Bug 1886587 (CVE-2020-13956)
| Summary: | CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, aogburn, aos-bugs, asoldano, atangrin, ataylor, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, bmontgom, brian.stansberry, btofel, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, eparis, eric.wittmann, etirelli, ganandan, ggaughan, gmalinko, gsmet, gvarsami, hbraun, hhorak, ibek, iweiss, janstey, java-maint, jawilson, jbalunas, jburrell, jcantril, jcoleman, jochrist, jokerman, jolee, jorton, jpallich, jperkins, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, loleary, lthon, mnovotny, msochure, msvehla, mszynkie, neugens, nstielau, nwallace, pantinor, pdrozd, pgallagh, pjindal, pmackay, probinso, pskopek, qe-baseos-apps, rguimara, rjaiswal, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sbiarozk, sdaley, sd-operator-metering, sdouglas, sgehwolf, sguilhen, smaestri, spinder, sponnaga, sthorger, swoodman, tcunning, theute, tkirby, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | httpclient 4.5.13, httpclient 5.0.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-01-12 18:27:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1887784, 1887785, 1887786, 1887787, 1887788, 1936847, 1936848, 1936849, 1936850, 1936851, 2052905 | ||
| Bug Blocks: | 1886588 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-10-08 20:10:15 UTC
This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss Operations Network 3 * Red Hat Data Grid 7 * Red Hat JBoss AMQ 6 * Red Hat JBoss BPMS 6 * Red Hat JBoss BRMS 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Red Hat AMQ 7 has a low impact, although Artemis uses and distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods Red Hat AMQ Streams has a low impact, although the Kafka cruise control uses and distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods Red Hat Integration Camel K has a low impact, although Camel K distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods Red Hat Integration Service Registry has a low impact, although Apicurio-registry distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods External References: https://www.openwall.com/lists/oss-security/2020/10/08/4 This issue has been addressed in the following products: Red Hat build of Quarkus 1.7.6 Via RHSA-2021:0084 https://access.redhat.com/errata/RHSA-2021:0084 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13956 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.5 Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327 This issue has been addressed in the following products: RHDM 7.10.0 Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603 This issue has been addressed in the following products: Red Hat Integration - Camel K - Tech-Preview 3 Via RHSA-2021:0811 https://access.redhat.com/errata/RHSA-2021:0811 Statement: In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low. In OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix. In the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component. This issue has been addressed in the following products: RHPAM 7.10.1 Via RHSA-2021:1044 https://access.redhat.com/errata/RHSA-2021:1044 This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 This issue has been addressed in the following products: Red Hat AMQ 7.9.0 Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700 This issue has been addressed in the following products: RHINT Service Registry 2.0.2 GA Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:0722 https://access.redhat.com/errata/RHSA-2022:0722 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1860 https://access.redhat.com/errata/RHSA-2022:1860 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1861 https://access.redhat.com/errata/RHSA-2022:1861 This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954 |