Bug 2065086 (CVE-2022-24761)

Summary: CVE-2022-24761 waitress: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: agawand, amctagga, anharris, bdettelb, bniver, eglynn, flucifre, gmeno, infra-sig, jjoyce, lhh, lorenzo.gil.sanchez, mbenjamin, mburns, mhackett, rbean, rpittau, security-response-team, sostapov, spower, vereddy
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: waitress 2.1.1
Doc Type: If docs needed, set a value
Doc Text:
An Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) flaw was found in Waitress when used behind a proxy that does not properly validate the incoming HTTP request. This flaw allows an attacker to smuggle requests via the front-end proxy to Waitress, resulting in a loss of data integrity.
Story Points: ---
Last Closed: 2022-04-07 14:27:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2065792, 2065790, 2065791, 2065795, 2065796, 2065797, 2065798, 2065799, 2099298, 2124988, 2124989, 2124990, 2258844
Bug Blocks: 2065087

Description TEJ RATHI 2022-03-17 10:36:05 UTC
When using Waitress behind a proxy that does not properly validate that the incoming HTTP request matches the RFC 7230 standard, Waitress and the front-end proxy may disagree on where one request starts and where it ends.
This would allow requests to be smuggled via the front-end proxy to Waitress and later behavior.

Affected Versions <=2.1.0.

References:
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
https://bugs.gentoo.org/835492
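
A strict RFC 7230 framing check of the kind the description expects the front-end proxy to perform, as an added example that is not code from Waitress, the advisory, or the reporter: it rejects requests where Content-Length and Transfer-Encoding conflict or where the Content-Length or chunk-size field contains anything outside the grammar, and reports how many body bytes a strict parser consumes so two parsers can be compared on the same input. It assumes a single raw request in bytes and, as a simplification, does not accept trailer fields after the last chunk.

```python
import re

# Strict RFC 7230 request-framing checks of the kind a front-end proxy should apply
# before forwarding to Waitress. Added example; not code from Waitress or the advisory.
_CONTENT_LENGTH = re.compile(rb"^[0-9]+$")     # Content-Length = 1*DIGIT
_CHUNK_SIZE = re.compile(rb"^[0-9A-Fa-f]+$")   # chunk-size = 1*HEXDIG (no sign, 0x or spaces)

def check_framing(raw: bytes):
    """Return ("ok", body_bytes_consumed) or ("reject", reason). Two parsers that
    consume different lengths for the same bytes disagree on where the request ends."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("reject", "incomplete header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace between field-name and colon, no obs-fold
        if not colon or not name or name != name.strip():
            return ("reject", "malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    te, cl = headers.get(b"transfer-encoding"), headers.get(b"content-length")
    if te and cl:
        return ("reject", "both Transfer-Encoding and Content-Length present")
    if cl:
        if len(set(cl)) != 1 or not _CONTENT_LENGTH.match(cl[0]):
            return ("reject", "Content-Length is not a single decimal value")
        n = int(cl[0])
        return ("ok", n) if len(body) >= n else ("reject", "body shorter than Content-Length")
    if te is None:
        return ("ok", 0)                                  # no message body
    codings = [c.strip().lower() for v in te for c in v.split(b",")]
    if codings[-1] != b"chunked":
        return ("reject", "final Transfer-Encoding is not chunked")
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return ("reject", "truncated chunk header")
        size_field = body[pos:end].split(b";", 1)[0]      # drop chunk extensions
        # int(x, 16) alone would accept "+5", "0x5" or " 5", which RFC 7230 does not
        if not _CHUNK_SIZE.match(size_field):
            return ("reject", "chunk-size is not strict HEXDIG: %r" % size_field)
        size, pos = int(size_field, 16), end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            return ("reject", "chunk data not terminated by CRLF")
        pos += size + 2
    if body[pos:pos + 2] != b"\r\n":
        return ("reject", "trailer fields are not accepted by this checker")  # simplification
    return ("ok", pos + 2)
```

Run the same constructed request through this checker and through the back end's parser; any case where the checker rejects or the consumed lengths differ is a framing disagreement the proxy must not forward.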

Comment 1 Sage McTaggart 2022-03-18 18:03:07 UTC
Created python-waitress tracking bugs for this issue:

Affects: epel-all [bug 2065791]
Affects: fedora-all [bug 2065790]
Affects: openstack-rdo [bug 2065792]

Comment 4 errata-xmlrpc 2022-04-06 09:38:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:1253 https://access.redhat.com/errata/RHSA-2022:1253

Comment 5 errata-xmlrpc 2022-04-06 14:36:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:1254 https://access.redhat.com/errata/RHSA-2022:1254

Comment 6 errata-xmlrpc 2022-04-07 12:05:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 - ELS

Via RHSA-2022:1264 https://access.redhat.com/errata/RHSA-2022:1264

Comment 7 Product Security DevOps Team 2022-04-07 14:27:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-24761