Bug 1945136 (CVE-2021-28363)

Summary: CVE-2021-28363 python-urllib3: HTTPS proxy host name not validated when using default SSLContext
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apevec, aurelien, bdettelb, bmontgom, cstratak, eparis, hhorak, hvyas, infra-sig, jburrell, jeremy, jjoyce, jorton, jschluet, kaycoth, lbalhar, lhh, lpeer, mburns, metherid, mhroncok, ncoghlan, nstielau, orion, python-maint, python-sig, sclewis, slavek.kabrda, slinaber, sponnaga, steve.traylen, TicoTimo, torsava, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-urllib3 1.26.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-urllib3. SSL certificate validation is omitted in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1945137, 1945138, 1945141, 1945142, 1945271, 1946224, 1946225, 1946227, 1946228    
Bug Blocks: 1945140    

Description Dhananjay Arunesh 2021-03-31 12:25:52 UTC 
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. The initial connection to the HTTPS proxy (if an SSLContext isn't given via proxy_config) doesn't verify the hostname of the certificate. This means certificates for different servers that still validate properly with the default urllib3 SSLContext will be silently accepted.

References:
https://github.com/urllib3/urllib3/commit/8d65ea1ecf6e2cdc27d42124e587c1b83a3118b0
https://github.com/urllib3/urllib3/security/advisories/GHSA-5phf-pp7p-vc2r
https://pypi.org/project/urllib3/1.26.4/
Comment 1 Dhananjay Arunesh 2021-03-31 12:27:40 UTC 
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1945142]


Created python-pip-epel tracking bugs for this issue:

Affects: epel-7 [bug 1945137]


Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1945141]


Created python3-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1945138]
Comment 2 Miro Hrončok 2021-03-31 13:07:30 UTC 
Does this affect urllib3 1.25.x?
Comment 6 Tomas Hoger 2021-04-01 09:19:18 UTC 
(In reply to Miro Hrončok from comment #2)
> Does this affect urllib3 1.25.x?

Probably not, as upstream only added support for HTTPS proxies in 1.26.0:

https://github.com/urllib3/urllib3/blob/1.26.0/CHANGES.rst

That's likely the reason why CVE description explicitly mentions 1.26.x:  The urllib3 library 1.26.x before 1.26.4 ...
Comment 7 Tomas Hoger 2021-04-01 21:02:37 UTC 
As support for HTTPS proxies was only added in urllib3 version 1.26.0 (see comment 6 above), earlier versions are not affected by this flaw.  Version 1.26.0 is not yet used in Red Hat Enterprise Linux or Fedora.

Only versions 1.26.0 - 1.26.3 are affected by this issue.
Comment 12 Hardik Vyas 2021-04-08 11:36:00 UTC 
Statement:

* Red Hat OpenShift Container Platform (OCP) 4 delivers the python-urllib3 package which includes a vulnerable version of urllib3 module, however from OCP 4.6 the python-urllib3 package is no longer shipped. OCP 4.5 is out of support scope for Moderate and Low impact vulnerabilities, hence is marked Out Of Support Scope.

* Red Hat CodeReady WorkSpaces 2 and Red Hat Gluster Storage 3 are not affected by this flaw because both the products does not ship a vulnerable version of urllib3.