ConSol-Monitoring / omd

OMD - Open Monitoring Distribution Labs Edition.
http://omd.consol.de
GNU General Public License v2.0

CVE-2024-38474 in Apache and UnsafeAllow3F addition #192

Closed romanstech closed 2 months ago

romanstech commented 3 months ago

RHEL8.10, OMD 5.4

After the latest RHEL update it's not possible to enter OMD; you receive 403 Forbidden. It's because of the new vulnerability CVE-2024-38474 in Apache.

Root Cause: A substitution encoding issue in mod_rewrite allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI. This is CVE-2024-38474.

Temporary solution: Add the UnsafeAllow3F flag to 1 row in the file etc/apache/conf.d/thruk_cookie_auth.conf:

RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,UnsafeAllow3F]

Permanent solution: Update Apache in OMD to v.2.4.60+
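
Added example, not part of the original post or of OMD's own code: because the post above describes UnsafeAllow3F as a temporary workaround, this shell function lists active RewriteRule lines that still carry the flag so they can be reviewed once a fixed build is installed. The function names and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the OMD project): find RewriteRule lines that still
# carry the UnsafeAllow3F workaround flag.

# find_unsafe_allow3f DIR
# Prints "file:line:directive" for each non-commented RewriteRule in *.conf
# files under DIR whose trailing [flags] block contains UnsafeAllow3F
# (directive and flag are matched case-insensitively). Always returns 0.
find_unsafe_allow3f() {
    find "$1" -type f -name '*.conf' -exec grep -HniE \
        '^[[:space:]]*RewriteRule[[:space:]].*\[([^],]*,)*[[:space:]]*UnsafeAllow3F[[:space:]]*(,[^]]*)?][[:space:]]*$' \
        {} + || true
}

# count_unsafe_allow3f DIR: number of flagged rules (0 when the tree is clean).
count_unsafe_allow3f() {
    find_unsafe_allow3f "$1" | wc -l | tr -d ' '
}

# make_sample_conf DIR: writes constructed sample config files for the demo.
make_sample_conf() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/cookie_auth_sample.conf" <<'EOF'
RewriteEngine On
# RewriteRule ^(.*)$ /old/$1 [UnsafeAllow3F]
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,UnsafeAllow3F]
RewriteRule ^/static/(.*)$ /files/$1 [L,QSA]
EOF
    cat > "$1/conf.d/clean_sample.conf" <<'EOF'
RewriteRule ^/a$ /b [R=302,L]
EOF
}

# Demo on constructed input: the commented-out rule is ignored and only the
# active rule on line 3 of cookie_auth_sample.conf is reported.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir"
find_unsafe_allow3f "$demo_dir"
rm -rf "$demo_dir"
```

To check a real site, call `find_unsafe_allow3f` with the directory that holds the site's Apache configuration.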

sni commented 3 months ago

Thanks for reporting this. It should be fixed already in the nightly builds starting Aug 15th.

Seems like RHEL patched a bit too hard because the error triggered even on pages not containing escaped question marks. So on RHEL 8/9 all pages fail with the error. On newer Ubuntu systems only saving bookmarks in Thruk was broken. This has been fixed with

romanstech commented 3 months ago

Thank you very much!



romanstech commented 3 months ago

In any case, amazing work! I used Nagios for years but now I really love using OMD.

sni commented 2 months ago

Nightly builds are fine now and work with old/new Apache versions.