Bug 2238034 (CVE-2023-4853)

Summary: CVE-2023-4853 quarkus: HTTP security policy bypass
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adupliak, aileenc, alampare, alazarot, anstephe, avibelli, bgeorges, caswilli, chazlett, clement.escoffier, cmiranda, dandread, dhanak, dkreling, dsimansk, emingora, eric.wittmann, fjansen, fmongiar, ggastald, gjospin, gsmet, ibek, janstey, jmartisk, jnethert, jrokos, jsamir, jwon, kaycoth, kverlaen, lbacciot, lball, lthon, matzew, max.andersen, mnovotny, pantinor, pcongius, peholase, pgallagh, pjindal, probinso, rguimara, rhuss, rruss, rsvoboda, saroy, sbiarozk, security-response-team, sthirugn, tqvarnst, vkrizan, vsroka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: quarkus 2.16.11.Final, quarkus 3.2.6.Final, quarkus 3.3.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2237893    

Description Chess Hazlett 2023-09-08 16:29:40 UTC 
Quarkus using HTTP security policies was found to not sanitize certain character permutations correctly when accepting requests, resulting in problematic request resolution. An attacker could use this flaw to bypass the security policy altogether, resulting in unauthorized information or function access, and possibly even denial of service.
Comment 8 errata-xmlrpc 2023-09-14 14:33:00 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2023:5170 https://access.redhat.com/errata/RHSA-2023:5170
Comment 13 errata-xmlrpc 2023-09-20 07:40:53 UTC 
This issue has been addressed in the following products:

  Red Hat Camel Extensions for Quarkus 2.13.3-1

Via RHSA-2023:5310 https://access.redhat.com/errata/RHSA-2023:5310
Comment 15 errata-xmlrpc 2023-09-21 19:07:21 UTC 
This issue has been addressed in the following products:

  RHINT Camel-K-1.10.2

Via RHSA-2023:5337 https://access.redhat.com/errata/RHSA-2023:5337
Comment 17 errata-xmlrpc 2023-10-04 16:04:03 UTC 
This issue has been addressed in the following products:

  Red Hat build of OptaPlanner Text-Only advisories

Via RHSA-2023:5446 https://access.redhat.com/errata/RHSA-2023:5446
Comment 18 errata-xmlrpc 2023-10-05 14:36:44 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:5479 https://access.redhat.com/errata/RHSA-2023:5479
Comment 19 errata-xmlrpc 2023-10-05 15:25:34 UTC 
This issue has been addressed in the following products:

  RHOSS-1.30-RHEL-8

Via RHSA-2023:5480 https://access.redhat.com/errata/RHSA-2023:5480
Comment 21 errata-xmlrpc 2023-10-25 12:35:21 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:6107 https://access.redhat.com/errata/RHSA-2023:6107
Comment 22 errata-xmlrpc 2023-10-25 13:03:41 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:6112 https://access.redhat.com/errata/RHSA-2023:6112
Comment 24 errata-xmlrpc 2023-12-05 14:36:38 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.5.4 GA

Via RHSA-2023:7653 https://access.redhat.com/errata/RHSA-2023:7653