1550671 – (CVE-2018-1067) CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Bug 1550671 (CVE-2018-1067) - CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)

Summary: CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1067
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1591095 1592645 1592646 1592647 1705077 1705078
Blocks:	1550674
TreeView+	depends on / blocked

Reported:	2018-03-01 18:45 UTC by Laura Pardo
Modified:	2021-02-17 00:44 UTC (History)
CC List:	108 users (show)
Fixed In Version:	undertow 7.1.2.CR1, undertow 7.1.2.GA
Clone Of:
Environment:
Last Closed:	2019-06-08 03:41:56 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:1247	None	None	None	2018-04-25 18:25:53 UTC
Red Hat Product Errata	RHSA-2018:1248	None	None	None	2018-04-25 18:23:07 UTC
Red Hat Product Errata	RHSA-2018:1249	None	None	None	2018-04-25 18:37:13 UTC
Red Hat Product Errata	RHSA-2018:1251	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.2 security update	2018-04-25 23:43:26 UTC
Red Hat Product Errata	RHSA-2018:2643	None	None	None	2018-09-04 13:45:25 UTC
Red Hat Product Errata	RHSA-2019:0877	None	None	None	2019-04-24 18:46:46 UTC
Red Hat Product Errata	RHSA-2020:2562	None	None	None	2020-06-15 16:14:15 UTC

Description Laura Pardo 2018-03-01 18:45:08 UTC

A flaw was reported in WildFly 12.0.0.CR1 web server is vulnerable to the injection of arbitrary HTTP Header due to insufficient sanitisation and validation of user UTF-8 encoded input before it is used as part of an HTTP header value.

Although there is a protection against CRLF injection by detecting the presence of a NewLine character (0x0a), it can be bypassed using characters encoded in UTF-8 as the page will try to convert them back to the original Unicode form and extract the last byte.

Comment 1 Bharti Kundal 2018-03-06 00:54:55 UTC

Acknowledgments:

Name: Ammarit Thongthua (Deloitte Thailand Pentest team), Nattakit Intarasorn (Deloitte Thailand Pentest team)

Comment 4 errata-xmlrpc 2018-04-25 18:22:36 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248

Comment 5 errata-xmlrpc 2018-04-25 18:25:20 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247

Comment 6 errata-xmlrpc 2018-04-25 18:36:37 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249

Comment 7 errata-xmlrpc 2018-04-25 19:45:13 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251

Comment 11 Doran Moppert 2018-06-19 03:57:42 UTC

Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1592646]


Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1592647]


Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1592645]

Comment 12 errata-xmlrpc 2018-09-04 13:44:55 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643

Comment 14 errata-xmlrpc 2019-04-24 18:46:43 UTC

This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877

Comment 19 errata-xmlrpc 2020-06-15 16:14:10 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2562 https://access.redhat.com/errata/RHSA-2020:2562

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
alazarot
alee
anstephe
asoldano
atangrin
avibelli
bbaranow
bdawidow
bgeorges
bmaxwell
bmcclain
brian.stansberry
ccoleman
cdewolf
chazlett
cmoulliard
coolsvap
csutherl
darran.lofthouse
dblechte
dedgar
dimitris
dkreling
dmcphers
dosoudil
drieden
eedri
etirelli
fgavrilo
gvarsami
gzaronik
hhorak
ibek
ivan.afonichev
iweiss
java-sig-commits
jawilson
jbalunas
jclere
jcoleman
jdoyle
jgoulding
jochrist
jondruse
jorton
jpadman
jpallich
jperkins
jshepherd
jwon
kconner
krathod
krzysztof.daniel
kverlaen
kwills
ldimaggi
lef
lgao
lpetrovi
lthon
mbabacek
mgoldboi
michal.skrivanek
mizdebsk
msochure
msvehla
mszynkie
myarboro
nwallace
paradhya
pdrozd
pgallagh
pgier
pjindal
pjurak
pmackay
ppalaga
psakar
pslavice
psotirop
puntogil
rguimara
rhcs-maint
rhel8-maint
rnetuka
rrajasek
rruss
rstancel
rsvoboda
rsynek
rwagner
rzhang
sbonazzo
sdaley
security-response-team
sherold
smaestri
sthorger
tcunning
tkirby
tom.jenkinson
trogers
twalsh
vtunka
weli
ykaul