Bug 2165824 (CVE-2022-25881)

Summary: CVE-2022-25881 http-cache-semantics: Regular Expression Denial of Service (ReDoS) vulnerability
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alampare, alazarot, amctagga, andrew.slice, asoldano, balejosg, bbaranow, bmaxwell, bodavis, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dbhole, dhanak, dkreling, dosoudil, dymurray, emingora, eric.wittmann, fjuma, gjospin, gmalinko, gparvin, hhorak, ibek, ibolton, ivassile, iweiss, janstey, jmatthew, jmontleo, jorton, jpavlik, jrokos, jshaughn, jwendell, jwon, kanderso, kverlaen, lbacciot, lgao, lvaleeva, mnovotny, mosmerov, mpitt, msochure, msvehla, mwringe, nboldt, njean, nodejs-maint, nwallace, ocs-bugs, omajid, oskutka, owatkins, pahickey, pantinor, pdelbell, pdrozd, peholase, pjindal, pmackay, pskopek, rcernich, rguimara, rrajasek, rstancel, rwagner, scorneli, slucidi, smaestri, sseago, stcannon, sthorger, teagle, tom.jenkinson, twalsh, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: http-cache-semantics 4.1.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in http-cache-semantics. When the server reads the cache policy from the request using this library, a Regular Expression Denial of Service occurs, caused by malicious request header values sent to the server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 20:33:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2174279, 2174280, 2165828, 2165829, 2165830, 2165831, 2165832, 2165833, 2165834, 2165835, 2165836, 2165962, 2165963, 2166189, 2166190, 2166191, 2166192, 2174278, 2174281, 2174282, 2174283, 2174284, 2174285, 2174286, 2174287, 2175833, 2175834, 2175835, 2175836, 2178091, 2178092, 2178093, 2178094, 2178095, 2178096, 2178097, 2178098, 2178147, 2178148, 2178149, 2187840    
Bug Blocks: 2165813    

Description TEJ RATHI 2023-01-31 08:36:29 UTC 
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.

https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783
https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332
Comment 13 Patrick Del Bello 2023-03-01 02:41:17 UTC 
Created dotnet6.0 tracking bugs for this issue:

Affects: fedora-all [bug 2174281]


Created golang-entgo-ent tracking bugs for this issue:

Affects: fedora-all [bug 2174282]


Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2174283]


Created nodejs-nodemon tracking bugs for this issue:

Affects: fedora-all [bug 2174284]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2174279]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2174285]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2174280]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2174286]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2174287]


Created zuul tracking bugs for this issue:

Affects: fedora-all [bug 2174278]
Comment 14 errata-xmlrpc 2023-03-23 02:16:31 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:1428 https://access.redhat.com/errata/RHSA-2023:1428
Comment 15 errata-xmlrpc 2023-03-30 12:35:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533
Comment 16 errata-xmlrpc 2023-04-04 09:48:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1582 https://access.redhat.com/errata/RHSA-2023:1582
Comment 17 errata-xmlrpc 2023-04-04 09:48:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1583 https://access.redhat.com/errata/RHSA-2023:1583
Comment 18 errata-xmlrpc 2023-04-12 14:58:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
Comment 19 errata-xmlrpc 2023-04-12 14:59:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1743 https://access.redhat.com/errata/RHSA-2023:1743
Comment 20 errata-xmlrpc 2023-04-12 15:07:46 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:1744 https://access.redhat.com/errata/RHSA-2023:1744
Comment 23 errata-xmlrpc 2023-04-19 23:50:23 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.2 for RHEL 8

Via RHSA-2023:1887 https://access.redhat.com/errata/RHSA-2023:1887
Comment 24 errata-xmlrpc 2023-04-20 01:39:26 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:1888 https://access.redhat.com/errata/RHSA-2023:1888
Comment 25 errata-xmlrpc 2023-05-01 18:25:53 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2023:2061 https://access.redhat.com/errata/RHSA-2023:2061
Comment 26 errata-xmlrpc 2023-05-02 16:19:34 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2023:2083 https://access.redhat.com/errata/RHSA-2023:2083
Comment 27 errata-xmlrpc 2023-05-03 15:34:22 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2023:2098 https://access.redhat.com/errata/RHSA-2023:2098
Comment 28 errata-xmlrpc 2023-05-03 20:15:08 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2023:2104 https://access.redhat.com/errata/RHSA-2023:2104
Comment 29 errata-xmlrpc 2023-05-09 11:46:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2654 https://access.redhat.com/errata/RHSA-2023:2654
Comment 30 errata-xmlrpc 2023-05-09 11:46:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2655 https://access.redhat.com/errata/RHSA-2023:2655
Comment 31 Product Security DevOps Team 2023-05-09 20:33:31 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-25881
Comment 32 errata-xmlrpc 2023-06-27 11:29:02 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.4.3 GA

Via RHSA-2023:3815 https://access.redhat.com/errata/RHSA-2023:3815
Comment 34 errata-xmlrpc 2023-10-09 10:26:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533