Bug 1879311 (CVE-2020-8201)

Summary: CVE-2020-8201 nodejs: HTTP request smuggling due to CR-to-Hyphen conversion
Product: [Other] Security Response Reporter: Doran Moppert <dmoppert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, hhorak, jhouska, jorton, kmullins, mrunge, nodejs-maint, nodejs-sig, scorneli, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 14.11.0, nodejs 12.18.4, llhttp 2.1.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js, where affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This flaw leads to HTTP Request Smuggling as it is a non-standard interpretation of the header. The highest threat from this vulnerability is to confidentiality and integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-19 20:21:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1878546, 1878547, 1878548, 1878549, 1878550, 1878551, 1879340, 1879341, 1879343, 1879344, 1879345, 1879346    
Bug Blocks: 1878541    

Description Doran Moppert 2020-09-16 01:03:47 UTC 
Affected Node.js versions converted carriage returns in HTTP request headers to a hyphen before parsing. This can lead to HTTP Request Smuggling as it is a non-standard interpretation of the header.

Upstream advisory:

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
Comment 1 Doran Moppert 2020-09-16 03:00:25 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1879340]
Affects: fedora-all [bug 1879341]


Created nodejs:11/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879343]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879344]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879345]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879346]
Comment 3 Jason Shepherd 2020-09-17 22:15:46 UTC 
Statement:

NodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.
Comment 5 Cedric Buissart 2020-09-21 13:12:34 UTC 
Upstream fix :
https://github.com/nodejs/llhttp/commit/9d9da1d0f18599ceddd8f484df5a5ad694d23361
Comment 24 errata-xmlrpc 2020-10-19 07:47:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4272 https://access.redhat.com/errata/RHSA-2020:4272
Comment 25 Product Security DevOps Team 2020-10-19 20:21:47 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8201
Comment 27 errata-xmlrpc 2020-11-04 12:32:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:4903 https://access.redhat.com/errata/RHSA-2020:4903
Comment 30 errata-xmlrpc 2020-11-11 13:35:20 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:5086 https://access.redhat.com/errata/RHSA-2020:5086