Bug 1790277 (CVE-2019-20372)
Summary: | CVE-2019-20372 nginx: HTTP request smuggling in configurations with URL redirect used as error_page | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | affix, apmukher, athmanem, bnater, btarraso, cmoore, dmetzger, gandavar, gblomqui, gmainwar, gmccullo, gtanzill, hhorak, jeremy, jfrey, jhardy, jkaluza, jlaska, jorton, jshepherd, kaycoth, kdixon, kwalsh, luhliari, mmello, obarenbo, pavel.lisy, peter.borsa, roliveri, simaishi, smallamp, wtogami, ytale |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nginx 1.17.7 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-07-02 19:27:34 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1790278, 1790280, 1790494, 1790495, 1795545, 1795546, 1798229, 1798230, 1798231, 1798232, 1798233, 1848449, 1888154, 1898952, 1936716 | ||
Bug Blocks: | 1790279 |
Description
Pedro Sampaio
2020-01-13 02:36:43 UTC
Created nginx tracking bugs for this issue: Affects: fedora-all [bug 1790278] Created nginx tracking bugs for this issue: Affects: epel-all [bug 1790280] We don't use nginx directly in CloudForms 5.11, that came to CFME as 'ansible-tower-server' dependency. We don't use that RPM anymore, the only RPM we take from Tower is 'ansible-tower-venv-ansible' so cfme-5.11 is not vulnerable. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2817 https://access.redhat.com/errata/RHSA-2020:2817 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20372 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:5495 https://access.redhat.com/errata/RHSA-2020:5495 This issue has been addressed in the following products: Red Hat Ansible Tower 3.7 for RHEL 7 Via RHSA-2021:0779 https://access.redhat.com/errata/RHSA-2021:0779 This issue has been addressed in the following products: Red Hat Ansible Tower 3.6 for RHEL 7 Via RHSA-2021:0778 https://access.redhat.com/errata/RHSA-2021:0778 Mitigation: To mitigate this issue, use a named location instead of having the error_page handler do the redirect, this configuration is not vulnerable to request smuggling on all versions of NGINX we tested. server { listen 80; server_name localhost; error_page 401 @401; location / { return 401; } location @401 { return 302 http://example.org; } } Statement: Ansible Tower 3.5 and 3.6 are not vulnerable by default as are not using error_page variable in the nginx configuration. However, Ansible Tower 3.5 and 3.6 are distributing nginx 1.14 and 1.16 vulnerable versions as a dependency and configuration could be modified making it vulnerable. Red Hat CloudForms Management Engine 5.9 and 5.10 are not vulnerable by default as are not using error_page variable in the nginx configuration. However, both mentioned builds ships vulnerable nginx versions 1.10 and 1.14 respectively. CloudForms 5.11 does not use nginx directly hence it is not vulnerable. Red Hat Quay's configuration of nginx means it's not affected by this issue. It doesn't use error_page to do a 302 redirect. It's only use of error_page uses a named location ie: error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } |