Bug 2275280 (CVE-2024-1135)

Summary: CVE-2024-1135 python-gunicorn: HTTP Request Smuggling due to improper validation of Transfer-Encoding headers
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aarif, adudiak, aprice, bbuckingham, bcourt, bdettelb, caswilli, davidn, dfreiber, drow, eglynn, ehelms, epacific, gtanzill, hkataria, jburrell, jcammara, jhardy, jjoyce, jmitchel, jneedle, jobarker, jsamir, jschluet, jsherril, jtanner, kaycoth, kholdawa, kshier, lhh, lsvaty, lzap, mabashia, mburns, mgarciac, mhulan, mminar, mpierce, njohnston, nmoumoul, omaciel, orabin, pcreech, pgrist, psegedy, rbiba, rchan, sidakwo, simaishi, smcdonal, sskracic, stcannon, sthirugn, teagle, vkrizan, vkumar, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gunicorn 22.0.0 Doc Type: ---
Doc Text:
An HTTP Request Smuggling vulnerability was found in Gunicorn. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks, including cache poisoning, session manipulation, and data exposure.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2275349, 2275351, 2275348, 2275350, 2275352, 2275353, 2275354, 2275355, 2275356, 2275357, 2275358, 2277405, 2277406, 2277407, 2277408, 2279609    
Bug Blocks: 2275366    

Description Mauro Matteo Cascella 2024-04-16 12:32:26 UTC 
Gunicorn fails to properly validate Transfer-Encoding headers, leading to HTTP Request Smuggling (HRS) vulnerabilities. By crafting requests with conflicting Transfer-Encoding headers, attackers can bypass security restrictions and access restricted endpoints. This issue is due to Gunicorn's handling of Transfer-Encoding headers, where it incorrectly processes requests with multiple, conflicting Transfer-Encoding headers, treating them as chunked regardless of the final encoding specified. This vulnerability allows for a range of attacks including cache poisoning, session manipulation, and data exposure.

Huntr security advisory:
https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
Comment 1 Mauro Matteo Cascella 2024-04-16 12:37:23 UTC 
Upstream fix:
https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d
Comment 2 Mauro Matteo Cascella 2024-04-16 20:37:55 UTC 
Created graphite-web tracking bugs for this issue:

Affects: epel-all [bug 2275349]


Created python-gunicorn tracking bugs for this issue:

Affects: epel-all [bug 2275350]
Affects: fedora-all [bug 2275348]


Created python3-gunicorn tracking bugs for this issue:

Affects: epel-all [bug 2275351]
Comment 8 errata-xmlrpc 2024-05-22 20:43:00 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2727 https://access.redhat.com/errata/RHSA-2024:2727
Comment 9 errata-xmlrpc 2024-05-23 18:11:24 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2875 https://access.redhat.com/errata/RHSA-2024:2875
Comment 10 errata-xmlrpc 2024-05-29 15:42:17 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:3327 https://access.redhat.com/errata/RHSA-2024:3327
Comment 11 errata-xmlrpc 2024-05-30 00:39:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:3331 https://access.redhat.com/errata/RHSA-2024:3331
Comment 12 errata-xmlrpc 2024-06-10 18:37:43 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
Comment 13 errata-xmlrpc 2024-06-12 04:03:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:3713 https://access.redhat.com/errata/RHSA-2024:3713
Comment 14 errata-xmlrpc 2024-06-24 01:04:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:4054 https://access.redhat.com/errata/RHSA-2024:4054
Comment 16 errata-xmlrpc 2024-10-10 20:28:51 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.15 for RHEL 8

Via RHSA-2024:7987 https://access.redhat.com/errata/RHSA-2024:7987
Comment 17 errata-xmlrpc 2025-02-12 00:09:07 UTC 
This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2025:1335 https://access.redhat.com/errata/RHSA-2025:1335