Bug 1660998 (CVE-2018-12116)

Summary: CVE-2018-12116 nodejs: HTTP request splitting
Product: [Other] Security Response Reporter: Laura Pardo <lpardo>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: hhorak, jorton, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 8.14.0, nodejs 6.15.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-22 15:06:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1660999, 1661000, 1666338, 1666339, 1720097, 1720098, 1720099, 1720100    
Bug Blocks: 1661014    

Description Laura Pardo 2018-12-19 19:37:24 UTC 
A flaw was found in Node.js before 6.15.0 and 8.14.0. An HTTP request splitting. If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server. 


References:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
Comment 1 Laura Pardo 2018-12-19 19:37:44 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1661000]
Affects: fedora-all [bug 1660999]
Comment 2 Cedric Buissart 2019-01-15 14:31:08 UTC 
Upstream fixes:

node.js 8 : https://github.com/nodejs/node/commit/513e9747a22
master:     https://github.com/nodejs/node/commit/b961d9fd83c
Comment 6 Sam Fowler 2019-06-13 07:17:49 UTC 
Statement:

The nodejs RPMs shipped in Red Hat OpenShift Container Platform (OCP) versions 3.6 through 3.10 are vulnerable to this flaw because they contain the affected code. Later versions of OCP used nodejs RPMs delivered from Red Hat Software Collections and Red Hat Enterprise Linux channels.
Comment 9 errata-xmlrpc 2019-07-22 13:37:50 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821
Comment 10 Product Security DevOps Team 2019-07-22 15:06:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-12116