Bug 2013495 (CVE-2021-41136)

Summary: CVE-2021-41136 rubygem-puma: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: akarol, bbuckingham, bcourt, bkearney, btotty, dmetzger, ehelms, gmccullo, gtanzill, hvyas, jaruga, jfrey, jhardy, jsherril, lzap, mhulan, mmccune, myarboro, nmoumoul, obarenbo, orabin, pcreech, puebele, pvalena, rchan, roliveri, ruby-packagers-sig, simaishi, smallamp, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puma 5.5.1, puma 4.3.9 Doc Type: If docs needed, set a value
Doc Text:
An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-05 19:26:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2013497, 2016424, 2017334    
Bug Blocks: 2013498    

Description Marian Rehak 2021-10-13 04:34:09 UTC 
Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Upstream Advisory:

https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Comment 1 Marian Rehak 2021-10-13 04:34:38 UTC 
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 2013497]
Comment 2 Yadnyawalk Tale 2021-10-21 13:42:20 UTC 
Upstream patch: 
https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
Comment 3 Yadnyawalk Tale 2021-10-21 13:43:37 UTC 
External references:
https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Comment 6 Jun Aruga 2022-06-02 15:20:09 UTC 
Note the current Fedora rawhide is rubygem-puma-5.5.2-2.fc36 .
https://src.fedoraproject.org/rpms/rubygem-puma
Comment 7 errata-xmlrpc 2022-07-05 14:26:52 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498
Comment 8 Product Security DevOps Team 2022-07-05 19:26:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41136