Bug 1550671 (CVE-2018-1067)

Summary: CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20180425:1751,reported=20180301,source=researcher,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,cvss3=5.4/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N,cwe=CWE-113,fedora-all/wildfly=affected,eap-6/jbossweb=notaffected,eap-7/undertow=affected,openshift-1/jbossweb=affected,rhel-6/tomcat6=notaffected,rhel-7/tomcat=notaffected,jbews-2/tomcat7=notaffected,jbews-2/tomcat6=notaffected,eap-7/wildfly=notaffected,jdg-7/wildfly=notaffected,rhev-m-4/eap7-wildfly=notaffected,rhsso-7/wildfly=notaffected,jdg-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,brms-5/jbossweb=wontfix,soap-5/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fuse-6/jbossweb=wontfix,fedora-all/tomcat=affected,epel-6/tomcat=notaffected,rhel-5/tomcat5=notaffected,rhel-8/pki-servlet-container=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,swarm-7/undertow=affected,fedora-all/undertow=affected,rhev-m-4/eap7-undertow=affected
Fixed In Version: undertow 7.1.2.CR1, undertow 7.1.2.GA
Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2016-4993 was incomplete and that the Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also to response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:41:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1592645, 1592647, 1591095, 1592646, 1705077, 1705078
Bug Blocks: 1550674

Description Laura Pardo 2018-03-01 18:45:08 UTC
A flaw was reported: the WildFly 12.0.0.CR1 web server is vulnerable to the injection of arbitrary HTTP headers due to insufficient sanitisation and validation of user-supplied UTF-8 encoded input before it is used as part of an HTTP header value.

Although there is a protection against CRLF injection by detecting the presence of a NewLine character (0x0a), it can be bypassed using characters encoded in UTF-8 as the page will try to convert them back to the original Unicode form and extract the last byte.
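
As an added illustration (not Undertow's or WildFly's code), the following Python models the decode-then-narrow path the report describes and compares the newline-only check with one that validates what will actually reach the wire. The helper names and the narrowing encoder are assumptions made for the model.

```python
# Added example, not code from the Undertow project: models why a CR/LF check
# on the decoded Unicode string is incomplete when each char is later
# narrowed to its low byte on the way to the wire (CWE-113).
from urllib.parse import unquote

CR, LF = 0x0D, 0x0A


def decode_user_input(raw: str) -> str:
    """Model of the server decoding percent-encoded UTF-8 input to Unicode."""
    return unquote(raw, encoding="utf-8", errors="strict")


def narrow_to_wire(value: str) -> bytes:
    """Model of the unsafe step: keep only the low byte of every char."""
    return bytes(ord(c) & 0xFF for c in value)


def naive_is_safe(value: str) -> bool:
    """The incomplete check: looks for CR/LF code points in the decoded string."""
    return "\r" not in value and "\n" not in value


def hardened_is_safe(value: str) -> bool:
    """Allow only printable ASCII and TAB in a header value, so nothing can
    turn into a control byte during a later narrowing or re-encoding step."""
    return all(0x20 <= ord(c) < 0x7F or c == "\t" for c in value)


def check_header_value(raw: str) -> dict:
    """Run both checks and report whether the emitted bytes contain CR or LF."""
    value = decode_user_input(raw)
    wire = narrow_to_wire(value)
    return {
        "naive": naive_is_safe(value),
        "hardened": hardened_is_safe(value),
        "wire_has_crlf": CR in wire or LF in wire,
    }


if __name__ == "__main__":
    # Constructed inputs: a plain value, and one whose UTF-8 char has low byte 0x0A.
    for raw in ("session=abc123", "x%C4%8Ay"):
        print(raw, check_header_value(raw))
```

The second constructed input passes the newline-only check yet yields a LF on the wire, which is the bypass the report describes; the hardened check rejects it before encoding.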

Comment 1 Bharti Kundal 2018-03-06 00:54:55 UTC
Acknowledgments:

Name: Ammarit Thongthua (Deloitte Thailand Pentest team), Nattakit Intarasorn (Deloitte Thailand Pentest team)

Comment 4 errata-xmlrpc 2018-04-25 18:22:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248

Comment 5 errata-xmlrpc 2018-04-25 18:25:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247

Comment 6 errata-xmlrpc 2018-04-25 18:36:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249

Comment 7 errata-xmlrpc 2018-04-25 19:45:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251

Comment 11 Doran Moppert 2018-06-19 03:57:42 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1592646]


Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1592647]


Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1592645]

Comment 12 errata-xmlrpc 2018-09-04 13:44:55 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643

Comment 14 errata-xmlrpc 2019-04-24 18:46:43 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877