In Twisted Web through 19.10.0, there was an HTTP request splitting vulnerability. When presented with a content-length and a chunked encoding header, the content-length took precedence and the remainder of the request body was interpreted as a pipelined request. Reference: https://know.bishopfox.com/advisories/twisted-version-19.10.0
Created python-twisted tracking bugs for this issue:
Affects: epel-8 [bug 1813450]
Affects: fedora-all [bug 1813449]
Affects: openstack-rdo [bug 1813448]
External References: https://github.com/twisted/twisted/blob/twisted-20.3.0/NEWS.rst
Upstream commit: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
Removed rhel-6/python-twisted-core and rhel-7/python-twisted-core entries from the affect list because those packages do not contain the vulnerable code. The vulnerability is in the web part of the twisted framework.
rhel-6/python-twisted-web is not affected by this flaw because the logic in function headerReceived() is a bit different from the vulnerable version, so even if both Content-Length and Transfer-Encoding are specified, the Transfer-Encoding one will have precedence over the Content-Length.
Impact of the flaw set to Important as nowadays it is considered common practice to have a proxy/load-balancer before a web service, so HTTP request smuggling attacks are more relevant. That said, the kind of impact these flaws can have can vary a lot based on the application, the infrastructure and the configuration.
Twisted can be used both as a back-end and as a front-end (e.g. proxy) and this flaw affects both settings.
Mitigation: When python-twisted-web is used as the back-end of your infrastructure, you can partially mitigate the problem by ensuring that each request on the front-end component (e.g. proxy) is sent over a separate network connection to the python-twisted-web server. This will prevent interference between different users, but it will not prevent all possible attacks that can be performed, which would vary based on the infrastructure and application in use.
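As an added illustration of the header ambiguity described in the first comment and of the precedence rule mentioned in the rhel-6 note (example code, not Twisted's own), the function below classifies how a request body is framed: by default it applies the RFC 7230 rule that Transfer-Encoding wins and flags requests carrying both headers so a front end can reject them, and the `content_length_first` switch reproduces the pre-fix precedence for comparison. The request bytes and the parameter names are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed request head carrying both framing headers (the case in this bug).
AMBIGUOUS_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Map lower-cased header names to a list of values for the head of a raw
    HTTP/1.x request. Values stay in a list so duplicates remain visible."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def classify_framing(raw: bytes, content_length_first: bool = False) -> dict:
    """Decide how the body is delimited and whether the request is ambiguous.
    Default: RFC 7230 section 3.3.3, Transfer-Encoding takes precedence.
    content_length_first=True mirrors the pre-fix precedence the bug describes."""
    h = parse_headers(raw)
    te, cl = h.get("transfer-encoding", []), h.get("content-length", [])
    out = {"framing": "none", "ambiguous": bool(te and cl)}
    codings = [c.strip().lower() for v in te for c in v.split(",")]
    if te and cl and content_length_first:
        # Legacy behaviour: the body is read by Content-Length and whatever
        # follows is parsed as the next pipelined request.
        out["framing"] = "content-length"
        return out
    if te:
        # Only a final "chunked" coding yields a well-defined message length.
        out["framing"] = "chunked" if codings and codings[-1] == "chunked" else "reject"
    elif cl:
        # Every Content-Length value must be one identical decimal number.
        valid = len(set(cl)) == 1 and re.fullmatch(r"[0-9]+", cl[0]) is not None
        out["framing"] = "content-length" if valid else "reject"
    return out
```

A front end that sees `ambiguous` set to True, or a framing of `reject`, should answer 400 and close the connection rather than forward the request.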
First upstream version to introduce this issue is twisted-9.0.0. The first vulnerable commit appears to be: https://github.com/twisted/twisted/commit/54898f28f4bab89cef9ab8f0c78c748b560c4e22
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:1561 https://access.redhat.com/errata/RHSA-2020:1561
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10109
Statement: Although Red Hat OpenStack Platform packages the flawed code, python-twisted's web.HTTP functionality is not used in the RHOSP environment. For this reason, the RHOSP impact has been lowered to moderate and no update will be provided at this time for the RHOSP python-twisted package. OpenShift Container Platform 4.3 and later includes `python-twisted` as a dependency of `python-prometheus_client` in Ironic container images; however, the affected code is not used. Red Hat Satellite uses affected versions of the `python-twisted` and `python-twisted-web` modules in Pulp; however, it is not vulnerable since the `http` module of the web implementation is not exposed in the product. Red Hat Satellite may update `python-twisted` and `python-twisted-web` in the future. This issue affects the version of python-twisted (embedded in calamari-server) shipped with Red Hat Ceph Storage 2. However, calamari is no longer supported, hence the embedded python-twisted package will not be fixed.