Bug 1813447 (CVE-2020-10109)
| Summary: | CVE-2020-10109 python-twisted: HTTP request smuggling when presented with a Content-Length and a chunked Transfer-Encoding header | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | bbuckingham, bcourt, bkearney, bmontgom, btotty, dbecker, dominik.mierzejewski, eclipseo, eparis, hhudgeon, hvyas, jburrell, jjoyce, jokerman, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhroncok, mmccune, nstielau, python-maint, python-sig, rchan, rhos-maint, rjerrido, sclewis, slinaber, sokeeffe, sponnaga, tvignaud |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | twisted 20.3.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in python-twisted-web, where it does not correctly process HTTP requests with both Content-Length and Transfer-Encoding headers. When the requests sent from and to the python-twisted-web are processed by another component that correctly processes HTTP requests, for example, a proxy, back-end, or web application firewall, a remote attacker can use this flaw to perform an HTTP request smuggling attack. This flaw impacts the system differently based on the type of application and the infrastructure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-23 16:31:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1813448, 1813449, 1813450, 1818678, 1818679, 1818681, 1819271, 1819272, 1821421, 1821422, 1821423, 1823598, 1825802 | ||
| Bug Blocks: | 1813453 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-03-13 20:02:33 UTC
Created python-twisted tracking bugs for this issue: Affects: epel-8 [bug 1813450] Affects: fedora-all [bug 1813449] Affects: openstack-rdo [bug 1813448] External References: https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework. rhel-6/python-twisted-web is not affected by this flaw because the logic in function headerReceived() is a bit different from the vulnerable version, so even if both Content-Length and Transfer-Encoding are specified, the Transfer-Encoding one will have precedence over the Content-Length. Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP requests smuggling attacks are more relevant. That said, the kind of impact these flaws can do can vary a lot based on the application, the infrastructure and the configuration. Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings. Mitigation: When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use. First upstream version to introduce this issue is twisted-9.0.0. The first vulnerable commits appears to be: https://github.com/twisted/twisted/commit/54898f28f4bab89cef9ab8f0c78c748b560c4e22 . This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10109 Statement: Although Red Hat OpenStack Platform packages the flawed code, python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate and no update will be provided at this time for the RHOSP python-twisted package . OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used. Red Hat Satellite uses affected versions of `python-twisted` and `python-twisted-web` modules in Pulp, however, it is not vulnerable since `http` modal of web implementation is not expose in product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in future. This issue affects the version of python-twisted(embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed. |