Bug 2130518 (CVE-2022-35256)

Summary: CVE-2022-35256 nodejs: HTTP Request Smuggling due to incorrect parsing of header fields
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: caswilli, drieden, fjansen, hhorak, ikanias, jary, jhouska, jkoehler, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, rravi, sgallagh, thrcka, tohughes, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: NodeJS 14.20.1, Nodejs 16.17.1, Nodejs 18.9.1, llhttp 6.0.10 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS due to improper validation of HTTP requests. The llhttp parser in the HTTP module in Node.js does not correctly handle header fields that are not terminated with CLRF. This issue may result in HTTP Request Smuggling. This flaw allows a remote attacker to send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-04 07:33:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2130533, 2130534, 2130536, 2130532, 2130537, 2130538, 2130539, 2130540, 2130541, 2130569, 2130570, 2130571, 2130572, 2130573, 2130574, 2131745, 2131746, 2131747, 2131748, 2131749, 2131750, 2132003, 2132004, 2132732    
Bug Blocks: 2130576    

Description TEJ RATHI 2022-09-28 13:14:24 UTC 
The llhttp parser in the http module in Node.js v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.

Impacts:
All versions of the 18.x, 16.x, and 14.x release lines.
llhttp v6.0.10 contains the fixes that were updated inside Node.js
Comment 1 TEJ RATHI 2022-09-28 13:34:49 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130533]
Affects: fedora-all [bug 2130532]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130537]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130534]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130538]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130539]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130536]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130540]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130541]
Comment 6 errata-xmlrpc 2022-10-17 07:17:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963
Comment 7 errata-xmlrpc 2022-10-17 07:26:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964
Comment 9 errata-xmlrpc 2022-10-19 10:11:12 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044
Comment 10 errata-xmlrpc 2022-11-08 11:30:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821
Comment 11 errata-xmlrpc 2022-11-08 11:33:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830
Comment 12 Product Security DevOps Team 2022-12-04 07:33:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35256
Comment 13 errata-xmlrpc 2023-01-23 15:19:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321
Comment 14 errata-xmlrpc 2023-03-30 12:35:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
Comment 15 errata-xmlrpc 2023-04-12 14:58:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742