Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-58454

mod_proxy_http2 failures after CVE-2024-38477 fix

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Critical Critical
    • rhel-8.10.z
    • rhel-8.10
    • mod_http2
    • None
    • Yes
    • Important
    • rhel-sst-cs-stacks
    • ssg_core_services
    • 2
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • x86_64
    • None

      What were you trying to do that didn't work?

      The CVE-2024-38477 fix exposes a mod_proxy_http2 bug that can now result in request failures whenever a proxy connection is re-attempted. This scenario always hits the "AH00898: URI has no hostname" error check added by the CVE fix. This is fixed upstream in 2.4.60+ by https://github.com/apache/httpd/commit/4d3a308014be26e5407113b4c827a1ea2882bf38 so we need to backport this.

      What is the impact of this issue to you?

      Random failures.

      Please provide the package NVR for which the bug is seen:

      2.4.37-65.module+el8.10.0+22069+b47f5c72.1

      How reproducible is this bug?:

      Very.

      Steps to reproduce

      1. Set up a simple h2 proxy pass with a destination using a short KeepAliveTimeout. This can be self referential in a single httpd config: 
        Protocols h2 h2c http/1.1
KeepAlive On
KeepAliveTimeout 2
ProxyPass /foobar h2c://127.0.0.1:81/

Listen 81
<VirtualHost *:81>
</VirtualHost>
      2. This will reproduce most consistently if you also use an mpm config with a single process: 
        LoadModule mpm_worker_module modules/mod_mpm_worker.so
<IfModule mpm_worker_module>
        ThreadLimit            30
        ServerLimit            1
        StartServers           1
        MinSpareThreads        5
        MaxSpareThreads        30
        ThreadsPerChild        30
        MaxRequestWorkers      30
        MaxConnectionsPerChild 0
</IfModule>
      3. Send a request that will be proxied, wait for the backend destination keepalive timeout to pass then send another request. A simple one liner testing the above config: 
        $ curl localhost/foobar; sleep 3; curl localhost/foobar

      Expected results

      The default welcome page is returned without issue.

      Actual results

      The second request receives a 503 with the following error:

      [Wed Sep 11 12:35:25.133153 2024] [proxy:error] [pid 30682:tid 140183244572416] [client ::1:51798] AH00898: URI has no hostname: / returned by /foobar

      A workaround can be to switch to plain http proxying or set disablereuse on the proxy worker or to set smax=0 with a ttl that is smaller than the backend destination's typical keepalive timeout so httpd will initiate connection closes before the backend (that may avoid most issue occurrences but there may still be some retry occurrences reaching this issue if a connection is closed out by the backend for some other reason prior to the ttl/keepalive timeout):

      ProxyPass /foobar h2c://127.0.0.1:81/ smax=0 ttl=1

            [RHEL-58454] mod_proxy_http2 failures after CVE-2024-38477 fix

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (httpd:2.4 bug fix and enhancement update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHBA-2025:1682

            Errata Tool added a comment - Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (httpd:2.4 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2025:1682

            Halvor Utby (Inactive) added a comment - - edited

            luhliari@redhat.com  We see a fix for RHEL-73580 has recently been released, yet no progress on this issue, which has priority Critical, and for which a two-liner patch has been available since last summer. Any hope for a fix soon?
            In Ubuntu this was fixed in 1 day..

            Halvor Utby (Inactive) added a comment - - edited luhliari@redhat.com   We see a fix for RHEL-73580 has recently been released, yet no progress on this issue, which has priority Critical, and for which a two-liner patch has been available since last summer . Any hope for a fix soon? In Ubuntu this was fixed in 1 day ..

            Halvor Utby (Inactive) added a comment - - edited

            The KB article for this issue suggests "Upgrade to RHEL 9 and its latest httpd 2.4.62+ package" as its first proposed resolution. However:

            • 2.4.62 is still only in beta
            • The patch linked above shows that the issue is fixed in mod_proxy_http2, which lives not in the httpd package, but in the mod_http2 package

            As far as I can tell, no version of the mod_http2 package has yet been provided which contains the patch, for any RHEL version. The changelog for the beta 2.4.62 httpd package(s) mentions only this regression fix, however we have confirmed that (manually) upgrading to 2.4.62 does not in fact resolve this issue - presumably due to the above.

            As it looks to me, a new version of the mod_http2 package needs to be built, with the patch applied, and this should be backported to every version which supplies this package. Or at least every version which also received the security fix that caused this regression, which presumably would be all supported versions.

            What would be a realistic ETA for this to happen? This report seems to now have stalled for several months in Critical state. The issue severely breaks reverse proxying with HTTP/2 - a reasonably common use case for Apache - and the only sufficiently effective workaround (disablereuse) largely negates the performance benefits of using HTTP/2.

            Halvor Utby (Inactive) added a comment - - edited The KB article for this issue suggests "Upgrade to RHEL 9 and its  latest httpd 2.4.62+ package" as its first proposed resolution. However: 2.4.62 is still only in beta The patch linked above shows that the issue is fixed in mod_proxy_http2, which lives not in the httpd package, but in the mod_http2 package As far as I can tell, no version of the mod_http2 package has yet been provided which contains the patch, for any RHEL version. The changelog for the beta 2.4.62 httpd package(s) mentions only this regression fix, however we have confirmed that (manually) upgrading to 2.4.62 does not in fact resolve this issue - presumably due to the above. As it looks to me, a new version of the mod_http2 package needs to be built, with the patch applied, and this should be backported to every version which supplies this package. Or at least every version which also received the security fix that caused this regression, which presumably would be all supported versions. What would be a realistic ETA for this to happen? This report seems to now have stalled for several months in Critical state. The issue severely breaks reverse proxying with HTTP/2 - a reasonably common use case for Apache - and the only sufficiently effective workaround (disablereuse) largely negates the performance benefits of using HTTP/2.

              luhliari@redhat.com Lubos Uhliarik
              rhn-support-aogburn Aaron Ogburn
              Lubos Uhliarik Lubos Uhliarik
              Branislav Náter Branislav Náter
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: