Bug 2170242 (CVE-2023-25577)

Summary: CVE-2023-25577 python-werkzeug: high resource usage when parsing multipart form data with many fields
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: amctagga, aoconnor, apevec, bcl, bdettelb, bniver, dfreiber, eglynn, flucifre, gmeno, gtanzill, jburrell, jjoyce, lhh, manisandro, mbenjamin, mburns, mgarciac, mhackett, mminar, njohnston, nobody, rbiba, rhos-maint, rogbas, scohen, sostapov, spower, sskracic, trathi, vereddy, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: python-werkzeug 2.2.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in python-werkzeug. Werkzeug is multipart form data parser, that will parse an unlimited number of parts, including file parts. These parts can be a small amount of bytes, but each requires CPU time to parse, and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage, allowing an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests, and if many concurrent requests are sent continuously, this can exhaust or kill all available workers.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-15 23:58:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2254403, 2170244, 2170246, 2170248, 2170250, 2170253, 2170255, 2170256, 2170259, 2170261, 2170262, 2170264, 2170266, 2170272, 2170273, 2170274, 2170275, 2170319, 2170320, 2170321, 2170322, 2170323, 2170324, 2170325, 2172263, 2173736, 2188442, 2351737    
Bug Blocks: 2169911    

Description Anten Skrabec 2023-02-16 00:10:01 UTC 
Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
Comment 1 Anten Skrabec 2023-02-16 00:20:23 UTC 
Created cascadia-code-fonts tracking bugs for this issue:

Affects: fedora-36 [bug 2170248]


Created jetbrains-mono-fonts tracking bugs for this issue:

Affects: fedora-36 [bug 2170250]


Created mingw-python-werkzeug tracking bugs for this issue:

Affects: fedora-all [bug 2170261]


Created mote tracking bugs for this issue:

Affects: epel-7 [bug 2170244]


Created ndiscover-exo-2-fonts tracking bugs for this issue:

Affects: fedora-37 [bug 2170262]


Created openstack-vitrage tracking bugs for this issue:

Affects: openstack-rdo [bug 2170264]


Created oraculum tracking bugs for this issue:

Affects: fedora-36 [bug 2170253]


Created python-flask-caching tracking bugs for this issue:

Affects: fedora-36 [bug 2170255]


Created python-tilestache tracking bugs for this issue:

Affects: fedora-36 [bug 2170256]


Created python-werkzeug tracking bugs for this issue:

Affects: fedora-all [bug 2170259]
Affects: openstack-rdo [bug 2170266]


Created python3-werkzeug tracking bugs for this issue:

Affects: epel-7 [bug 2170246]
Comment 8 errata-xmlrpc 2023-02-28 15:47:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:1018 https://access.redhat.com/errata/RHSA-2023:1018
Comment 9 Sandro Mani 2023-03-07 08:42:02 UTC 
Patch: https://github.com/pallets/werkzeug/commit/517cac5a804e8c4dc4ed038bb20dacd038e7a9f1
Fixed in werkzeug-2.2.3
Comment 10 errata-xmlrpc 2023-03-15 19:56:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2
  Red Hat OpenStack Platform 13.0 Octavia - ELS

Via RHSA-2023:1281 https://access.redhat.com/errata/RHSA-2023:1281
Comment 11 Product Security DevOps Team 2023-03-15 23:58:27 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-25577
Comment 15 errata-xmlrpc 2023-05-17 22:53:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325
Comment 17 errata-xmlrpc 2023-11-29 12:08:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:7473 https://access.redhat.com/errata/RHSA-2023:7473
Comment 18 errata-xmlrpc 2023-11-30 14:35:02 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2023:7341 https://access.redhat.com/errata/RHSA-2023:7341