Bug 1928904 (CVE-2021-23336) - CVE-2021-23336 python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in query parameters
Keywords:
Status: NEW
Alias: CVE-2021-23336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1928913 1928916 1931540 1931552 1931553 1931554 1931555 1931557 1931559 1931562 1931563 1932703 1933175 1933758 1933762 1933763 1933764 1933765 1934031 1935336 1936865 1936992 1928906 1928907 1928908 1928909 1928910 1928911 1928912 1928914 1928915 1928917 1928918 1928919 1928920 1928921 1928923 1931539 1931541 1931542 1931556 1931560 1931561 1932706 1932707 1932708 1933759
Blocks: 1928925
 
Reported: 2021-02-15 19:42 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-05-07 08:40 UTC
CC List: 66 users

Fixed In Version: python 3.6.13, python 3.7.10, python 3.8.8, python 3.9.2
Doc Type: If docs needed, set a value
Doc Text:
The package python/cpython is vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.
Clone Of:
Environment:
Last Closed:



Description Guilherme de Almeida Suckevicz 2021-02-15 19:42:57 UTC
The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before 3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

Reference:
https://bugs.python.org/issue42967
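Worked illustration of the parameter-cloaking mismatch described above. This is an added example, not code from the bug report or from CPython; the cache-key logic, the keyed-parameter set and the request strings are constructed for the demonstration, and the legacy (both-separator) parser is re-implemented here rather than taken from an unfixed interpreter. It assumes a Python with the `separator` keyword on `urllib.parse.parse_qs` (3.6.13 / 3.7.10 / 3.8.8 / 3.9.2 or later).

```python
"""Added example: simulate a cache proxy that splits only on '&' in front of
an application that (pre-fix) also splits on ';', and detect the parameters
that only the application will see."""
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed for the example: the proxy keys its cache on these names only;
# anything else (e.g. utm_* tracking parameters) is "unkeyed".
KEYED_PARAMS = {"page"}


def proxy_cache_key(path, query):
    """Proxy side: split on '&' only (the common proxy default) and build
    the cache key from keyed parameters. Two requests with the same key are
    the same cache entry as far as the proxy is concerned."""
    keyed = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        name = unquote_plus(name)
        if name in KEYED_PARAMS:
            keyed.append((name, unquote_plus(value)))
    return path + "?" + "&".join(f"{n}={v}" for n, v in sorted(keyed))


def legacy_parse_qs(query):
    """Application side, pre-fix behaviour: both '&' and ';' are separators
    (re-implementation of the old urllib.parse.parse_qs splitting)."""
    result = {}
    for pair in re.split(r"[&;]", query):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        result.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return result


def fixed_parse_qs(query):
    """Application side, fixed behaviour: '&' is the only separator.
    Passing separator= explicitly also documents the application's choice."""
    return parse_qs(query, separator="&")


def hidden_parameters(query):
    """Names that a ';'-splitting application sees but a '&'-only parser
    (the proxy, or fixed Python) does not: the cloaked parameters."""
    return set(legacy_parse_qs(query)) - set(fixed_parse_qs(query))


if __name__ == "__main__":
    benign = "page=1&utm_source=newsletter"
    # The ';' hides 'callback' inside the unkeyed utm_source value.
    cloaked = "page=1&utm_source=x;callback=alert(1)"
    for q in (benign, cloaked):
        print("proxy key :", proxy_cache_key("/search", q))
        print("legacy app:", legacy_parse_qs(q))
        print("fixed app :", fixed_parse_qs(q))
        print("cloaked   :", hidden_parameters(q))
```

Both requests map to the same cache key, so a response generated by the legacy application for the cloaked request (where `callback` is a live parameter) can be served from cache to everyone who sends the benign one. With the fixed parser the semicolon stays inside the `utm_source` value and proxy and application agree again; `hidden_parameters` is the check to run on the separators in use before deciding which behaviour an application relies on.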

Comment 1 Guilherme de Almeida Suckevicz 2021-02-15 19:44:45 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 1928912]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 1928916]


Created python26 tracking bugs for this issue:

Affects: fedora-all [bug 1928906]


Created python27 tracking bugs for this issue:

Affects: fedora-all [bug 1928913]


Created python3 tracking bugs for this issue:

Affects: fedora-all [bug 1928907]


Created python3.10 tracking bugs for this issue:

Affects: fedora-all [bug 1928908]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 1928917]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 1928918]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 1928919]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 1928920]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 1928921]


Created python34 tracking bugs for this issue:

Affects: epel-all [bug 1928923]
Affects: fedora-all [bug 1928909]


Created python35 tracking bugs for this issue:

Affects: fedora-all [bug 1928910]


Created python36 tracking bugs for this issue:

Affects: fedora-all [bug 1928911]


Created python37 tracking bugs for this issue:

Affects: fedora-all [bug 1928914]


Created python39 tracking bugs for this issue:

Affects: fedora-all [bug 1928915]

Comment 2 Fedora Update System 2021-02-16 23:10:59 UTC
FEDORA-2021-e062e195e1 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 3 Fedora Update System 2021-02-16 23:14:12 UTC
FEDORA-2021-7fa9dc84d4 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Riccardo Schirone 2021-02-22 15:00:23 UTC
This issue only becomes a real security flaw when there is already another flaw in a web application, that for example allows XSS or similar. Otherwise, even if the cache might return different results, users would not be impacted by this from a security point of view. However, it is better to have the proxy (implementing the cache) and the server in sync with regards to parsing HTTP responses.

Comment 6 Riccardo Schirone 2021-02-22 16:16:19 UTC
External References:

https://snyk.io/vuln/SNYK-UPSTREAM-PYTHONCPYTHON-1074933

Comment 8 Riccardo Schirone 2021-02-22 16:28:23 UTC
Created python-django tracking bugs for this issue:

Affects: epel-all [bug 1931539]
Affects: fedora-all [bug 1931542]


Created python-django16 tracking bugs for this issue:

Affects: epel-all [bug 1931540]


Created python-django3 tracking bugs for this issue:

Affects: epel-all [bug 1931541]

Comment 10 Yadnyawalk Tale 2021-02-24 09:25:34 UTC
Related fixes for python-django also released in:
* Django 3.2b1
* Django 3.1.7
* Django 3.0.13
* Django 2.2.19

Comment 12 Anten Skrabec 2021-02-25 00:49:38 UTC
Created python-django tracking bugs for this issue:

Affects: openstack-rdo [bug 1932703]

Comment 21 Petr Viktorin 2021-03-02 09:41:09 UTC
> The default for the proxy is to accept only "&" parameter separator in URLs, but the
> default of Python in the affected versions was to also accept ";" as a URL parameter
> separator. Therefore the default configuration of Python and the proxy can lead to
> Web Cache Poisoning and leak sensitive data.

The issue is that this is only the default for *some* proxies, not all. To fix the CVE,
the behavior needs to match in both the application and in any & all proxies used, which
might all come from different vendors.

Comment 23 Petr Viktorin 2021-03-02 15:52:07 UTC
The upstream fix breaks backwards compatibility, which we want to avoid in RHEL. Especially since there are applications that use the ';' separator -- the proper fix for those would be to configure both the proxy and the app to use ';'.
So, here is our current plan about what to do:

- Python 3.9:
  Use the upstream behavior (split only on '&' by default, pass separator=';' to split on ';', no option to split on both).
  This should be a 0-day update. The python39 module isn't released yet, so there's no compatibility break.

- Python 3.8: 
  - backport the `separator` argument, so users can choose to split either on '&' or on ';' explicitly
  - default changes to upstream (only split on '&')
  - by setting an environment variable, you can restore the old behavior (split on both '&' or ';' by default) or choose to split on ';' by default.

- Python 3.6 and 2.7:
  - backport the `separator` argument, so users can choose to split either on '&' or on ';' explicitly
  - by setting an environment variable, you can choose the default separator ('&', ';', or both)
  - if the variable is not set, the default stays as in older versions (split on both '&' and ';')
  - if the variable is not set AND `separator` is not given AND the input includes ';', trigger a warning about the unsafe behavior. Ideally, link to a KB article in the warning.

The environment variable would be:
  PYTHON_URLLIB_QS_SEPARATOR=unsafe
  PYTHON_URLLIB_QS_SEPARATOR=';'
  PYTHON_URLLIB_QS_SEPARATOR='&'
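The policy sketched in the plan above (explicit `separator` argument first, then the environment variable, then the legacy default with a warning), written out as a small wrapper around `urllib.parse.parse_qs`. This is an added illustration of the plan, not the patch Red Hat shipped: the function names `resolve_separator` and `parse_query`, the warning text and the use of `RuntimeWarning` are assumptions; only the variable name and its three values come from the comment. It assumes a Python whose `parse_qs` accepts `separator=`.

```python
"""Added example: separator policy for parse_qs following the RHEL plan
(argument > PYTHON_URLLIB_QS_SEPARATOR > legacy default with a warning)."""
import os
import warnings
from urllib.parse import parse_qs

ENV_VAR = "PYTHON_URLLIB_QS_SEPARATOR"  # name and values taken from the plan


def resolve_separator(query, separator=None, env=None):
    """Return (separator, warn) where separator is '&', ';' or 'both'.
    warn is True only when the legacy both-separators default is applied
    implicitly (variable unset, no argument) to a query containing ';'."""
    if separator is not None:
        if separator not in ("&", ";"):
            raise ValueError("separator must be '&' or ';'")
        return separator, False
    env = os.environ if env is None else env
    policy = env.get(ENV_VAR)
    if policy is None:
        # Python 3.6 / 2.7 branch of the plan: keep the old default, warn.
        return "both", ";" in query
    if policy == "unsafe":
        return "both", False
    if policy in ("&", ";"):
        return policy, False
    raise ValueError(f"unsupported {ENV_VAR} value: {policy!r}")


def parse_query(query, separator=None, env=None):
    """parse_qs with the separator chosen by resolve_separator().
    env is a mapping for testing; None means os.environ."""
    sep, warn = resolve_separator(query, separator, env)
    if warn:
        warnings.warn(
            f"{ENV_VAR} is unset and the query contains ';'; splitting on "
            "both '&' and ';' may disagree with a proxy that splits on '&' "
            "only (CVE-2021-23336). Pass separator= or set the variable.",
            RuntimeWarning, stacklevel=2)
    if sep == "both":
        # Legacy behaviour: ';' and '&' were interchangeable separators,
        # which is exactly what treating ';' as '&' reproduces.
        return parse_qs(query.replace(";", "&"), separator="&")
    return parse_qs(query, separator=sep)


if __name__ == "__main__":
    q = "a=1;b=2&c=3"   # constructed input mixing both separators
    for env in ({}, {ENV_VAR: "&"}, {ENV_VAR: ";"}, {ENV_VAR: "unsafe"}):
        print(env.get(ENV_VAR, "<unset>"), "->", parse_query(q, env=env))
    print("explicit '&' ->", parse_query(q, separator="&", env={ENV_VAR: "unsafe"}))
```

Note that a query string that uses both separators is itself the thing to avoid: once the proxy and the application are configured for the same single separator, only one of the parses above is the "right" one, and the `unsafe` value exists purely to keep old applications running while that is sorted out.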

Comment 32 Petr Viktorin 2021-03-05 14:34:29 UTC
> An alternative to "unsafe" would be to accept "&;" and ";&".  A concern with "unsafe" is that it's only unsafe in certain specific configurations.

Sure, but if future versions of Python fix the CVE by not accepting both separators at all, I'd rather push people toward selecting just one.


> Should the warning be emitted only when you try to parse a query string with a semicolon?

There's a balance between that and spamming warnings all the time. I don't know which would be better.

Comment 33 Petr Viktorin 2021-03-05 14:52:10 UTC
Tomáš raised one more consideration: should the default be configurable with a config file, rather than just an environment variable.
That way, we could make CVE scanners satisfied that the issue is mitigated across a system.

Would that be useful?

Comment 36 Anten Skrabec 2021-03-09 18:53:04 UTC
Statement:

Red Hat Ceph Storage (RHCS) 3 ships an older version of python-django without the directly affected function, but which is still vulnerable to a similar attack involving the semicolon separator. Hence, impact has been rated as low.
Although Red Hat OpenStack Platform 13 & 16.1 both ship the affected code, since the proxy is controlled and configured by OpenStack, the impact has been lowered to low. As a fix would require a substantial effort or commitment of time, no fix will be provided at this time.

