CVE-2024-38474 in Apache and UnsafeAllow3F addition

[romanstech]

RHEL8.10, OMD 5.4

After the latest RHEL update it's not possible to enter to OMD — receive 403 Forbidden.
It's because of new vulnerability CVE-2024-38474 in Apache.

Root Cause
A substitution encoding issue in mod_rewrite allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL or source disclosure of scripts meant only to be executed as CGI. This is the CVE-2024-38474.

Temporary solution:
Add UnsafeAllow3F flag to 1 row in file etc/apache/conf.dthruk_cookie_auth.conf:
RewriteRule ^(.*)$ ${users:$1|/loginbad/} [C,NS,UnsafeAllow3F]

Permanent solution:
Update Apache in OMD to v.2.4.60+

[sni]

thanks for reporting this. It should be fixed already in the nightly builds starting Aug 15th.

• 171c16f

Seems like rhel patched a bit too hard because the error triggered even on pages not containing escaped question marks. So on rhel8/9 all pages fail with the error.
On newer Ubuntu systems only saving bookmarks in Thruk was broken. This has been fixed with

• sni/Thruk@825dd5b
• Can no longer save bookmarks in thruk sni/Thruk#1383

[romanstech]

Thank you very much!

…

________________________________ From: Sven Nierlein ***@***.***> Sent: Monday, August 26, 2024 5:34:52 PM To: ConSol-Monitoring/omd ***@***.***> Cc: ספונוב רומן ***@***.***>; Author ***@***.***> Subject: Re: [ConSol-Monitoring/omd] CVE-2024-38474 in Apache and UnsafeAllow3F addition (Issue #192) thanks for reporting this. It should be fixed already in the nightly builds starting Aug 15th. * 171c16f<https://protect.checkpoint.com/v2/___https://github.com/ConSol-Monitoring/omd/commit/171c16f8a880564509b8cac91d9437b995e12caa___.YzJlOnRlY2huaW9uOmM6bzpiZjE3NGUwMTdmZmI3Yzc5NTdkYWM2NDc0N2IzZDQ5Zjo2OjQzMWU6YWYxOWY2MDU2YzE5ZmY0ZmFhMGFhOTc1N2Y3M2IwNDc5NzlmN2Q1YzM1ZjkwNDg5NDIxMzRmOTdiODVkOTc1MTpoOlQ6Tg> Seems like rhel systems patched a bit too hard because the error triggered even on pages not containing escaped question marks. So on rhel8/9 all pages fail with the error. On newer Ubuntu systems on saving bookmarks in Thruk was broken. This has been fixed with * ***@***.***<https://protect.checkpoint.com/v2/___https://github.com/sni/Thruk/commit/825dd5bdfffaa2d5afb3ab8e1e3459db8e881eaa___.YzJlOnRlY2huaW9uOmM6bzpiZjE3NGUwMTdmZmI3Yzc5NTdkYWM2NDc0N2IzZDQ5Zjo2OjAyYmU6NDQxYWY3NjAwZGNlZTc3OTU3NTMzZWFmZTkwYWFjNWJmYjJhYmE3YTU0ZTg2ZWJlODMxM2IwMDQyYThkNmNkZDpoOlQ6Tg> * sni/Thruk#1383<https://protect.checkpoint.com/v2/___https://github.com/sni/Thruk/discussions/1383___.YzJlOnRlY2huaW9uOmM6bzpiZjE3NGUwMTdmZmI3Yzc5NTdkYWM2NDc0N2IzZDQ5Zjo2OmQ0NDY6YTBmNGUzM2Y5ODI1Yzc2YTFlZTZmMzQ1MDNkNjMwYTg4MDUxMTY5MGQyM2ZmOGJmNTEzMDRkYmI1M2QwZDk3YzpoOlQ6Tg> — Reply to this email directly, view it on GitHub<https://protect.checkpoint.com/v2/___https://github.com/ConSol-Monitoring/omd/issues/192%23issuecomment-2310370602___.YzJlOnRlY2huaW9uOmM6bzpiZjE3NGUwMTdmZmI3Yzc5NTdkYWM2NDc0N2IzZDQ5Zjo2OmUxNWQ6YTMwNDExMDZlNDU5NjE3YWJjZWUyMzllZTQwZTdmOTc5ZmE1Njc4Y2QwYWE2ZDQzMjRlNzk1ZGI0OTUwYzBjMzpoOlQ6Tg>, or unsubscribe<https://protect.checkpoint.com/v2/___https://github.com/notifications/unsubscribe-auth/APBX24ENI45AGS6VNKIOJNDZTM4IZAVCNFSM6AAAAABNCIQDKWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMJQGM3TANRQGI___.YzJlOnRlY2huaW9uOmM6bzpiZjE3NGUwMTdmZmI3Yzc5NTdkYWM2NDc0N2IzZDQ5Zjo2OjQzOTE6MDEwNzQ5Y2I0OTNjNWNjZWM5NDFiYTc4NmY2OWRjYTljMWQ5NGZlNGFiNjM0ZGYyODQ5NTNmNzg5MGFjZDVkNDpoOlQ6Tg>. You are receiving this because you authored the thread.Message ID: ***@***.***> External e-mail, be judicious when opening attachments or links

[romanstech]

In any case, amazing work! I used Nagios for years but now I really love using OMD.