Bug 1941965 (CVE-2021-22890)
| Summary: | CVE-2021-22890 curl: TLS 1.3 session ticket mix-up with HTTPS proxy host | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | amctagga, andrew.slice, anharris, bniver, bodavis, csutherl, dbhole, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kdudka, krathod, luhliari, mbenjamin, mhackett, msekleta, mturk, omajid, paul, pjindal, rwagner, security-response-team, sostapov, svashisht, szappis, vereddy, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | curl 7.76.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the way libcurl handled TLS 1.3 session tickets. A malicious HTTPS proxy could possibly use this flaw to make libcurl resume a TLS session it previously had with the proxy while intending to resume a TLS session with a target server, making it possible for the proxy to perform a man-in-the-middle attack. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-06-17 15:04:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1945059, 1945064 | | |
| Bug Blocks: | 1941974 | | |
Description
Marian Rehak
2021-03-23 10:07:15 UTC
According to the upstream advisory, this issue was introduced via the following commit, first included in curl version 7.63.0: https://github.com/curl/curl/commit/549310e907e

The curl packages in Red Hat Enterprise Linux 8 and earlier, and the httpd24-curl packages in Red Hat Software Collections, are based on older curl versions which do not include the mentioned change and are therefore not affected by this issue.

The upstream advisory also notes that this only affects curl versions using OpenSSL as their TLS/SSL backend. The issue can occur when using TLS 1.3 and an HTTPS proxy (and not the traditional HTTP proxy).

Acknowledgments:

Name: the Curl project
Upstream: Mingtao Yang (Facebook)

External References:

https://curl.se/docs/CVE-2021-22890.html

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1945059]

This issue has been addressed in the following products:

JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

This issue has been addressed in the following products:

JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22890
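As an added illustration that is neither libcurl's code nor part of this bug record, the toy session cache below models the defect class described in the Doc Text: a post-handshake TLS 1.3 ticket received on the proxy leg gets filed under the target server's name, so the next connection to that server offers the proxy's ticket, whereas a cache keyed by connection role as well as peer keeps the two legs apart. Host names, the cache layout and the function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Ticket:
    blob: bytes    # opaque TLS 1.3 session ticket (constructed placeholder)
    issuer: str    # peer that issued it, recorded so the simulation can report hits

# A cached session is identified by the leg it belongs to ("proxy" or
# "server") plus the peer it was negotiated with.
CacheKey = Tuple[str, str, int]

class SessionCache:
    """Simplified resumption cache; a model, not libcurl's implementation."""

    def __init__(self) -> None:
        self._store: Dict[CacheKey, Ticket] = {}

    def store_mixed_up(self, target_host: str, target_port: int, ticket: Ticket) -> None:
        # Defect class from the advisory: the late ticket callback only knows the
        # request's target, so a ticket issued by the proxy is filed as if it
        # came from the origin server.
        self._store[("server", target_host, target_port)] = ticket

    def store(self, role: str, host: str, port: int, ticket: Ticket) -> None:
        # Hardened: the key records which leg produced the ticket and the real peer.
        self._store[(role, host, port)] = ticket

    def lookup(self, role: str, host: str, port: int) -> Optional[Ticket]:
        return self._store.get((role, host, port))

def simulate(mixed_up: bool) -> Tuple[Optional[str], Optional[str]]:
    """Replay the advisory scenario. Returns the issuers of the tickets that would
    be offered on the server leg and on the proxy leg (None = no resumption)."""
    cache = SessionCache()
    proxy_host, origin_host, port = "proxy.example", "origin.example", 443  # constructed
    proxy_ticket = Ticket(b"ticket-from-proxy", proxy_host)
    if mixed_up:
        cache.store_mixed_up(origin_host, port, proxy_ticket)
    else:
        cache.store("proxy", proxy_host, port, proxy_ticket)
    server_hit = cache.lookup("server", origin_host, port)
    proxy_hit = cache.lookup("proxy", proxy_host, port)
    return (server_hit.issuer if server_hit else None,
            proxy_hit.issuer if proxy_hit else None)
```

In the mixed-up case the origin-server lookup hands back the proxy's ticket, which is the condition the proxy needs to sit in the middle; with role-keyed storage the origin gets a fresh handshake while the proxy leg still resumes normally.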