Bug 1789807 (CVE-2019-16789)
Summary: | CVE-2019-16789 waitress: HTTP Request Smuggling through Invalid whitespace characters in headers | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | bdettelb, dbecker, hvyas, infra-sig, jjoyce, jschluet, jschorr, kbasil, lhh, lorenzo.gil.sanchez, lpeer, mburns, rbean, sclewis, sisharma, slinaber, slong, tomckay |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | waitress 1.4.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
An HTTP-interpretation flaw was found in waitress, through version 1.4.0. If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, an HTTP request splitting could occur which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. The highest threat from this vulnerability is data integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-03-05 16:31:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1789809, 1789810, 1790771, 1790772, 1790774, 1790780, 1791027, 1791028 | ||
Bug Blocks: | 1789811 |
Description
Pedro Sampaio
2020-01-10 13:38:49 UTC
Created python-waitress tracking bugs for this issue: Affects: epel-all [bug 1789810] Affects: fedora-all [bug 1789809] External References: https://docs.pylonsproject.org/projects/waitress/en/latest/#id2 While Red Hat Quay declares a dependency on python-waitress, it doesn't appear to be used in the code. Setting the impact to low for Red Hat Quay. It may be fixed in a future version. Created python-waitress tracking bugs for this issue: Affects: openstack-rdo [bug 1790780] This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16789 Statement: All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low. For Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package. This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420 |