Bug 1700824 (CVE-2019-11236) - CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' sequence leading to possible attack on internal service
Summary: CVE-2019-11236 python-urllib3: CRLF injection due to not encoding the '\r\n' ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1697191 1697193 1707088 1724439 1775364 1778101 1778103 1778107 1778113 1778114 1778115 1805087 1805089 1697188 1697189 1697190 1697192 1700825 1703360 1703361 1703363 1703458 1706762 1775363 1775365 1778100 1778108 1778109 1778116 1778117 1805086 1805088
Blocks: 1700840
TreeView+ depends on / blocked
 
Reported: 2019-04-17 12:48 UTC by Marian Rehak
Modified: 2020-03-18 04:36 UTC (History)
73 users (show)

Fixed In Version: python-urllib3 1.24.3, python-urllib3 1.25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 19:20:56 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2272 None None None 2019-08-06 12:34:22 UTC
Red Hat Product Errata RHSA-2019:3335 None None None 2019-11-05 20:38:13 UTC
Red Hat Product Errata RHSA-2019:3590 None None None 2019-11-05 21:16:13 UTC
Red Hat Product Errata RHSA-2020:0850 None None None 2020-03-17 16:18:30 UTC
Red Hat Product Errata RHSA-2020:0851 None None None 2020-03-17 16:18:53 UTC

Description Marian Rehak 2019-04-17 12:48:04 UTC
The current implementation of python-urllib3 does not encode the ‘\r\n’ sequence in the query string, which allowed the attacker to manipulate a HTTP header with the ‘\r\n’ sequence in it, so the attacker could insert arbitrary content to the new line of the HTTP header.

External References:
https://bugs.python.org/issue36276

Comment 1 Marian Rehak 2019-04-17 12:48:17 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1700825]

Comment 8 Hardik Vyas 2019-04-26 14:02:44 UTC
This issue is reproducible on Red Hat Gluster Storage 3, successfully injected the HTTP header. If an attacker manages to place a CRLF then he could exploit this vulnerability.

Comment 13 Nick Tait 2019-05-06 19:12:41 UTC
All supported versions of Red Hat OpenStack Platform are affected by this flaw.

Comment 14 Nick Tait 2019-05-06 19:12:54 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: openstack-rdo [bug 1707088]

Comment 15 Doran Moppert 2019-06-27 06:19:08 UTC
Statement:

This issue affects the version of python-urllib3 shipped with Red Hat Gluster Storage 3, as it is vulnerable to CRLF injection.

Red Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected critical and important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information.

Comment 18 errata-xmlrpc 2019-08-06 12:34:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2272 https://access.redhat.com/errata/RHSA-2019:2272

Comment 19 Product Security DevOps Team 2019-08-06 19:20:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11236

Comment 20 errata-xmlrpc 2019-11-05 20:38:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335

Comment 21 errata-xmlrpc 2019-11-05 21:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3590 https://access.redhat.com/errata/RHSA-2019:3590

Comment 22 Riccardo Schirone 2019-11-21 15:42:57 UTC
Upstream patch for 1.24 versions:
https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162

Comment 23 Tomas Hoger 2019-11-21 19:31:42 UTC
There are actually 2 related patches for 1.24:

https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162

The second one is the one linked from comment 22 above, and it needs to be applied on top of the first one.  Both patches mention CVE-2019-9740 in the commit message, which is the CVE for similar problem in urllib/urllib2 that is part of Python standard library.

Comment 24 Tomas Hoger 2019-11-21 19:38:11 UTC
Created python-pip tracking bugs for this issue:

Affects: epel-6 [bug 1775364]
Affects: fedora-all [bug 1775363]


Created python-pip-epel tracking bugs for this issue:

Affects: epel-7 [bug 1775365]

Comment 25 Tomas Hoger 2019-11-29 10:24:18 UTC
Created python-virtualenv tracking bugs for this issue:

Affects: epel-6 [bug 1778101]
Affects: fedora-30 [bug 1778100]


Created python3-virtualenv tracking bugs for this issue:

Affects: epel-7 [bug 1778103]

Comment 28 errata-xmlrpc 2020-03-17 16:18:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0850 https://access.redhat.com/errata/RHSA-2020:0850

Comment 29 errata-xmlrpc 2020-03-17 16:18:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0851 https://access.redhat.com/errata/RHSA-2020:0851


Note You need to log in before you can comment on or make changes to this bug.