Bug 1901304 (CVE-2020-27782)
Summary: | CVE-2020-27782 undertow: special character in query results in server errors | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Chess Hazlett <chazlett> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | aboyko, ahenning, aileenc, akoufoud, alazarot, almorale, anstephe, antcosta, asoldano, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, bperkins, brian.stansberry, cdewolf, chazlett, clement.escoffier, cmoulliard, cmoullia, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, eaguilar, eleandro, eric.wittmann, etirelli, frainone, ganandan, ggaughan, ggrzybek, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, iweiss, janstey, jawilson, jclere, jjoyce, jnethert, jochrist, jpallich, jperkins, jschluet, jstastny, jwon, krathod, kverlaen, kwills, lgao, lhh, lpeer, lthon, mburns, mkolesni, mnovotny, msochure, msvehla, mszynkie, nwallace, pantinor, pdrozd, pgallagh, pjindal, pmackay, probinso, pskopek, rfreire, rguimara, rrajasek, rruss, rstancel, rsvoboda, rsynek, sbiarozk, sclewis, scohen, sdaley, sdouglas, security-response-team, sguilhen, slinaber, smaestri, sthorger, tom.jenkinson |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://issues.redhat.com/browse/JBEAP-20675 https://issues.redhat.com/browse/QUARKUS-599 https://issues.redhat.com/browse/ENTSWM-947 https://issues.redhat.com/browse/JDG-4237 https://issues.redhat.com/browse/ENTSBT-884 https://issues.redhat.com/browse/KEYCLOAK-16563 https://issues.redhat.com/browse/ENTESB-15427 https://issues.redhat.com/browse/ENTESB-15428 https://issues.redhat.com/browse/ENTESB-15429 | | |
Whiteboard: | | | |
Fixed In Version: | Undertow 2.1.5.SP1, Undertow 2.0.33.SP2, Undertow 2.2.3.SP1 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-01-25 16:47:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 1901234 | | |
Description
Chess Hazlett
2020-11-24 19:48:03 UTC
The description is wrong: that is not a mod_cluster bug, that is a general AJP problem; it affects mod_jk and mod_proxy_ajp. The work-around is easy: use HTTP/1.1 instead of AJP to proxy to the back-end.

I confirm the problem is for example in https://github.com/apache/httpd/blob/trunk/modules/proxy/ajp_header.c#L327 The query string is copied to the AJP payload without any checks, and the same for mod_jk, see https://github.com/apache/tomcat-connectors/blob/master/native/apache-2.0/mod_jk.c#L969

The checks can also be done in the AJP of tomcat/undertow to reject URLs/query strings that are not conforming to RFC 7230 and RFC 398. The problem needs to be reported to the ASF httpd and tomcat security lists for further investigation.

Also note that only undertow seems to create a denial of service, because it doesn't return anything to httpd and closes the session abruptly, and that marks the node as broken. Tomcat AJP just wrongly processes the illegal request, so it is up to the webapp to process the query string and reject it.

Also a note from https://issues.redhat.com/browse/JBCS-1019: "Note that the AJP issue was discovered by Richard Opalka <ropalka>"

Mitigation: The issue can be mitigated by using HTTP/1.1 instead of AJP to proxy to the back-end.
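The comment above proposes checking the query string against RFC 3986 before it is copied into the AJP payload, so that a non-conforming request is rejected at the front end rather than causing the back-end to drop the connection. The following is an added illustration of that check in C; it is not code from httpd, mod_jk or Undertow, and the function names and the 0/400 decision value are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not httpd, mod_jk or Undertow code): validate a request
 * query string against RFC 3986 before it is copied into an AJP packet.
 *   query      = *( pchar / "/" / "?" )
 *   pchar      = unreserved / pct-encoded / sub-delims / ":" / "@"
 *   unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
 *   sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="
 * Anything else (space, controls, bytes >= 0x80, '"', '<', '>', '^', '{',
 * '|', '}', or '%' not followed by two HEXDIG) is rejected. */

static bool is_unreserved(unsigned char c) {     /* isalnum() in the C locale */
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~';
}

static bool is_sub_delim(unsigned char c) {
    return c != '\0' && strchr("!$&'()*+,;=", c) != NULL;
}

/* Returns true only if every byte of query[0..len) is valid query syntax. */
bool query_string_is_rfc3986(const char *query, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)query[i];
        if (c == '%') {                      /* pct-encoded needs two HEXDIG */
            if (i + 2 >= len || !isxdigit((unsigned char)query[i + 1]) ||
                !isxdigit((unsigned char)query[i + 2]))
                return false;
            i += 2;
        } else if (!(is_unreserved(c) || is_sub_delim(c) || c == ':' ||
                     c == '@' || c == '/' || c == '?')) {
            return false;
        }
    }
    return true;
}

/* Proxy-side policy (hypothetical): 0 = forward over AJP, 400 = answer the
 * client at the front end instead of handing the bad bytes to the back-end. */
int ajp_forward_decision(const char *query) {
    return query_string_is_rfc3986(query, strlen(query)) ? 0 : 400;
}

int main(void) {
    const char *samples[] = { "a=1&b=2", "q=%C3%A9", "a=1%ZZ", "a b", "a=b^c" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %d\n", samples[i], ajp_forward_decision(samples[i]));
    return 0;
}
```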
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform. Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6. Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7. Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8. Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27782

This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.5. Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327

This issue has been addressed in the following products: Red Hat Openshift Application Runtimes. Via RHSA-2021:0295 https://access.redhat.com/errata/RHSA-2021:0295

This issue has been addressed in the following products: Red Hat Integration. Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205

This issue has been addressed in the following products: Red Hat Integration. Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207

This issue has been addressed in the following products: Red Hat support for Spring Boot 2.3.10. Via RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425

This issue has been addressed in the following products: Red Hat Fuse 7.10. Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134