Bug 1849734 (CVE-2020-13962)
| Field | Value |
|---|---|
| Summary | CVE-2020-13962 qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications |
| Product | [Other] Security Response |
| Reporter | Michael Kaplan <mkaplan> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | chkr, helio, j.golderer, jgrulich, johnhatestrash, rdieter |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | QT 5.12.9, QT 5.14.3, QT 5.15.0 Beta4 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2020-11-04 02:26:10 UTC |
| Bug Depends On | 1849735, 1849737, 1851538 |
| Bug Blocks | 1849738 |
Description

Michael Kaplan, 2020-06-22 16:58:27 UTC

Created mumble tracking bugs for this issue:

Affects: fedora-all [bug 1849735]

Created qt5 tracking bugs for this issue:

Affects: fedora-all [bug 1849737]

Technical Summary:

qt5-qtbase calls q_SSL_shutdown() in QSslSocketBackendPrivate::destroySslContext() from src/network/ssl/qsslsocket_openssl.cpp without checking that it is not in the middle of an SSL handshake. Calling q_SSL_shutdown() during a handshake creates an OpenSSL error that is not handled by Qt5, and closes connections, even in other QSslSockets.

> Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]

The patch introduces a function q_SSL_in_init() to ensure there is no active handshake and checks for any SSL errors before calling q_SSL_shutdown().

This flaw could lead to a denial of service in both the connection that called q_SSL_shutdown() and any other open connections with other clients.

In order for an application to be vulnerable, it would need to utilize the SSL/TLS functionality of qt5-qtcore 5.12.2 through 5.14.2.

Upstream patch: https://codereview.qt-project.org/c/qt/qtbase/+/297149

Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13962

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4690 https://access.redhat.com/errata/RHSA-2020:4690