Bug 1941965 (CVE-2021-22890)

Summary: CVE-2021-22890 curl: TLS 1.3 session ticket mix-up with HTTPS proxy host
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: amctagga, andrew.slice, anharris, bniver, bodavis, csutherl, dbhole, flucifre, gmeno, gzaronik, hhorak, hvyas, jclere, jorton, jwon, kanderso, kdudka, krathod, luhliari, mbenjamin, mhackett, msekleta, mturk, omajid, paul, pjindal, rwagner, security-response-team, sostapov, svashisht, szappis, vereddy, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: curl 7.76.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way libcurl handled TLS 1.3 session tickets. A malicious HTTPS proxy could possibly use this flaw to make libcurl resume a TLS session it previously had with the proxy while intending to resume a TLS session with a target server, making it possible for the proxy to perform a man-in-the-middle attack.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-06-17 15:04:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1945059, 1945064
Bug Blocks: 1941974

Description Marian Rehak 2021-03-23 10:07:15 UTC
When confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check, making it possible to perform a MITM attack unnoticed.

Upstream Advisory:

https://curl.se/docs/CVE-2021-22890.html

Comment 3 Tomas Hoger 2021-03-29 21:10:27 UTC
According to the upstream advisory, this issue was introduced by the following commit, first included in curl version 7.63.0:

https://github.com/curl/curl/commit/549310e907e

The curl packages in Red Hat Enterprise Linux 8 and earlier, and the httpd24-curl packages in Red Hat Software Collections are based on older curl versions which do not include the mentioned change and are therefore not affected by this issue.

The upstream advisory also notes that this only affects curl versions using OpenSSL as their TLS/SSL backend. The issue can occur when using TLS 1.3 and an HTTPS proxy (not a traditional HTTP proxy).
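
As an added triage helper (not part of this bug or the curl project), the following Python script applies the preconditions stated in this comment to the first line of `curl --version` output: the libcurl version must fall in the range 7.63.0 up to but not including 7.76.0, and the build must report the OpenSSL backend; the sample version lines are constructed. The version range is the upstream one only: vendor packages such as the RHEL curl described above may be older or carry backported fixes, so the errata remain authoritative.

```python
import re
from dataclasses import dataclass

# Range taken from the upstream advisory as summarized in this bug:
# introduced by a commit first shipped in 7.63.0, fixed in 7.76.0.
FIRST_AFFECTED = (7, 63, 0)
FIXED_IN = (7, 76, 0)

@dataclass
class Triage:
    version: tuple
    openssl_backend: bool
    affected: bool
    note: str

def parse_libcurl_version(line):
    """Extract (major, minor, patch) from the libcurl/x.y.z token."""
    m = re.search(r"\blibcurl/(\d+)\.(\d+)\.(\d+)", line)
    if not m:
        raise ValueError("no libcurl/x.y.z token in: %r" % line)
    return tuple(int(x) for x in m.groups())

def triage(version_line):
    """Apply the CVE-2021-22890 preconditions to one `curl --version` line."""
    version = parse_libcurl_version(version_line)
    # curl names its TLS backend with a token such as OpenSSL/1.1.1k;
    # other backends (NSS, GnuTLS, ...) are out of scope per the advisory.
    openssl_backend = re.search(r"\bOpenSSL/", version_line) is not None
    in_range = FIRST_AFFECTED <= version < FIXED_IN
    if not in_range:
        note = "libcurl outside the affected range 7.63.0 <= v < 7.76.0"
    elif not openssl_backend:
        note = "affected range, but the TLS backend is not OpenSSL"
    else:
        note = "potentially affected: review HTTPS proxy use with TLS 1.3"
    return Triage(version, openssl_backend, in_range and openssl_backend, note)

# Constructed sample first lines of `curl --version`, not from real hosts.
SAMPLES = [
    "curl 7.64.1 (x86_64-pc-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1d zlib/1.2.11",
    "curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g nghttp2/1.33.0",
    "curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 GnuTLS/3.6.13 zlib/1.2.11",
    "curl 7.76.0 (x86_64-pc-linux-gnu) libcurl/7.76.0 OpenSSL/1.1.1k zlib/1.2.11",
]

if __name__ == "__main__":
    for line in SAMPLES:
        t = triage(line)
        print("%-8s %s" % ("AFFECTED" if t.affected else "ok", t.note))
```

To check a real host, feed the first line of its `curl --version` output to `triage()` and then confirm the result against the vendor's package changelog or errata.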

Comment 4 Tomas Hoger 2021-03-29 21:12:38 UTC
Acknowledgments:

Name: the Curl project
Upstream: Mingtao Yang (Facebook)

Comment 6 Tomas Hoger 2021-03-31 10:04:16 UTC
External References:

https://curl.se/docs/CVE-2021-22890.html

Comment 7 Tomas Hoger 2021-03-31 10:04:56 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1945059]

Comment 10 errata-xmlrpc 2021-06-17 11:35:56 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471

Comment 11 errata-xmlrpc 2021-06-17 11:45:56 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472

Comment 12 Product Security DevOps Team 2021-06-17 15:04:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22890