Bug 1901304 (CVE-2020-27782) - CVE-2020-27782 undertow: special character in query results in server errors
Summary: CVE-2020-27782 undertow: special character in query results in server errors
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27782
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1901234
TreeView+ depends on / blocked
 
Reported: 2020-11-24 19:48 UTC by Chess Hazlett
Modified: 2021-12-14 21:33 UTC (History)
93 users (show)

See Also:
Fixed In Version: Undertow 2.1.5.SP1, Undertow 2.0.33.SP2, Undertow 2.2.3.SP1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-01-25 16:47:10 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0246 0 None None None 2021-01-25 16:29:18 UTC
Red Hat Product Errata RHSA-2021:0247 0 None None None 2021-01-25 16:34:00 UTC
Red Hat Product Errata RHSA-2021:0248 0 None None None 2021-01-25 16:38:38 UTC
Red Hat Product Errata RHSA-2021:0250 0 None None None 2021-01-25 16:19:36 UTC
Red Hat Product Errata RHSA-2021:0295 0 None None None 2021-02-08 09:07:24 UTC
Red Hat Product Errata RHSA-2021:0327 0 None None None 2021-02-01 18:56:39 UTC
Red Hat Product Errata RHSA-2021:3205 0 None None None 2021-08-18 09:13:31 UTC
Red Hat Product Errata RHSA-2021:3207 0 None None None 2021-08-18 09:54:56 UTC
Red Hat Product Errata RHSA-2021:3425 0 None None None 2021-09-09 06:19:11 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:33:08 UTC

Description Chess Hazlett 2020-11-24 19:48:03 UTC
undertow handles certain query string characters improperly. An attacker could use this flaw to send a malicious request and trigger server errors, resulting in denial of service.

Comment 2 Jean-frederic Clere 2020-11-26 07:41:33 UTC
The description is wrong, that is not a mod_cluster bug that is a general AJP problem, it affects mod_jk and mod_proxy_ajp.
The work-around is easy: use HTTP/1.1 instead AJP to proxy to the back-end.

I confirm the problem is for example in https://github.com/apache/httpd/blob/trunk/modules/proxy/ajp_header.c#L327
The query string is copied to AJP payload without any checks.
and the same for mod_jk see https://github.com/apache/tomcat-connectors/blob/master/native/apache-2.0/mod_jk.c#L969

The checks can also be done in the AJP of tomcat/undertow to reject URL/query string that are not conforming to RFC 7230 and RFC 398.

The problem needs to be reported to the ASF httpd and tomcat security lists for further investigations.

Comment 3 Jean-frederic Clere 2020-11-26 07:53:15 UTC
Also note that only undertow seems to create a deny of service because it doesn't return anything to httpd and close the session abruptly and that marks the node as broken.

Tomcat AJP just wrongly process the illegal request so it is up to the webapp to process the query string and reject it.

Comment 4 Jean-frederic Clere 2020-11-26 08:08:48 UTC
Also a note from https://issues.redhat.com/browse/JBCS-1019: "Note that the AJP issue was discovered by Richard Opalka <ropalka@redhat.com>"

Comment 26 Kunjan Rathod 2021-01-25 06:17:05 UTC
Mitigation:

The issue can be mitigated by using HTTP/1.1 instead of AJP to proxy to the back-end.

Comment 28 errata-xmlrpc 2021-01-25 16:19:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250

Comment 29 errata-xmlrpc 2021-01-25 16:29:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246

Comment 30 errata-xmlrpc 2021-01-25 16:33:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247

Comment 31 errata-xmlrpc 2021-01-25 16:38:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248

Comment 32 Product Security DevOps Team 2021-01-25 16:47:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27782

Comment 33 errata-xmlrpc 2021-02-01 18:57:20 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.5

Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327

Comment 34 errata-xmlrpc 2021-02-08 09:07:06 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2021:0295 https://access.redhat.com/errata/RHSA-2021:0295

Comment 37 errata-xmlrpc 2021-08-18 09:13:26 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205

Comment 38 errata-xmlrpc 2021-08-18 09:54:53 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207

Comment 39 errata-xmlrpc 2021-09-09 06:19:06 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.3.10

Via RHSA-2021:3425 https://access.redhat.com/errata/RHSA-2021:3425

Comment 41 errata-xmlrpc 2021-12-14 21:33:04 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134


Note You need to log in before you can comment on or make changes to this bug.