Bug 2032569 (CVE-2021-43818)

Summary: CVE-2021-43818 python-lxml: HTML Cleaner allows crafted and SVG embedded scripts to pass through
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, bbuckingham, bcoca, bcourt, bkearney, btotty, caswilli, cmeyers, davidn, dbecker, ehelms, fjansen, gblomqui, hhorak, igor.raits, jcammara, jhardy, jjoyce, jobarker, jorton, jpopelka, jschluet, jsherril, kaycoth, lhh, lpeer, lzap, mabashia, manisandro, mburns, me, mhulan, mizdebsk, mmccune, myarboro, nmoumoul, notting, orabin, osapryki, pcreech, python-maint, rchan, relrod, rpetrell, sclewis, scorneli, sdoran, slinaber, smcdonal, tkuratom
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-lxml 4.6.5
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in python-lxml's HTML Cleaner component, which is responsible for sanitizing HTML and JavaScript. An attacker who is able to submit a crafted payload to a web service using python-lxml's HTML Cleaner may be able to trigger script execution in clients such as web browsers. This can occur because the HTML Cleaner did not remove scripts within SVG images in data URLs such as <img src="">. XSS can result in impacts to the integrity and availability of the web page, as well as a potential impact to data confidentiality in some circumstances.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-11 22:46:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2034590, 2034591, 2032571, 2032572, 2033024, 2033115, 2033116, 2033117, 2033118, 2033119, 2033120, 2034288, 2034592, 2034593, 2064446    
Bug Blocks: 2032570    

Description Guilherme de Almeida Suckevicz 2021-12-14 18:02:39 UTC
lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available.

Reference:
https://github.com/lxml/lxml/security/advisories/GHSA-55x5-fj6c-h6m8

Upstream patches:
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0
https://github.com/lxml/lxml/commit/a3eacbc0dcf1de1c822ec29fb7d090a4b1712a9c#diff-59130575b4fb2932c957db2922977d7d89afb0b2085357db1a14615a2fcad776
https://github.com/lxml/lxml/commit/12fa9669007180a7bb87d990c375cf91ca5b664a
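Added defender-side check, not code from the lxml project or from this bug report: it inspects the path the Doc Text describes, an SVG embedded in an <img src="data:..."> URL, and reports script-capable content (script elements, on* handlers, javascript: hrefs) using only the standard library, so it can be run over cleaner output as a regression check independent of the lxml version installed. The SVG samples and the helper names are constructed for this example.

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET  # stdlib expat parser; it does not fetch external entities
# data:<mime>[;param...],<body>; re.S lets base64 that wraps across lines match
DATA_URI = re.compile(r"^\s*data:([^;,]*)((?:;[^,]*)*),(.*)$", re.S | re.I)

def decode_data_uri(uri):
    m = DATA_URI.match(uri)
    if not m:
        return None  # not a data: URI at all
    mime, params, body = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if ";base64" in params:
        return mime, base64.b64decode(re.sub(r"\s+", "", body))
    return mime, urllib.parse.unquote_to_bytes(body)

def svg_active_content(svg_bytes):
    """List script-capable constructs in an SVG: <script>, on* handlers, javascript: hrefs."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable svg: {exc}"]  # an unparseable image is not proven inert either
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the namespace prefix
        if tag == "script":
            findings.append("script element")
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):
                findings.append(f"event handler attribute {local}")
            elif local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings

def check_img_src(src):
    """Classify one <img src> value as (is_data_uri, findings); findings only for SVG payloads."""
    decoded = decode_data_uri(src)
    if decoded is None:
        return False, []
    return True, (svg_active_content(decoded[1]) if decoded[0] == "image/svg+xml" else [])

# Constructed samples (not from the advisory): one inert SVG, one carrying active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<script>/* constructed */</script><a xlink:href="javascript:void(0)"><text onclick="f()">t</text></a></svg>')
def sample_uris():
    return {"benign": "data:image/svg+xml;base64," + base64.b64encode(BENIGN_SVG).decode(),
            "active": "data:image/svg+xml;base64," + base64.b64encode(ACTIVE_SVG).decode(),
            "active_urlenc": "data:image/svg+xml," + urllib.parse.quote(ACTIVE_SVG)}
```

Both the base64 and the percent-encoded data URI forms are decoded, since a sanitizer that only looks at one of them leaves the other path open.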

Comment 1 Guilherme de Almeida Suckevicz 2021-12-14 18:04:40 UTC
Created mingw-python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 2032571]


Created python-lxml tracking bugs for this issue:

Affects: fedora-all [bug 2032572]

Comment 4 Yadnyawalk Tale 2021-12-15 18:41:27 UTC
RHUI 4 does not use lxml directly; it's pulp's dependency. Pulp uses lxml.etree but that is not vulnerable here. The following location uses lxml.html but clean_html is not being used anywhere. RHUI is not vulnerable in code.
https://github.com/pulp/pulp/blob/308d164420ac489e030a7a6488ff6712d7de44f6/playpen/metadata/updatemetadata_lxml.py#L7

Comment 9 Tapas Jena 2021-12-21 12:12:19 UTC
Creating the missing affect for Ansible Automation Platform 2.0

Comment 10 Tapas Jena 2021-12-21 12:28:16 UTC
Analysis is complete for Ansible and its components and it was found that though Ansible Tower (now Controller)/AWX uses the vulnerable version of lxml [1], it doesn't use the vulnerable function, i.e. clean_html, anywhere [2]. However, to be on the safer side, it's always better to upgrade to the secure version of lxml (i.e. 4.6.x; the current version is 4.5) in this case to avoid introduction of such vulnerable functionality in future, unless there is a backward compatibility issue or hard dependency on the current version.
 
Hence, marking the Ansible components as Affected --> delegated and creating the required trackers.

[1] https://github.com/ansible/tower/blob/a206d7985124960a4e408a0c647617dbb1776433/requirements/requirements.txt#L196 

[2] https://github.com/ansible/ansible/blob/2cbfd1e350cbe1ca195d33306b5a9628667ddda8/lib/ansible/plugins/netconf/__init__.py#L43

Comment 16 errata-xmlrpc 2022-05-02 08:05:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1664 https://access.redhat.com/errata/RHSA-2022:1664

Comment 17 errata-xmlrpc 2022-05-10 13:18:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1763 https://access.redhat.com/errata/RHSA-2022:1763

Comment 18 errata-xmlrpc 2022-05-10 13:18:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1764 https://access.redhat.com/errata/RHSA-2022:1764

Comment 19 errata-xmlrpc 2022-05-10 13:39:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1821 https://access.redhat.com/errata/RHSA-2022:1821

Comment 20 errata-xmlrpc 2022-05-10 14:22:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1932 https://access.redhat.com/errata/RHSA-2022:1932

Comment 21 Product Security DevOps Team 2022-05-11 22:46:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43818

Comment 22 errata-xmlrpc 2022-07-05 14:27:20 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498