Bug 1926885 (CVE-2021-21240)

Summary: CVE-2021-21240 python-httplib2: Regular expression denial of service via malicious header
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: amctagga, andreas.bierfert, anharris, askrabec, bkearney, bniver, cluster-maint, dbecker, dchen, flucifre, gmeno, gwync, hvyas, igor.raits, jjoyce, jschluet, jspaleta, kaycoth, kevin, lhh, lpeer, mbenjamin, mburns, mcascell, mhackett, oalbrigt, pcahyna, puebele, rhos-maint, sclewis, slinaber, sostapov, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: httplib2 0.19.0 Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption flaw as found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-26 17:32:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1926886, 1929179, 1929408, 1930186, 1931438, 1931550, 1931678    
Bug Blocks: 1926887    

Description Pedro Sampaio 2021-02-09 15:44:37 UTC 
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.

References:

https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc
https://github.com/httplib2/httplib2/pull/182
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
https://pypi.org/project/httplib2
Comment 1 Pedro Sampaio 2021-02-09 15:45:15 UTC 
Created python-httplib2 tracking bugs for this issue:

Affects: fedora-all [bug 1926886]
Comment 2 Sage McTaggart 2021-02-09 17:07:02 UTC 
Setting ceph2 to OOSS.
Comment 3 Mauro Matteo Cascella 2021-02-16 11:24:56 UTC 
Created python-httplib2 tracking bugs for this issue:

Affects: epel-7 [bug 1929179]
Comment 5 Mauro Matteo Cascella 2021-02-18 12:00:12 UTC 
External References:

https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
Comment 7 Mauro Matteo Cascella 2021-02-18 15:34:07 UTC 
Mitigation:

Use strict mode to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.
Comment 10 Riccardo Schirone 2021-02-22 12:37:20 UTC 
RHUI still uses python2, which does not seem to suffer from the same DoS when searching a string with the flawed regular expression. A ValueError is raised instead, which is caught and re-raised as MalformedHeader exception.
Comment 13 Mauro Matteo Cascella 2021-02-23 17:05:51 UTC 
The flaw exists in the WWW_AUTH_RELAXED regexp pattern `\s*[^ \t\r\n=]+\s*=` used to parse the WWW-Authenticate HTTP response header. As mentioned in the upstream advisory, a long sequence of '\xa0' characters may cause catastrophic backtracking, making the client susceptible to a ReDoS attack when it receives specially crafted responses from a malicious or compromised server.

The main reason is that backtracking requires the regular expression engine to enumerate all possible solutions, which makes the operation very expensive as it has an exponential cost. Therefore, when the server sends a crafted bogus value, the client will take a very long time to parse the response, potentially causing a denial of service.
Comment 15 Anten Skrabec 2021-03-01 20:52:35 UTC 
Statement:

This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.
Comment 16 errata-xmlrpc 2021-05-26 11:43:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:2116 https://access.redhat.com/errata/RHSA-2021:2116
Comment 17 Product Security DevOps Team 2021-05-26 17:32:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21240