Bug 2108396 (CVE-2022-2466)

Summary: CVE-2022-2466 smallrye-graphql: Request Context not terminated with GraphQL
Product: [Other] Security Response
Reporter: Paramvir jindal <pjindal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, gsmet, hamadhan, jochrist, jwon, krathod, lthon, mszynkie, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Quarkus 2.10.3
Doc Type: If docs needed, set a value
Last Closed: 2022-08-30 08:55:52 UTC
Bug Blocks: 2108393, 2108407

Description Paramvir jindal 2022-07-19 01:31:01 UTC
https://github.com/quarkusio/quarkus/issues/26748

Expected behavior
Every time a new request is performed by a client, the request headers should be in line with the actual HTTP request.

Actual behavior
With 2.10.x, the first request's headers become like a cached value, and any subsequent request's headers will contain those instead of the actual headers.

How to Reproduce?
    1) create an app with Quarkus 2.10.1 - 2.10.2 and the smallrye graphql extension
    2) create an endpoint or a bean injecting RoutingContext
    3) set some HTTP headers like Authorization, MyCustomHeader etc. and send the HTTP request
    4) print RoutingContext.request().headers
    5) set other HTTP headers, or remove the previous ones, and send the new HTTP request
    6) the second request's headers will also contain the first request's data, even if you did not send it
    7) switch to Quarkus 2.9.x and it will work as expected
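The reproduction steps above, turned into a regression test that can stay in a project's build to detect header state leaking from one request into the next. This is an added example and is not code from the Quarkus project or from the bug report; it assumes a Quarkus 2.x application that already has the quarkus-resteasy, quarkus-smallrye-graphql, quarkus-junit5 and rest-assured dependencies, and the class, path and header names (HeaderNamesResource, /header-names, X-First-Only, X-Second-Only) are hypothetical.

```java
// src/main/java/org/acme/headers/HeaderNamesResource.java
// Added example, not code from the Quarkus project or the bug report.
// Assumes quarkus-resteasy and quarkus-smallrye-graphql are on the classpath;
// class, path and header names are hypothetical.
package org.acme.headers;

import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import io.vertx.ext.web.RoutingContext;

@Path("/header-names")
public class HeaderNamesResource {

    // RoutingContext is a request-scoped bean. With the bug described in this report
    // it reflects the first request that was processed rather than the current one.
    @Inject
    RoutingContext routingContext;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String headerNames() {
        // One lower-cased header name per line, so the test can check presence or
        // absence by name without depending on the case the client sent.
        return routingContext.request().headers().names().stream()
                .map(String::toLowerCase)
                .sorted()
                .collect(Collectors.joining("\n"));
    }
}

// src/test/java/org/acme/headers/HeaderLeakTest.java
package org.acme.headers;

import static io.restassured.RestAssured.given;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.not;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

@QuarkusTest
public class HeaderLeakTest {

    @Test
    public void secondRequestDoesNotSeeFirstRequestHeaders() {
        // First request carries a header that the second request will not send.
        given().header("X-First-Only", "1")
               .when().get("/header-names")
               .then().statusCode(200)
               .body(containsString("x-first-only"));

        // Second request sends a different header. The first request's header must be
        // absent; on affected versions it still shows up, which is the leak this bug describes.
        given().header("X-Second-Only", "2")
               .when().get("/header-names")
               .then().statusCode(200)
               .body(containsString("x-second-only"))
               .body(not(containsString("x-first-only")));
    }
}
```

Run it with `mvn test`. On a version affected by this report the final `not(containsString("x-first-only"))` assertion fails, because the second response still lists the header that only the first request sent; on an unaffected version both requests see only their own headers. Keeping the test in the build means a future regression of the same kind is caught before deployment rather than observed through stale Authorization data in production.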

Comment 3 Paramvir jindal 2022-07-19 08:08:20 UTC
Marking RHBQ as not affected because this issue affects only upstream Quarkus 2.10.1 - 2.10.2 and not the RHBQ counterpart, which is at the moment based on version 2.7.6.Final.

Comment 4 Guillaume Smet 2022-07-19 09:32:41 UTC
Just to clarify: it affects 2.10.0.CR1 and 2.10.0.Final too. I don't mind us not communicating about CR1 but please include the .0.Final in the affected versions.

Thanks!

Comment 5 Guillaume Smet 2022-07-27 19:10:40 UTC
Unfortunately, the fix we introduced in 2.10.3.Final and 2.11.0.Final was incomplete and these versions are still affected by the issue.

Quarkus 2.10.4.Final and 2.11.1.Final have been released to completely fix the issue: https://quarkus.io/blog/quarkus-2-11-1-final-released/ .

Comment 6 Guillaume Smet 2022-08-05 07:34:46 UTC
Unfortunately, the problem is still not fixed.

I will follow up here once we are completely positive the issue is fixed.

Comment 7 Product Security DevOps Team 2022-08-30 08:55:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2466