Bug 1789807 (CVE-2019-16789)

Summary: CVE-2019-16789 waitress: HTTP Request Smuggling through Invalid whitespace characters in headers
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bdettelb, dbecker, hvyas, infra-sig, jjoyce, jschluet, jschorr, kbasil, lhh, lorenzo.gil.sanchez, lpeer, mburns, rbean, sclewis, sisharma, slinaber, slong, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: waitress 1.4.1 Doc Type: If docs needed, set a value
Doc Text:
An HTTP-interpretation flaw was found in waitress, through version 1.4.0. If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, an HTTP request splitting could occur which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. The highest threat from this vulnerability is data integrity.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-05 16:31:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1789809, 1789810, 1790771, 1790772, 1790774, 1790780, 1791027, 1791028    
Bug Blocks: 1789811    

Description Pedro Sampaio 2020-01-10 13:38:49 UTC
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. 

Upstream patch:

https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

References:

https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4

Comment 1 Pedro Sampaio 2020-01-10 13:39:18 UTC
Created python-waitress tracking bugs for this issue:

Affects: epel-all [bug 1789810]
Affects: fedora-all [bug 1789809]

Comment 2 Summer Long 2020-01-14 06:11:49 UTC
External References:

https://docs.pylonsproject.org/projects/waitress/en/latest/#id2

Comment 6 Jason Shepherd 2020-01-14 07:23:17 UTC
While Red Hat Quay declares a dependency on python-waitress, it doesn't appear to be used in the code. Setting the impact to low for Red Hat Quay. It may be fixed in a future version.

Comment 8 Summer Long 2020-01-14 07:25:27 UTC
Created python-waitress tracking bugs for this issue:

Affects: openstack-rdo [bug 1790780]

Comment 14 errata-xmlrpc 2020-03-05 11:57:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720

Comment 15 Product Security DevOps Team 2020-03-05 16:31:54 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16789

Comment 16 Summer Long 2021-01-14 05:43:15 UTC
Statement:

All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low.

For Red Hat OpenStack Platform 13,  because the flaw has a lower impact and  the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.

Comment 17 errata-xmlrpc 2021-02-04 16:14:26 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420