Bug 1791420 (CVE-2019-16785)
| Summary: | CVE-2019-16785 waitress: HTTP request smuggling through LF vs CRLF handling | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | bdettelb, dbecker, hvyas, infra-sig, jjoyce, jschluet, jschorr, kbasil, lhh, lorenzo.gil.sanchez, lpeer, mburns, rbean, sclewis, sisharma, slinaber, tomckay |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | waitress 1.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An HTTP-request vulnerability was discovered in Waitress which implemented a "MAY" part of the RFC7230 which states: "Although the line terminator for the start-line and header fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR." Unfortunately, if a front-end server does not process header fields with an LF the same way as it processes those with a CRLF, it can lead to the front-end and the back-end server processing the same HTTP message in two different ways. This vulnerability can lead to a potential for HTTP request smuggling and splitting where Waitress may see two requests, while the front-end server only sees a single HTTP message.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-05 16:32:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1791421, 1791422, 1791423, 1791485, 1791486, 1791487, 1793270, 1793271 | ||
| Bug Blocks: | 1791424 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-01-15 19:38:51 UTC
Created python-waitress tracking bugs for this issue: Affects: epel-all [bug 1791421] Affects: fedora-all [bug 1791422] Affects: openstack-rdo [bug 1791423] While Red Hat Quay declares a dependency on python-waitress, it doesn't appear to be used in the code. Setting the impact to low for Red Hat Quay. It may be fixed in a future version. External References: https://docs.pylonsproject.org/projects/waitress/en/latest/#id6 This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16785 Statement: All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low. In Red Hat OpenStack Platform 13, because the flawed code is not used and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package. This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420 |