1800364 – (CVE-2019-15605) CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header

Bug 1800364 (CVE-2019-15605) - CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encoding header

Summary: CVE-2019-15605 nodejs: HTTP request smuggling using malformed Transfer-Encodi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-15605
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1800371 1800372 1800373 1800374 1800375 1800376 1800377 1800378 1800379 1800380 1800381 1802486 1802487 1802488 1802489 1802490 1802501 1803853 1803854 1821340
Blocks:	1800362
TreeView+	depends on / blocked

Reported:	2020-02-07 00:12 UTC by Jason Shepherd
Modified:	2021-02-16 20:39 UTC (History)
CC List:	18 users (show)
Fixed In Version:	nodejs 10.19.0, nodejs 12.15.0, nodejs 13.8.0, http-parser 2.9.3
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.
Clone Of:
Environment:
Last Closed:	2020-02-24 15:49:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:0611	None	None	None	2020-02-26 11:52:40 UTC
Red Hat Product Errata	RHBA-2020:0612	None	None	None	2020-02-26 12:02:11 UTC
Red Hat Product Errata	RHBA-2020:0618	None	None	None	2020-02-26 15:00:43 UTC
Red Hat Product Errata	RHBA-2020:0626	None	None	None	2020-02-27 08:31:20 UTC
Red Hat Product Errata	RHBA-2020:0636	None	None	None	2020-02-27 15:53:25 UTC
Red Hat Product Errata	RHBA-2020:0646	None	None	None	2020-03-02 08:04:15 UTC
Red Hat Product Errata	RHBA-2020:0647	None	None	None	2020-03-02 08:01:53 UTC
Red Hat Product Errata	RHBA-2020:0648	None	None	None	2020-03-02 08:08:17 UTC
Red Hat Product Errata	RHBA-2020:0650	None	None	None	2020-03-02 10:20:42 UTC
Red Hat Product Errata	RHBA-2020:0736	None	None	None	2020-03-09 06:33:27 UTC
Red Hat Product Errata	RHSA-2020:0573	None	None	None	2020-02-24 12:53:48 UTC
Red Hat Product Errata	RHSA-2020:0579	None	None	None	2020-02-25 08:36:33 UTC
Red Hat Product Errata	RHSA-2020:0597	None	None	None	2020-02-25 13:04:40 UTC
Red Hat Product Errata	RHSA-2020:0598	None	None	None	2020-02-25 13:39:26 UTC
Red Hat Product Errata	RHSA-2020:0602	None	None	None	2020-02-25 15:53:20 UTC
Red Hat Product Errata	RHSA-2020:0703	None	None	None	2020-03-04 12:44:02 UTC
Red Hat Product Errata	RHSA-2020:0707	None	None	None	2020-03-04 17:17:06 UTC
Red Hat Product Errata	RHSA-2020:0708	None	None	None	2020-03-04 17:27:38 UTC
Red Hat Product Errata	RHSA-2020:1510	None	None	None	2020-04-21 11:14:30 UTC

Description Jason Shepherd 2020-02-07 00:12:24 UTC

Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system.

Downloads & release details

* Node.js v10.19.0 (LTS) - https://nodejs.org/en/blog/release/v10.19.0/
* Node.js v12.15.0 (LTS) - https://nodejs.org/en/blog/release/v12.15.0/
* Node.js v13.8.0 (LTS) - https://nodejs.org/en/blog/release/v13.8.0/

Comment 2 Doran Moppert 2020-02-07 00:58:41 UTC

Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1800376]

Comment 5 Jason Shepherd 2020-02-12 00:01:52 UTC

Also fixed in http-parser-js 2.9.3 see: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b

Comment 6 Jason Shepherd 2020-02-12 23:45:01 UTC

Actually the commit in the previous comment refers to the 'http-parser' c library that ships in Fedora and RHEL. Not the http-parser-js javascript library as previously mentioned.

Comment 7 Cedric Buissart 2020-02-13 10:21:12 UTC

Created http-parser tracking bugs for this issue:

Affects: fedora-all [bug 1802501]

Comment 8 Tomas Hoger 2020-02-13 20:37:44 UTC

External References:

https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/

Comment 11 Cedric Buissart 2020-02-14 12:14:30 UTC

HackerOne report (currently not public):
https://hackerone.com/reports/735748

Upstream commits :
* http-parser: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
* llhttp : https://github.com/nodejs/llhttp/commit/e19af786a172a8ba71a3d13fccc0fd4dfe4b1b94

Comment 14 errata-xmlrpc 2020-02-24 12:53:42 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573

Comment 15 Product Security DevOps Team 2020-02-24 15:49:45 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-15605

Comment 16 errata-xmlrpc 2020-02-25 08:36:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579

Comment 17 errata-xmlrpc 2020-02-25 13:04:38 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597

Comment 18 errata-xmlrpc 2020-02-25 13:39:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0598

Comment 19 errata-xmlrpc 2020-02-25 15:53:18 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602

Comment 20 errata-xmlrpc 2020-03-04 12:44:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0703 https://access.redhat.com/errata/RHSA-2020:0703

Comment 21 errata-xmlrpc 2020-03-04 17:17:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0707 https://access.redhat.com/errata/RHSA-2020:0707

Comment 22 errata-xmlrpc 2020-03-04 17:27:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0708 https://access.redhat.com/errata/RHSA-2020:0708

Comment 25 errata-xmlrpc 2020-04-21 11:14:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:1510 https://access.redhat.com/errata/RHSA-2020:1510

Note You need to log in before you can comment on or make changes to this bug.