Bug 1809065 (CVE-2020-8492)
| Summary: | CVE-2020-8492 python: wrong backtracking in urllib.request.AbstractBasicAuthHandler allows for a ReDoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carl, cstratak, dmalcolm, hhorak, jiehuang, jorton, jpyeron, kevin, m.cyprian, mhroncok, mvanderw, pviktori, python-maint, python-sig, rkuska, shcherbina.iryna, slavek.kabrda, steve.traylen, TicoTimo, tomspur, torsava, vstinner |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | python 3.8.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An uncontrolled resource consumption vulnerability was discovered in python in the class AbstractBasicAuthHandler, due to the kind of regular expression used while handling an authentication request in the http_error_auth_reqed method. Client applications that use, directly or indirectly, AbstractBasicAuthHandler to connect to a malicious server may be vulnerable to this flaw, which would cause an uncontrolled use of CPU resources on the victim's system, resulting in a Denial of Service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-09-29 21:59:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1809066, 1809067, 1809068, 1809069, 1809071, 1809072, 1809073, 1809074, 1810615, 1810616, 1810617, 1810618, 1810619, 1810620, 1810621, 1810622, 1810623 | ||
| Bug Blocks: | 1809083, 1827852 | ||
|
Description
Marian Rehak
2020-03-02 11:36:24 UTC
Created python2 tracking bugs for this issue: Affects: fedora-all [bug 1809067] Created python3 tracking bugs for this issue: Affects: fedora-all [bug 1809073] Created python34 tracking bugs for this issue: Affects: epel-all [bug 1809068] Affects: fedora-all [bug 1809072] Created python35 tracking bugs for this issue: Affects: fedora-all [bug 1809069] Created python36 tracking bugs for this issue: Affects: epel-7 [bug 1809066] Affects: fedora-all [bug 1809071] Created python38 tracking bugs for this issue: Affects: fedora-all [bug 1809074] Upstream proposed PR: https://github.com/python/cpython/pull/18284 The attack scenario is an attacker, in control of a server, who tries to conduct a Denial of Service attack against a victim client that uses a vulnerable python version. Due to expensive regular expression in AbstractBasicAuthHandler, when the client receives specially crafted responses from a server it may use all the CPU to match the regular expression. This flaw affects python applications that use AbstractBasicAuthHandler, either directly or indirectly (e.g. including HTTPBasicAuthHandler and ProxyBasicAuthHandler). Lowering the Impact of the flaw to Moderate because the attacker needs to perform the attack from a server to a vulnerable client. Thus a client, to be affected, should first connect to either an untrusted server or to a trusted server that was compromised. Another upstream issue (probably a duplicate): https://bugs.python.org/issue38826 Class AbstractBasicAuthHandler uses a particular regular expression with overlapping characters and nested quantifiers which results in a lot of backtracking on some particular subjects. Backtracking requires the regular expression engine to enumerate all possible solutions, which makes the operation very expensive as it has an exponential cost. For this reason, when a malicious server sends a specially crafted 401 response, the client will take a very long time to parse the request, causing a Denial of Service in some applications. Statement: Applications that use AbstractBasicAuthHandler, HTTPBasicAuthHandler and ProxyBasicAuthHandler may be affected by this flaw. Other classes may use the vulnerable method http_error_auth_reqed in AbstractBasicAuthHandler as well. Versions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as notaffected as they just provide "symlinks" to the main python3 component, which provides the actual interpreter of the Python programming language. FEDORA-2020-6a88dad4a0 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-8bdd3fd7a4 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2020-ea5bdbcc90 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:3888 https://access.redhat.com/errata/RHSA-2020:3888 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8492 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:4285 https://access.redhat.com/errata/RHSA-2020:4285 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4433 https://access.redhat.com/errata/RHSA-2020:4433 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641 |