Bug 2003175 (CVE-2021-22946)

Summary: CVE-2021-22946 curl: Requirement to use TLS not properly enforced for IMAP, POP3, and FTP protocols
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: curl 7.79.0
Doc Text:
A flaw was found in curl. This flaw lies in the --ssl-reqd option and the related settings in libcurl. Users specify this flag to upgrade to TLS when communicating with an IMAP, POP3 or FTP server. An attacker controlling such a server could return a crafted response that leads the curl client to continue its operation without TLS encryption, so that data is transmitted in clear text over the network. The highest threat from this vulnerability is to data confidentiality.
Last Closed: 2021-11-02 14:08:19 UTC
Bug Depends On: 2003661, 2003662, 2003663, 2003664, 2003665, 2003725, 2003726, 2003727, 2003728, 2004649, 2004927, 2038281, 2044195
Bug Blocks: 2001529

Description Marian Rehak 2021-09-10 14:11:33 UTC
A user can tell curl to **require** a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (`--ssl-reqd` on the command line or `CURLOPT_USE_SSL` set to `CURLUSESSL_CONTROL` or `CURLUSESSL_ALL` with libcurl). This requirement can be bypassed. This flaw would then make curl silently continue its operations **without TLS** contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

Upstream Advisory:

https://curl.se/docs/CVE-2021-22946.html
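The requirement described above, as an added example that is not curl's code: a fail-closed decision after sending STARTTLS to an IMAP server, written in Python against constructed server replies. Under `--ssl-reqd` / `CURLUSESSL_ALL` semantics only a tagged OK for the client's own command tag may lead to a TLS handshake; any other reply (NO, BAD, untagged data, a continuation request, or no completion at all) must abort the connection instead of falling through to clear text, which is the failure this CVE concerns. The tag, reply text and function names are assumptions.

```python
import re

# IMAP tagged completion line: "<tag> OK|NO|BAD ...". Untagged replies begin
# with "* " and continuation requests with "+ "; neither completes a command.
TAGGED_RE = re.compile(r"^(?P<tag>[^\s*+]+) (?P<status>OK|NO|BAD)(?:\s|$)", re.IGNORECASE)

class TlsUpgradeRefused(Exception):
    """Server did not confirm the STARTTLS upgrade; the connection must be dropped."""

def starttls_confirmed(tag, lines):
    """True only if the reply contains a tagged OK for the STARTTLS command we sent."""
    for line in lines:
        m = TAGGED_RE.match(line)
        if m is None or m.group("tag") != tag:
            continue  # untagged, continuation, or another command's completion
        return m.group("status").upper() == "OK"  # NO/BAD is an explicit refusal
    return False  # no completion for our tag at all: fail closed

def decide_after_starttls(tag, lines, require_tls=True):
    """Return "tls" (caller wraps the socket before sending any credentials) or
    "plaintext"; with require_tls (the --ssl-reqd / CURLUSESSL_ALL contract) an
    unconfirmed upgrade raises instead of silently continuing in clear text."""
    if starttls_confirmed(tag, lines):
        return "tls"
    if require_tls:
        raise TlsUpgradeRefused(f"STARTTLS not confirmed by server, reply: {lines!r}")
    return "plaintext"  # only acceptable under CURLUSESSL_TRY-style semantics

# Constructed server replies to an "A001 STARTTLS" command (not captured traffic).
REPLIES = {
    "accepted": ["A001 OK Begin TLS negotiation now"],
    "refused": ["A001 NO STARTTLS not available"],
    "bad": ["A001 BAD Unknown command"],
    "untagged_only": ["* OK Ready for TLS", "* BYE closing"],  # no tagged completion
    "wrong_tag": ["A000 OK Begin TLS negotiation now"],
    "continuation": ["+ go ahead"],
}

def audit(replies=REPLIES, require_tls=True):
    """Map each constructed scenario to 'tls', 'plaintext' or 'aborted'."""
    outcome = {}
    for name, lines in replies.items():
        try:
            outcome[name] = decide_after_starttls("A001", lines, require_tls)
        except TlsUpgradeRefused:
            outcome[name] = "aborted"
    return outcome
```

With `require_tls=True` every scenario except `accepted` ends in `aborted`; only a client configured for try-and-fall-back semantics may legitimately report `plaintext`.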

Comment 6 gkamathe 2021-09-16 13:04:10 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2004927]

Comment 7 errata-xmlrpc 2021-11-02 08:43:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4059 https://access.redhat.com/errata/RHSA-2021:4059

Comment 8 Product Security DevOps Team 2021-11-02 14:08:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22946

Comment 16 errata-xmlrpc 2022-02-22 15:54:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0635 https://access.redhat.com/errata/RHSA-2022:0635

Comment 17 errata-xmlrpc 2022-04-13 14:29:11 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:1354 https://access.redhat.com/errata/RHSA-2022:1354