Bug 1852550 (CVE-2020-15049)

Summary: CVE-2020-15049 squid: Request smuggling and poisoning attack against the HTTP cache
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: anon.amish, bnater, code, huzaifas, jonathansteffan, luhliari, uwe.knop, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: squid 4.12, squid 5.0.3
Doc Text:
A flaw was found in squid. A trusted client is able to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages. This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Last Closed: 2020-09-30 09:57:24 UTC
Bug Depends On: 1852551, 1853129, 1853130    
Bug Blocks: 1852556    

Description Guilherme de Almeida Suckevicz 2020-06-30 16:57:52 UTC
This problem allows a trusted client to perform request smuggling and poison the HTTP cache contents with crafted HTTP(S) request messages. This attack requires an upstream server to participate in the smuggling and generate the poison response sequence. Most popular server software is not vulnerable to participation in this attack.

Reference:
https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

Comment 1 Guilherme de Almeida Suckevicz 2020-06-30 16:58:07 UTC
Created squid tracking bugs for this issue:

Affects: fedora-all [bug 1852551]

Comment 3 Huzaifa S. Sidhpurwala 2020-07-02 04:06:40 UTC
External References:

https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5

Comment 13 errata-xmlrpc 2020-09-30 07:01:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4082 https://access.redhat.com/errata/RHSA-2020:4082

Comment 14 Product Security DevOps Team 2020-09-30 09:57:24 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15049

Comment 15 errata-xmlrpc 2020-11-04 03:32:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4743 https://access.redhat.com/errata/RHSA-2020:4743

Comment 16 Eric Christensen 2021-03-30 13:49:33 UTC
Statement:

This issue has been rated as having moderate security impact (despite having a higher CVSS score) because the attack requires an upstream server to participate in the smuggling attack and generate the poison response sequence, which is really uncommon because most popular software is not vulnerable to participation in this attack. While the vulnerability does exist in squid, it is not easily exploitable and requires participation of other components on the network.