CVE-2022-1388

Wed, 18 May 2022 05:14:27 -0700 

All,
I've been doing some reading about the recently-publicized Big-IP vulnerability and I was wondering if httpd is doing the right thing. 


According to Randori's analysis[1] of the flaw, there is confusion 
between Apache httpd and Jetty (introduced by Big-IP) as to which 
component is responsible for authentication and authorization.



The root of the problem is that they have two different authentication 
mechanisms for different types of users. It's possible to send a request 
that tells Apache httpd "I will be authenticated by Jetty" and by the 
tie the request gets to Jetty it says "I've already been authenticated". 
This is done using some headers:


  Authorization: Basic YWRtaW46
  X-F5-Auth-Token: 1
  Connection: X-Forwarded-Host, X-F5-Auth-Token


Big-IP uses the X-F5-Auth-Token to tell httpd that Jetty will 
authenticate the request, so it proxies the request through to Jetty. 
But the Connection header causes httpd to strip-out the X-F5-Auth-Token 
header as it's being proxied and then Jetty makes a bad decision with 
the Authorization header.


But I'm wondering about why httpd removes that X-F5-Auth-Token header.


RC 2616[1] says that the Connection header contains headers to remove 
from proxied connections, but:


"
Message headers listed in the Connection header MUST NOT include
end-to-end headers, such as Cache-Control.
"

Section 13.5.1[3] defines hop-by-hop and end-to-end headers:

"
 The following HTTP/1.1 headers are hop-by-hop headers:

      - Connection
      - Keep-Alive
      - Proxy-Authenticate
      - Proxy-Authorization
      - TE
      - Trailers
      - Transfer-Encoding
      - Upgrade

   All other headers defined by HTTP/1.1 are end-to-end headers.
"


Given the above, I believe the interpretation of X-F5-Auth-Token should 
be that it is an end-to-end header, and should therefore NOT be removed 
from the proxied request.



The text does say "All other headers *defined by HTTP/1.1* are 
end-to-end headers" (emphasis mine, of course), and the X-F5-Auth-Token 
header isn't defined by HTTP/1.1 (it's a custom one), but I think the 
definition of specific hop-by-hop headers implies that *all* other 
headers should be considered end-to-end.



Have I missed something in my reading of the spec, or the vulnerability 
report itself?


-chris

[1] https://www.randori.com/blog/vulnerability-analysis-cve-2022-1388/
[2] https://datatracker.ietf.org/doc/html/rfc2616#section-14.10
[3] https://datatracker.ietf.org/doc/html/rfc2616#section-13.5.1























					Reply via email to