Bug 1481665 (CVE-2017-7559) - CVE-2017-7559 undertow: HTTP Request smuggling vulnerability (incomplete fix of CVE-2017-2666)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-7559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1481666 1520314 1527613
Reported: 2017-08-15 12:01 UTC by Adam Mariš
Modified: 2021-02-17 01:43 UTC (History)

Fixed In Version: undertow 1.3.34.Final, undertow 1.4.23.Final, undertow 2.0.1.Final
Doc Type: If docs needed, set a value
Doc Text:
It was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:20:47 UTC
Embargoed:




Links (System | ID | Private | Priority | Status | Summary | Last Updated)
Red Hat Product Errata | RHSA-2017:3454 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update | 2017-12-13 22:48:09 UTC
Red Hat Product Errata | RHSA-2017:3455 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update | 2017-12-13 22:57:25 UTC
Red Hat Product Errata | RHSA-2017:3456 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update | 2017-12-13 22:31:03 UTC
Red Hat Product Errata | RHSA-2017:3458 | 0 | normal | SHIPPED_LIVE | Important: eap7-jboss-ec2-eap security update | 2017-12-13 23:26:13 UTC
Red Hat Product Errata | RHSA-2018:0002 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 6 | 2018-01-03 15:30:20 UTC
Red Hat Product Errata | RHSA-2018:0003 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update | 2018-01-03 15:20:33 UTC
Red Hat Product Errata | RHSA-2018:0004 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 7.0.9 security update on RHEL 7 | 2018-01-03 15:31:14 UTC
Red Hat Product Errata | RHSA-2018:0005 | 0 | normal | SHIPPED_LIVE | Important: eap7-jboss-ec2-eap security update | 2018-01-03 15:49:39 UTC
Red Hat Product Errata | RHSA-2018:1322 | 0 | None | None | None | 2018-05-03 19:05:08 UTC

Description Adam Mariš 2017-08-15 12:01:20 UTC
It was found that the original patch for the CVE-2017-2666 issue in undertow was incomplete and invalid characters are still allowed in the query string and path parameters.
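The Doc Text above describes the defect as invalid characters still being accepted in the query string and path, which only becomes exploitable when a proxy in front of the server interprets those same characters differently. The check a defender wants on the server side is a strict request-target filter. The following is an added example written for this page, not Undertow's own parser or code from the linked errata: it validates an origin-form request-target against the RFC 3986 character classes and reports every character outside them, so the server never has to guess how an upstream proxy read the request.

```python
import string

# RFC 3986 character classes. Hypothetical validator for this example only;
# it is not Undertow's parser and does not reproduce its behaviour.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
SUB_DELIMS = set("!$&'()*+,;=")
PCHAR = UNRESERVED | SUB_DELIMS | set(":@")   # pchar without pct-encoded
PATH_CHARS = PCHAR | {"/"}                     # path-absolute = "/" *pchar
QUERY_CHARS = PCHAR | {"/", "?"}               # query = *( pchar / "/" / "?" )
HEXDIGITS = set(string.hexdigits)

def _check_component(value, allowed, name):
    """Return one problem string per defect in a single path or query component."""
    problems = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            # pct-encoded is exactly "%" HEXDIG HEXDIG; anything else is a defect
            if i + 2 >= len(value) or value[i + 1] not in HEXDIGITS or value[i + 2] not in HEXDIGITS:
                problems.append(f"{name}: malformed percent-encoding at offset {i}")
                i += 1
            else:
                i += 3
            continue
        if ch not in allowed:
            # Catches CR, LF, NUL, space, other controls, non-ASCII and unlisted ASCII
            problems.append(f"{name}: disallowed character {ch!r} at offset {i}")
        i += 1
    return problems

def validate_request_target(target):
    """Validate an origin-form request-target ("/path?query").

    Returns [] when every character is permitted, otherwise one entry per
    defect. A server that rejects on a non-empty result leaves no room for
    an upstream proxy to interpret those characters differently."""
    if not target.startswith("/"):
        return ["request-target must be origin-form starting with '/'"]
    path, sep, query = target.partition("?")
    problems = _check_component(path, PATH_CHARS, "path")
    if sep:
        problems += _check_component(query, QUERY_CHARS, "query")
    return problems

if __name__ == "__main__":
    # Constructed sample request-targets, not taken from the bug report
    for sample in ["/app/item;v=1?q=a%20b", "/app?q=a b", "/app?q=%zz", "/p?q=a\r\nb"]:
        print(repr(sample), validate_request_target(sample) or "ok")
```

Matrix parameters (`;v=1`) and properly encoded data pass, while raw spaces, CR/LF, NUL, non-ASCII and broken percent-escapes are each reported with their offset.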

Comment 1 Adam Mariš 2017-08-15 12:01:36 UTC
Acknowledgments:

Name: Stuart Douglas (Red Hat)

Comment 3 errata-xmlrpc 2017-12-13 17:37:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 4 errata-xmlrpc 2017-12-13 18:29:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 5 errata-xmlrpc 2017-12-13 18:44:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 6 errata-xmlrpc 2017-12-13 18:55:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Comment 7 Salvatore Bonaccorso 2017-12-28 08:36:24 UTC
Hi

Do you have any further information about which upstream change fixes the issue? Is there an upstream issue reported for that?

Regards,
Salvatore

Comment 8 Fabio Olive Leite 2017-12-28 17:21:09 UTC
Setting needinfo to Bharti Kundal so that she sees it.

Comment 11 errata-xmlrpc 2018-01-03 10:21:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003

Comment 12 errata-xmlrpc 2018-01-03 10:32:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002

Comment 13 errata-xmlrpc 2018-01-03 10:35:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004

Comment 14 errata-xmlrpc 2018-01-03 10:51:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005

Comment 15 Bharti Kundal 2018-01-04 08:18:51 UTC
(In reply to Salvatore Bonaccorso from comment #7)
> Hi
> 
> Do you have any further information about which upstream change fixes the issue? Is
> there an upstream issue reported for that?
> 
> Regards,
> Salvatore

Hi Salvatore,

The upstream JIRA is https://issues.jboss.org/browse/UNDERTOW-1251. You can get more information from there.

Thanks and Regards,
Bharti

Comment 16 Markus Koschany 2018-01-31 22:20:30 UTC
We tried to find more information about CVE-2017-7559 and CVE-2017-12165 but could not find any in undertow's bug tracker. For both issues you pointed us to https://issues.jboss.org/browse/UNDERTOW-1251. 

UNDERTOW-1251 is about CVE-2017-2666 though. What are the corresponding issues for CVE-2017-7559 and CVE-2017-12165?

Thanks,

Markus

Comment 17 Yogendra Jog 2018-02-01 11:56:51 UTC
Setting needinfo to Bharti Kundal so that she sees it.

Comment 20 errata-xmlrpc 2018-05-03 19:04:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2018:1322 https://access.redhat.com/errata/RHSA-2018:1322

Comment 21 Gabriel Rocha 2019-01-15 06:55:52 UTC
Chess, can you sort this out and close off that needinfo as needed? Thanks!

Comment 26 Paramvir jindal 2019-10-15 11:16:16 UTC
Since this is fixed in undertow 2.0.1.Final already, I am marking RHSSO 7.3.3 (latest as of today) as not affected, as it ships undertow 2.0.22.Final.

Comment 27 Paramvir jindal 2019-10-15 11:17:40 UTC
Marking fuse 6 as ooss, as this flaw is moderate and for fuse 6 we do only important and critical flaws.

