (if you do, Apache will use the first certificate listed which DA will always set to the server shared certificate for shared IPs).

If you want to use your own certificate, it must be the first certificate listed. This wouldn’t work for a shared IP, because there would be multiple domains wanting this status, and the first certificate would be the one shown. For this reason the shared certificate is always used on a shared IP. For your certificate, DA will acknowledge the IP as being ‘owned’ and will remove the server shared certificate as the first cert to be loaded, thus your certificate will be loaded instead.

How to forward a website to another url

There are several ways to accomplish this task, but the simplest to understand is to use php.

To do this, you need to create the page that will do the forwarding.  This can be any page, as long as it ends in “.php”.  If you are trying to redirect a domain, you’d create “index.php” inside the public_html directory.

Once you decide which page you will use, then create the file and enter the following text:

<?php
// Send the redirect header and stop, so nothing else is output after it.
header("Location: http://whereyouwant.com/to/go.html");
exit;
?>

Where http://whereyouwant.com/to/go.html is the location that you want the page to forward to. You can use local values, i.e. /page.html, or full URLs as in the above example (http://...etc.).


Another way to accomplish this is to use an .htaccess file in the public_html directory.  Sample contents:

Redirect 301 / http://whereyouwant.com/to/go.html

Redirect domain.com to www.domain.com

If you want to force clients to use www.domain.com, you can redirect them from domain.com to the www version with an .htaccess file.

In your public_html folder, create a file called .htaccess and add the code:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^domain\.com
RewriteRule ^(.*)$ http://www.domain.com/$1 [R=permanent]

where you’d need to replace domain\.com and domain.com with your actual domain name. Note the \ character must be present to escape the . character.

Other versions of the same thing do a negation check to see if the domain is not www.domain.com, but that doesn’t work if you have subdomains, hence the need for the explicit check for the value we don’t want.
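The difference between the explicit check and the negated one is easiest to see by evaluating both conditions against a few Host values. This is an added Python simulation of how mod_rewrite matches the two RewriteCond patterns and applies the RewriteRule; it is not from the article or from Apache, the hostnames are constructed, and the function names are assumptions.

```python
import re
from typing import List, Optional, Tuple

# RewriteCond patterns exactly as the article writes them: anchored at the
# start of the Host header only.
EXPLICIT_COND = re.compile(r"^domain\.com")      # the article's recommended check
NEGATED_COND = re.compile(r"^www\.domain\.com")  # used as "!^www\.domain\.com" in the other variant
RULE = re.compile(r"^(.*)$")                     # RewriteRule ^(.*)$ ...
TARGET = "http://www.domain.com/{}"              # ... http://www.domain.com/$1


def _apply_rule(uri: str) -> str:
    # In a per-directory (.htaccess) context mod_rewrite strips the leading
    # slash before the RewriteRule pattern sees the path, so $1 for
    # "/page.html" is "page.html".
    m = RULE.match(uri.lstrip("/"))
    return TARGET.format(m.group(1))


def rewrite_explicit(host: str, uri: str) -> Optional[str]:
    """RewriteCond %{HTTP_HOST} ^domain\\.com : redirect only the bare domain."""
    if not EXPLICIT_COND.match(host):
        return None
    return _apply_rule(uri)


def rewrite_negated(host: str, uri: str) -> Optional[str]:
    """RewriteCond %{HTTP_HOST} !^www\\.domain\\.com : redirect everything that is not www."""
    if NEGATED_COND.match(host):
        return None
    return _apply_rule(uri)


SAMPLE_HOSTS = ["domain.com", "www.domain.com", "blog.domain.com"]  # constructed


def compare(hosts: List[str], uri: str = "/page.html") -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (host, result of explicit rule, result of negated rule) per host."""
    return [(h, rewrite_explicit(h, uri), rewrite_negated(h, uri)) for h in hosts]


if __name__ == "__main__":
    for host, explicit, negated in compare(SAMPLE_HOSTS):
        print(f"{host:18} explicit={explicit}  negated={negated}")
```

Running it shows the point of the article's rule: for blog.domain.com the explicit condition leaves the request alone, while the negated condition sends every subdomain to http://www.domain.com/.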

Adding custom modules to apache for custombuild – DirectAdmin

If you want to add any extra modules to apache in custombuild, they’ll need to be compiled in. Any module that needs to be compiled in will have a --with-<module> type flag which will need to be used. To add this flag, run the following:


cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2
cp configure/ap2/configure.apache custom/ap2/configure.apache
vi custom/ap2/configure.apache

# add your --with-<module> line to the end of the file,
# and make sure the \ character exists at the end of all lines except the last one.
./build clean
./build apache

Then restart apache:

RedHat:
/sbin/service httpd restart

FreeBSD:
/usr/local/etc/rc.d/httpd restart

Debian:
/etc/init.d/httpd restart

If you run into problems, you may also need to recompile php as well:

./build php

Then restart apache again.
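Because every line of configure.apache except the last must end in a backslash, editing the file by hand is easy to get wrong (a missing backslash silently truncates the ./configure command). The following helper is an added example, not part of custombuild or DirectAdmin; the function names and the sample file content are assumptions. It appends a --with-<module> flag while keeping the continuation backslashes consistent, copies the indentation of the previous line, and leaves the file untouched if the flag is already present.

```python
from pathlib import Path
from typing import List

# Constructed sample of a custombuild configure.apache file.
SAMPLE_CONFIGURE = (
    './configure \\\n'
    '        "--prefix=/usr" \\\n'
    '        "--enable-so"\n'
)


def append_flag(text: str, flag: str) -> str:
    """Return `text` with `flag` appended as the last ./configure argument.

    Every existing line is given a trailing backslash if it lacks one, and
    the new line is added without one. If the flag is already present the
    text is returned unchanged.
    """
    lines: List[str] = [line.rstrip() for line in text.splitlines()]
    while lines and lines[-1] == "":
        lines.pop()  # ignore trailing blank lines
    if not lines:
        raise ValueError("configure file is empty")
    for line in lines:
        if line.rstrip("\\").strip() == flag:
            return text  # already configured; nothing to do
    fixed = [line if line.endswith("\\") else line + " \\" for line in lines]
    last = lines[-1]
    indent = last[: len(last) - len(last.lstrip())]
    fixed.append(indent + flag)
    return "\n".join(fixed) + "\n"


def add_flag_to_file(path: str, flag: str) -> bool:
    """Apply append_flag to a file in place; returns True if the file changed."""
    p = Path(path)
    before = p.read_text()
    after = append_flag(before, flag)
    if after != before:
        p.write_text(after)
        return True
    return False


if __name__ == "__main__":
    # Hypothetical module flag; substitute the one your module documents.
    print(append_flag(SAMPLE_CONFIGURE, '"--with-examplemodule"'), end="")
```

Run it against custom/ap2/configure.apache after the cp step above and then continue with ./build clean and ./build apache as described.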