Bug 2133687 (CVE-2022-31629)

Summary: CVE-2022-31629 php: standard insecure cookie could be treated as a '__Host-' or '__Secure-' cookie by PHP applications
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fedora, hhorak, jorton, mhoward, rcollet
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php 7.4.31, php 8.0.25 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in PHP due to the way PHP handles HTTP variable names. It interferes with HTTP variable names that clash with ones that have a specific semantic meaning. This vulnerability allows network and same-site attackers to set a standard insecure cookie in the victim's browser, which is treated as a `__Host-` or `__Secure-` cookie by PHP applications, posing a threat to data integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-17 01:45:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2133691, 2135291, 2135293, 2135294, 2135295, 2135296, 2161666, 2161667    
Bug Blocks: 2130767    

Description TEJ RATHI 2022-10-11 07:52:03 UTC 
In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability enables network and same-site attackers to set a standard insecure cookie in the victim's browser which is treated as a `__Host-` or `__Secure-` cookie by PHP applications.

https://bugs.php.net/bug.php?id=81727
Comment 1 TEJ RATHI 2022-10-11 07:55:31 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2133691]
Comment 3 TEJ RATHI 2022-10-17 08:52:17 UTC 
Upstream Commit:
https://github.com/php/php-src/commit/0611be4e82887cee0de6c4cbae320d34eec946ca
Comment 4 errata-xmlrpc 2023-02-21 09:31:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0848 https://access.redhat.com/errata/RHSA-2023:0848
Comment 5 errata-xmlrpc 2023-02-28 08:20:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0965 https://access.redhat.com/errata/RHSA-2023:0965
Comment 6 mhoward 2023-04-29 02:46:20 UTC 
Will this be fixed in the PHP 7.4 Full Life Application Stream for RHEL8?
Comment 7 errata-xmlrpc 2023-05-09 07:45:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2417 https://access.redhat.com/errata/RHSA-2023:2417
Comment 8 errata-xmlrpc 2023-05-16 08:26:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2903 https://access.redhat.com/errata/RHSA-2023:2903
Comment 9 Product Security DevOps Team 2023-05-17 01:45:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31629