Bug 1946341 (CVE-2021-22696)
| Summary: | CVE-2021-22696 cxf: OAuth 2 authorization service vulnerable to DDos attacks | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, aschwart, asoldano, aszczucz, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, bmontgom, boliveir, brian.stansberry, bstansbe, cdewolf, chazlett, cmario92, cmoulliard, csutherl, darran.lofthouse, dfreiber, dhanak, dkreling, dlofthou, dosoudil, drichtar, drieden, drosa, drow, dsoumis, eleandro, eparis, etirelli, fjuma, ggaughan, gmalinko, gvarsami, gzaronik, hbraun, ibek, ikanello, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jclere, jcoleman, jnethert, jochrist, jokerman, jolee, jpallich, jperkins, jrokos, jschatte, jstastny, jwon, krathod, kverlaen, kwills, ldimaggi, lgao, lthon, mnovotny, mosmerov, mposolda, msochure, msvehla, mszynkie, nstielau, nwallace, pantinor, pberan, pdelbell, pdrozd, peholase, pesilva, pgallagh, pjindal, plodge, pmackay, rguimara, rmartinc, rmaucher, rrajasek, rruss, rstancel, rstepani, rsvoboda, rwagner, sausingh, smaestri, sponnaga, ssilvert, sthorger, szappis, tcunning, thjenkin, tkirby, tom.jenkinson, tzimanyi, vdosoudi, vkumar, vmuzikar, yborgess |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | cxf-3.3.10 cxf-3.4.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-12-14 22:05:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1946342 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-04-05 20:05:29 UTC
Looking at the binary from here: http://cxf.apache.org/download.html apache-cxf-3.4.3]$ grep -r JwtRequestCodeFilter Binary file lib/cxf-rt-rs-security-oauth2-3.4.3.jar matches That makes sense given that it's a DoS in the OAuth service. Based on this OpenShift products do not package cxf-rt-rs-security-oauth2 at all, so marking logging-elasticsearch containers as not affected. External References: https://cxf.apache.org/security-advisories.data/CVE-2021-22696.txt.asc I believe the upstream fix is to disable request_uri: - https://github.com/apache/cxf/commit/7d5d2c7a019dd1e1d0566daf9f1ed5b7b0dd66b7 Especially given: This method must be overridden to support request_uri. Take care to validate the request_uri properly, * as otherwise it could lead to a security problem * (https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-30#section-10.4) And possibly also to ensure both request_uri and request can't exist together: - https://github.com/apache/cxf/commit/aee3bf291a7387cc492aa0dbdb0fb2af96687994 Addition to comment #1 OpenShift 3.11 openshift3/ose-logging-elasticsearch5 does not have any reference to the cxf package and hence isn't added to the affects whiteboard, just openshift 4. This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22696 Issue persists with fuse - 3.3.6.fuse-7_10_0-00022-redhat-00001. Can someone confirm if the issue was resolved? This issue has been addressed in the following products: JWS 5.7.0 Via RHSA-2022:7273 https://access.redhat.com/errata/RHSA-2022:7273 |