Bug 1800364 (CVE-2019-15605)

Summary: CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bdettelb, dapospis, hhorak, igor.raits, jorton, jschorr, lkundrak, mrunge, nodejs-maint, nodejs-sig, scorneli, scorreia, sgallagh, tchollingsworth, thrcka, tomckay, vascom2, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 10.19.0, nodejs 12.15.0, nodejs 13.8.0, http-parser 2.9.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-24 15:49:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1800371, 1800372, 1800373, 1800374, 1800375, 1800376, 1800377, 1800378, 1800379, 1800380, 1800381, 1802486, 1802487, 1802488, 1802489, 1802490, 1802501, 1803853, 1803854, 1821340    
Bug Blocks: 1800362    

Description Jason Shepherd 2020-02-07 00:12:24 UTC 
Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

Downloads & release details

* Node.js v10.19.0 (LTS) - https://nodejs.org/en/blog/release/v10.19.0/
* Node.js v12.15.0 (LTS) - https://nodejs.org/en/blog/release/v12.15.0/
* Node.js v13.8.0 (LTS) - https://nodejs.org/en/blog/release/v13.8.0/
Comment 2 Doran Moppert 2020-02-07 00:58:41 UTC 
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1800376]
Comment 5 Jason Shepherd 2020-02-12 00:01:52 UTC 
Also fixed in http-parser-js 2.9.3 see: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
Comment 6 Jason Shepherd 2020-02-12 23:45:01 UTC 
Actually the commit in the previous comment refers to the 'http-parser' c library that ships in Fedora and RHEL. Not the http-parser-js javascript library as previously mentioned.
Comment 7 Cedric Buissart 2020-02-13 10:21:12 UTC 
Created http-parser tracking bugs for this issue:

Affects: fedora-all [bug 1802501]
Comment 8 Tomas Hoger 2020-02-13 20:37:44 UTC 
External References:

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
Comment 11 Cedric Buissart 2020-02-14 12:14:30 UTC 
HackerOne report (currently not public):
https://hackerone.com/reports/735748

Upstream commits :
* http-parser: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
* llhttp : https://github.com/nodejs/llhttp/commit/e19af786a172a8ba71a3d13fccc0fd4dfe4b1b94
Comment 14 errata-xmlrpc 2020-02-24 12:53:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573
Comment 15 Product Security DevOps Team 2020-02-24 15:49:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15605
Comment 16 errata-xmlrpc 2020-02-25 08:36:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579
Comment 17 errata-xmlrpc 2020-02-25 13:04:38 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597
Comment 18 errata-xmlrpc 2020-02-25 13:39:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0598
Comment 19 errata-xmlrpc 2020-02-25 15:53:18 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602
Comment 20 errata-xmlrpc 2020-03-04 12:44:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0703 https://access.redhat.com/errata/RHSA-2020:0703
Comment 21 errata-xmlrpc 2020-03-04 17:17:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0707 https://access.redhat.com/errata/RHSA-2020:0707
Comment 22 errata-xmlrpc 2020-03-04 17:27:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0708 https://access.redhat.com/errata/RHSA-2020:0708
Comment 25 errata-xmlrpc 2020-04-21 11:14:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1510 https://access.redhat.com/errata/RHSA-2020:1510