Bug 2120718 (CVE-2022-35252)

Summary: CVE-2022-35252 curl: Incorrect handling of control code characters in cookies
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: csutherl, erik-fedora, jclere, jwon, kdudka, kyoshida, lzaoral, mike, msekleta, mturk, paul, peholase, pjindal, plodge, security-response-team, svashisht, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: curl 7.85.0 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the server to return a 400 response. This issue effectively allows a "sister site" to deny service to siblings and cause a denial of service attack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 00:50:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2120722, 2120724, 2122881, 2122882    
Bug Blocks: 2120719    

Description Marian Rehak 2022-08-23 15:36:13 UTC
When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes (byte values below 32). When cookies that contain such control codes are later sent back to an HTTP(S) server, it might make the server return a 400 response. Effectively allowing a "sister site" to deny service to siblings.

Reference:

https://curl.se/docs/CVE-2022-35252.html

Comment 2 Marian Rehak 2022-08-31 07:02:22 UTC
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2122881]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2122882]

Comment 4 errata-xmlrpc 2022-12-08 13:07:19 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2022:8840 https://access.redhat.com/errata/RHSA-2022:8840

Comment 5 errata-xmlrpc 2022-12-08 13:22:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2022:8841 https://access.redhat.com/errata/RHSA-2022:8841

Comment 6 errata-xmlrpc 2023-05-09 07:52:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2478 https://access.redhat.com/errata/RHSA-2023:2478

Comment 7 errata-xmlrpc 2023-05-16 08:35:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2963 https://access.redhat.com/errata/RHSA-2023:2963

Comment 8 Product Security DevOps Team 2023-05-17 00:50:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35252

Comment 10 errata-xmlrpc 2024-01-24 16:49:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0428 https://access.redhat.com/errata/RHSA-2024:0428