Bug 2141353 (CVE-2022-31684)

Summary: CVE-2022-31684 reactor-netty-http: Log request headers in some cases of invalid HTTP requests
Product: [Other] Security Response
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Reporter: Patrick Del Bello <pdelbell>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: reactor-netty-http 1.0.24
Last Closed: 2022-12-10 21:33:38 UTC
Bug Blocks: 2136785
CC: aileenc, anstephe, avibelli, balejosg, bgeorges, chazlett, clement.escoffier, cmoulliard, dandread, dkreling, fmongiar, gmalinko, gsmet, hamadhan, ikanello, janstey, jnethert, jpavlik, jpoth, jwon, lthon, pantinor, pdelbell, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas, tcunning, yfang

Doc Text:
A flaw was found in the Reactor Netty HTTP Server, which may log request headers in some cases of invalid HTTP requests. This could allow an attacker to access privileged information when WARN level logging is enabled.

Description Patrick Del Bello 2022-11-09 14:47:10 UTC
Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log request headers in some cases of invalid HTTP requests. The logged headers may reveal valid access tokens to those with access to server logs. This may affect only invalid HTTP requests where logging at WARN level is enabled.

https://tanzu.vmware.com/security/cve-2022-31684

Comment 5 errata-xmlrpc 2022-12-08 13:25:51 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3

Via RHSA-2022:8902 https://access.redhat.com/errata/RHSA-2022:8902

Comment 6 Product Security DevOps Team 2022-12-10 21:33:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31684

Comment 8 errata-xmlrpc 2023-08-16 10:56:05 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612