Bug 2169924 (CVE-2021-37533)

Summary: CVE-2021-37533 apache-commons-net: FTP client trusts the host from PASV response by default
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abenaiss, aileenc, alampare, alazarot, asoldano, ataylor, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, eglynn, ellin, emingora, fjuma, fmongiar, gjospin, gmalinko, hbraun, hhorak, ibek, ivassile, iweiss, janstey, jburrell, jcantril, jjoyce, jnethert, jorton, jpavlik, jpoth, jrokos, jross, kverlaen, lbacciot, lgao, lhh, lpeer, mburns, mgarciac, mizdebsk, mkolesni, mnovotny, mokumar, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, periklis, pjindal, pmackay, pskopek, rguimara, rjohnson, rogbas, rrajasek, rstancel, scohen, scorneli, shbose, smaestri, spower, sthorger, tcunning, tmielke, tom.jenkinson, vkumar, yfang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: apache-commons-net 3.9.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons Net's FTP client, which trusts the host from the PASV response by default. A malicious server could redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This issue could lead to leakage of information about services running on the client's private network.
Last Closed: 2023-05-03 19:44:11 UTC
Bug Depends On: 2171850, 2171851, 2171852, 2171853, 2171854, 2171855, 2171856, 2171857
Bug Blocks: 2150644

Description TEJ RATHI 2023-02-15 06:17:05 UTC
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.
The default in version 3.9.0 is now false to ignore such hosts, as cURL does. 

https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
https://issues.apache.org/jira/browse/NET-711
https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974
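
The PASV handling this report describes, as an added Python example that is not part of Commons Net or of this bug's own material: it parses a 227 reply and shows the pre-3.9.0 behaviour (use the host the server advertises) beside the 3.9.0 default (ignore that host and reuse the control-connection host, as cURL does), plus a check that flags a reply pointing at a private address. The sample reply and the server address are constructed; the function names are mine, not the library's.

```python
import re
from ipaddress import ip_address

# Constructed sample: a 227 reply from a hostile server that points the
# client at a host on the client's own private network (not a real capture).
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"
CONTROL_HOST = "203.0.113.7"  # documentation-range address standing in for the server

_PASV_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv(reply):
    """Return the (host, port) advertised in a 227 reply, or raise ValueError."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in reply")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 in reply")
    return host, port


def data_endpoint(reply, control_host, trust_pasv_host=False):
    """Choose the host:port for the data connection.

    trust_pasv_host=True reproduces the pre-3.9.0 default (the CVE): the server
    picks the host. False is the 3.9.0 default: keep the port from the reply but
    connect back to the host the control connection already uses.
    """
    pasv_host, port = parse_pasv(reply)
    return (pasv_host if trust_pasv_host else control_host), port


def redirect_warning(reply, control_host):
    """Defensive check: describe a reply that advertises a host other than the
    control host, marking private-range targets, which is the CVE's concern.
    Returns None when the reply is consistent with the control connection."""
    pasv_host, port = parse_pasv(reply)
    if pasv_host == control_host:
        return None
    kind = "private" if ip_address(pasv_host).is_private else "foreign"
    return "server advertised %s host %s:%d; data connection kept on %s" % (
        kind, pasv_host, port, control_host)
```

In Commons Net 3.9.0 the corresponding switch is `FTPClient.setIpAddressFromPasvResponse(boolean)`, which defaults to false.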

Comment 11 errata-xmlrpc 2023-05-03 14:06:50 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 12 Product Security DevOps Team 2023-05-03 19:44:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-37533

Comment 15 errata-xmlrpc 2023-06-19 16:32:37 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.13.3

Via RHSA-2023:3667 https://access.redhat.com/errata/RHSA-2023:3667