Bug 2100563 (CVE-2022-2255)

Summary: CVE-2022-2255 mod_wsgi: Trusted Proxy Headers Removing Bypass
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carl, hhorak, jburrell, jkaluza, jorton, lewk, luhliari, mrunge, orion
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mod_wsgi 4.9.3 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy, allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2108263, 2108264, 2108265, 2108266, 2108267, 2108268, 2108272, 2108273    
Bug Blocks: 2097484, 2102350    

Description Guilherme de Almeida Suckevicz 2022-06-23 17:37:59 UTC
A vulnerability was found in mod_wsgi. The X-Client-IP header is not removed from a request from an untrusted proxy (trusted proxies are configured via the WSGITrustedProxies directive) allowing an attacker to pass the X-Client-IP header to the target WSGI application because the condition to remove it is missing.

References:
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L13940-L13941
https://github.com/GrahamDumpleton/mod_wsgi/blob/4.9.2/src/server/mod_wsgi.c#L14046-L14082

Comment 2 Guilherme de Almeida Suckevicz 2022-07-18 17:55:45 UTC
Upstream patch:
https://github.com/GrahamDumpleton/mod_wsgi/commit/af3c0c2736bc0b0b01fa0f0aad3c904b7fa9c751

Comment 3 Guilherme de Almeida Suckevicz 2022-07-18 18:00:15 UTC
Created mod_wsgi tracking bugs for this issue:

Affects: fedora-all [bug 2108273]


Created python3-mod_wsgi tracking bugs for this issue:

Affects: epel-7 [bug 2108272]