Bug 1481665 (CVE-2017-7559)

Summary: CVE-2017-7559 undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apo, bdawidow, bmaxwell, carnil, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, drieden, grocha, jawilson, jshepherd, krathod, lef, lgao, myarboro, pdrozd, pgier, psakar, pslavice, psotirop, puntogil, rnetuka, rsvoboda, sdouglas, security-response-team, sthorger, twalsh, vtunka, yjog
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: undertow 1.3.34.Final, undertow 1.4.23.Final, undertow 2.0.1.Final Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:20:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1481666, 1520314, 1527613    

Description Adam Mariš 2017-08-15 12:01:20 UTC 
It was found that original patch for CVE-2017-2666 issue in undertow was incomplete and invalid characters are still allowed in the query string and path parameters.
Comment 1 Adam Mariš 2017-08-15 12:01:36 UTC 
Acknowledgments:

Name: Stuart Douglas (Red Hat)
Comment 3 errata-xmlrpc 2017-12-13 17:37:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
Comment 4 errata-xmlrpc 2017-12-13 18:29:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
Comment 5 errata-xmlrpc 2017-12-13 18:44:57 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
Comment 6 errata-xmlrpc 2017-12-13 18:55:21 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
Comment 7 Salvatore Bonaccorso 2017-12-28 08:36:24 UTC 
Hi

Do you have any further information which upstream change fixes the issue? I sthere a upstream issue reported for that? 

Regards,
Salvatore
Comment 8 Fabio Olive Leite 2017-12-28 17:21:09 UTC 
Setting needinfo to Bharti Kundal so that she sees it.
Comment 11 errata-xmlrpc 2018-01-03 10:21:28 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
Comment 12 errata-xmlrpc 2018-01-03 10:32:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
Comment 13 errata-xmlrpc 2018-01-03 10:35:05 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004
Comment 14 errata-xmlrpc 2018-01-03 10:51:59 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005
Comment 15 Bharti Kundal 2018-01-04 08:18:51 UTC 
(In reply to Salvatore Bonaccorso from comment #7)
> Hi
> 
> Do you have any further information which upstream change fixes the issue? I
> sthere a upstream issue reported for that? 
> 
> Regards,
> Salvatore

Hi Salvatore,

The upstream JIRA is :https://issues.jboss.org/browse/UNDERTOW-1251 .You can get more information from there.

Thanks and Regards,
Bharti
Comment 16 Markus Koschany 2018-01-31 22:20:30 UTC 
We tried to find more information about CVE-2017-7559 and CVE-2017-12165 but could not find any in undertow's bug tracker. For both issues you pointed us to https://issues.jboss.org/browse/UNDERTOW-1251. 

UNDERTOW-1251 is about CVE-2017-2666 though. What are the corresponding issues for CVE-2017-7559 and CVE-2017-12165?

Thanks,

Markus
Comment 17 Yogendra Jog 2018-02-01 11:56:51 UTC 
Setting needinfo to Bharti Kundal so that she sees it.
Comment 20 errata-xmlrpc 2018-05-03 19:04:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322
Comment 21 Gabriel Rocha 2019-01-15 06:55:52 UTC 
Chess, can you sort this out and close off that needinfo as needed? Thanks!
Comment 26 Paramvir jindal 2019-10-15 11:16:16 UTC 
Since this fixed in undertow 2.0.1.Final already I am marking RHSSO 7.3.3 (latest as of today) as not affected as it ships undertow 2.0.22.Final
Comment 27 Paramvir jindal 2019-10-15 11:17:40 UTC 
Marking fuse 6 as ooss as this flaw is moderate and for fuse 6, we do only important and critical flaws.