Bug 1968074 (CVE-2021-33503)

Summary: CVE-2021-33503 python-urllib3: ReDoS in the parsing of authority part of URL
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: amackenz, amasferr, aos-bugs, apevec, aurelien, bbuckingham, bcoca, bcourt, bdettelb, bkearney, bmontgom, btotty, caswilli, chazlett, chousekn, cmeyers, cstratak, davidn, drieden, ehelms, eparis, gblomqui, hhorak, hvyas, infra-sig, jburrell, jcammara, jeremy, jhardy, jjoyce, jnakfour, jobarker, jokerman, jorton, jschluet, jsherril, kaycoth, lbalhar, lhh, lpeer, lzap, mabashia, manisandro, mburns, mhulan, mkudlej, mmccune, myarboro, nmoumoul, notting, nstielau, orabin, osapryki, pcreech, python-maint, rchan, relrod, rfreiman, rjerrido, rpetrell, sclewis, sdoran, slinaber, smcdonal, sokeeffe, sponnaga, tjochec, tkuratom, tomckay, torsava
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: urllib3 1.26.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-urllib3. When provided with a URL containing many @ characters in the authority component, the authority's regular expression exhibits catastrophic backtracking. This flaw causes a denial of service if a URL is passed as a parameter or redirected via an HTTP redirect. The highest threat from this vulnerability is to system availability.
Story Points: ---
Last Closed: 2021-09-09 00:21:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1973656, 1968075, 1968076, 1968077, 1968487, 1970176, 1970952, 1970953, 1970954, 1970955, 1970956, 1972639, 1973653, 1973654, 1973655, 1973657, 1973658, 1974305
Bug Blocks: 1968078

Description Pedro Sampaio 2021-06-04 21:09:18 UTC
When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

References:

https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
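Two defensive checks a deployment owner can run for this flaw, written as an added example that is not part of this bug report or of urllib3 itself. The first compares an upstream urllib3 version string against the 1.26.5 fix version recorded in the "Fixed In Version" field; it is only meaningful for upstream/pip installs, because the RHSA errata listed in later comments backport the fix without changing the version string. The second pre-validates URLs before an unpatched parser sees them: RFC 3986 allows at most one unencoded "@" in the authority, so the "many @ characters" input this bug describes is never a valid URL and can be rejected with a linear scan. `MAX_URL_LENGTH` is a constructed limit chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Upstream version carrying the fix, taken from the bug's "Fixed In Version"
# field. Distribution packages (the RHSA errata on this bug, for example)
# backport fixes without changing the version string, so this comparison is
# only meaningful for upstream/pip installs.
FIXED_UPSTREAM = (1, 26, 5)

# Constructed limit for this example; pick one that fits the application.
MAX_URL_LENGTH = 2048


def parse_version(version):
    """Turn '1.25.11' into (1, 25, 11); a non-numeric part ends the tuple."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_upstream_vulnerable(version):
    """True when an upstream urllib3 version predates the 1.26.5 fix."""
    return parse_version(version) < FIXED_UPSTREAM


def installed_urllib3_status():
    """Report the urllib3 found on this interpreter, or None if absent."""
    try:
        import urllib3
    except ImportError:
        return None
    return urllib3.__version__, is_upstream_vulnerable(urllib3.__version__)


def check_url(url):
    """Pre-validate a URL before handing it to an unpatched parser.

    RFC 3986 permits at most one '@' in the authority (userinfo may not
    contain an unencoded '@'), so an authority with several '@' characters
    is rejected outright. urlsplit() locates the netloc with str.find rather
    than a regular expression, so this scan is linear in the input length.
    """
    if len(url) > MAX_URL_LENGTH:
        return False, "URL exceeds length limit"
    authority = urlsplit(url).netloc
    if authority.count("@") > 1:
        return False, "authority contains more than one '@'"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary URL, one with an invalid authority.
    print(installed_urllib3_status())
    print(check_url("https://user:secret@example.com/path?q=1"))
    print(check_url("https://" + "@" * 200 + "/"))
```

Run the guard at the boundary where untrusted URLs enter (request parameters and `Location` headers followed during redirects, the two paths the description names), so that an unpatched urllib3 behind it never receives the malformed authority.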

Comment 1 Pedro Sampaio 2021-06-04 21:12:33 UTC
Created mingw-python-urllib3 tracking bugs for this issue:

Affects: fedora-34 [bug 1968077]


Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1968076]
Affects: openstack-rdo [bug 1968075]

Comment 2 Yadnyawalk Tale 2021-06-07 12:56:52 UTC
Upstream commit (1.26.x):
https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec

Comment 4 Tapas Jena 2021-06-10 01:38:38 UTC
Analysis is complete for AAP 1.2 and it's found that Ansible Tower (urllib3 v1.24.1) and Pulp Core (urllib3 v1.25.11) are using an affected version of urllib3 along with vulnerable functionality. However, directly manipulating auth of url here in Pulp may not be possible. Hence, creating trackers as "affected" -> "delegated".

Comment 17 errata-xmlrpc 2021-08-24 08:09:21 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

Comment 18 errata-xmlrpc 2021-09-08 19:23:24 UTC
This issue has been addressed in the following products:

  Red Hat Automation Hub 4.2 for RHEL 7
  Red Hat Automation Hub 4.2 for RHEL 8

Via RHSA-2021:3473 https://access.redhat.com/errata/RHSA-2021:3473

Comment 19 Product Security DevOps Team 2021-09-09 00:21:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33503

Comment 20 errata-xmlrpc 2021-11-09 17:27:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 21 errata-xmlrpc 2021-11-09 17:28:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

Comment 22 errata-xmlrpc 2021-11-16 14:08:18 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702