Bug 1964887 (CVE-2021-22898)
| Summary: | CVE-2021-22898 curl: TELNET stack contents disclosure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | msiddiqu |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | amctagga, andrew.slice, anharris, bniver, bodavis, dbhole, erik-fedora, flucifre, gmeno, hhorak, hvyas, jorton, kanderso, kaycoth, kdudka, luhliari, lvaleeva, mbenjamin, mhackett, micjohns, mike, msekleta, omajid, paul, rwagner, sostapov, svashisht, vereddy, vmugicag |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | curl 7.77.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the way curl handled telnet protocol option for sending environment variables, which could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 22:54:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1971270, 1964913, 1964923, 1964924, 1970905, 1970906, 1971264, 1971265, 1971266, 1971267, 1971268, 1971269 | ||
| Bug Blocks: | 1964912 | ||
|
Description
msiddiqu
2021-05-26 09:35:42 UTC
Upstream advisory: https://curl.se/docs/CVE-2021-22898.html Upstream commit: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde Created curl tracking bugs for this issue: Affects: fedora-all [bug 1964923] Created mingw-curl tracking bugs for this issue: Affects: fedora-all [bug 1964924] This issue can only be triggered when curl is using the telnet protocol. It also requires that curl is configured (using the -t / --telnet-option command line option for the curl command line tool, or using the libcurl library's CURLOPT_TELNETOPTIONS option) to send NEW_ENV telnet option with long (more than 127 characters) environment variable name or value. If server requests curl to send environment variables during the telnet connection handshake, a limited amount of curl's stack memory is included in the response sent to the server. Telnet server can not trigger this flaw without this required curl configuration. In affected configurations, the leak is triggered by a non-malicious telnet server, it's sufficient to the server to ask client to send environment variables. HackerOne report: https://hackerone.com/reports/1176461 @thoger I'm seeing that all of our curl versions are < 7.7. Is this CVE relevant to us. (In reply to Michael Johnson from comment #9) > I'm seeing that all of our curl versions are < 7.7. Versions as 7.61.1 (RHEL-8), 7.29.0 (RHEL-7), 7.19.7 (RHEL-6), and 7.15.5 (RHEL-5) are all > 7.7. Do not confuse 7.7 with 7.70 or 7.77. 7.7 was released back in 2001 - it's really ancient and older versions are not likely to be used anywhere these days. https://curl.se/changes.html#7_7 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4511 https://access.redhat.com/errata/RHSA-2021:4511 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22898 |