Fedora Account System
Red Hat Associate
Red Hat Customer
In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with two content-length headers, it ignored the first header. When the second content-length value was set to zero, the request body was interpreted as a pipelined request. Reference: https://know.bishopfox.com/advisories/twisted-version-19.10.0
Created python-twisted tracking bugs for this issue: Affects: epel-8 [bug 1813442] Affects: fedora-all [bug 1813441] Affects: openstack-rdo [bug 1813440]
External References: https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst
Upstream commit: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework.
Function headerReceived() in http.py does not check whether a previous Content-Length header was already parsed, so when an attacker specifies two times the Content-Length, only the last one would be considered. However this is not the right behaviour according to RFC7230, so it can result in an HTTP request smuggling attack in case a proxy/firewall or another not-vulnerable component is placed before/after twisted.
Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP requests smuggling attacks are more relevant. That said, the kind of impact these flaws can do can vary a lot based on the application, the infrastructure and the configuration.
Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings.
Mitigation: When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10108
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:1962 https://access.redhat.com/errata/RHSA-2020:1962
Statement: OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images, however the affected code is not used. Red Hat OpenStack Platform packages the flawed code, however python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate and no update will be provided at this time for the RHOSP python-twisted package. Red Hat Satellite uses affected versions of `python-twisted` and `python-twisted-web` modules in Pulp, however, it is not vulnerable since `http` modal of web implementation is not expose in product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in future. This issue affects the version of python-twisted(embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.