Bug 2105428 (CVE-2022-32214)

Summary: CVE-2022-32214 nodejs: HTTP request smuggling due to improper delimiting of header fields
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: hhorak, jorton, mrunge, nodejs-maint, nodejs-sig, sgallagh, thrcka, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS because the llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This issue can lead to HTTP Request Smuggling (HRS). The flaw allows an attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers, leading to web cache poisoning and cross-site scripting (XSS) attacks.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-30 08:29:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2108496, 2108498, 2108500, 2108066, 2108067, 2108068, 2108069, 2108070, 2108502, 2108504, 2108505, 2108506, 2108507, 2108508, 2109531, 2109582, 2109583, 2109584, 2121023
Bug Blocks: 2105423

Description Sage McTaggart 2022-07-08 18:46:25 UTC
CVE-2022-32214

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32214 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x release lines.
llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js.
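
The following is an added illustration of the delimiting problem the description refers to; it is not code from Node.js, llhttp, or this bug report. It contrasts a strict request-head parser that accepts only CRLF as the line delimiter with a lenient one that also treats a bare LF as a line end, and shows that the two disagree about how many headers the same bytes contain. The function names (parseHeadStrict, parseHeadLenient, checkHead) and the sample request heads are constructed for this example.

```javascript
// Added example (not Node.js, llhttp, or Bugzilla code): a strict HTTP/1.1
// request-head parser that only accepts CRLF as the line delimiter, beside a
// lenient parser that also accepts a bare LF. The sample heads below are
// constructed for the example and are not taken from the report.

const CRLF = '\r\n';

// Turn "Name: value" lines into [name, value] pairs; names are lower-cased.
function headerPairs(lines) {
  return lines.map((line) => {
    const colon = line.indexOf(':');
    if (colon <= 0) {
      throw new Error('malformed header line: ' + JSON.stringify(line));
    }
    return [line.slice(0, colon).trim().toLowerCase(), line.slice(colon + 1).trim()];
  });
}

// Strict parser: the head must end in CRLF CRLF, lines are split on CRLF only,
// and a bare CR or LF left inside any line is rejected rather than treated as
// a delimiter. This is the behaviour a conforming parser enforces.
function parseHeadStrict(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end === -1) {
    throw new Error('request head is not terminated by CRLF CRLF');
  }
  const lines = raw.slice(0, end).split(CRLF);
  for (const line of lines) {
    if (/[\r\n]/.test(line)) {
      throw new Error('bare CR or LF inside a line: ' + JSON.stringify(line));
    }
  }
  return { requestLine: lines[0], headers: headerPairs(lines.slice(1)) };
}

// Lenient parser: LF alone also ends a line (an optional preceding CR is
// dropped). This models the "not strictly CRLF" behaviour the report describes;
// a peer that parses strictly will see a different header set for the same bytes.
function parseHeadLenient(raw) {
  const end = raw.search(/\r?\n\r?\n/);
  if (end === -1) {
    throw new Error('request head is not terminated');
  }
  const lines = raw.slice(0, end).split(/\r?\n/);
  return { requestLine: lines[0], headers: headerPairs(lines.slice(1)) };
}

// Defensive gate: forward a head only if the strict parser accepts it, so every
// hop in a proxy chain agrees on the header boundaries.
function checkHead(raw) {
  try {
    return { verdict: 'accept', headers: parseHeadStrict(raw).headers };
  } catch (err) {
    return { verdict: 'reject', reason: err.message };
  }
}

// Constructed sample heads (not from the report).
const CLEAN_HEAD = 'GET / HTTP/1.1\r\nHost: example.test\r\n\r\n';
const BARE_LF_HEAD =
  'GET / HTTP/1.1\r\nHost: example.test\r\nX-Note: a\nX-Extra: b\r\n\r\n';

console.log(checkHead(CLEAN_HEAD));                  // accept, one header
console.log(checkHead(BARE_LF_HEAD));                // reject: bare LF in a line
console.log(parseHeadLenient(BARE_LF_HEAD).headers); // lenient parser sees 3 headers
```

The point of the cross-check is that the strict parser never produces a header set the lenient one would split differently: any input containing a bare LF is refused at the edge instead of being interpreted one way by a front end and another way by Node.js behind it.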

Comment 2 TEJ RATHI 2022-07-19 08:17:35 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108496]
Affects: fedora-all [bug 2108502]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108504]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108498]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108505]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108506]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108500]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108507]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108508]

Comment 4 errata-xmlrpc 2022-09-08 07:42:40 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389

Comment 5 errata-xmlrpc 2022-09-13 09:44:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448

Comment 6 errata-xmlrpc 2022-09-13 09:44:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449

Comment 7 errata-xmlrpc 2022-09-20 12:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595

Comment 9 errata-xmlrpc 2022-10-18 08:18:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985

Comment 10 Product Security DevOps Team 2022-11-30 08:29:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32214