A vulnerability was found in curl, where libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious server can use this in rare unfortunate circumstances to potentially reach remote code execution in the client.
Upstream advisory notes that this issue affects curl versions using OpenSSL (or its forks BoringSSL or libressl) as TLS backend. It also requires the use of curl's "multi" interface. Upstream also notes that this issue was only introduced recently, in version 7.75.0 via this commit: https://github.com/curl/curl/commit/a304051620b92 This issue only affects versions 7.75.0 to 7.76.1, which are not included in any current version of Red Hat Enterprise Linux or Red Hat Software Collections.
Fedora 34 is currently the only Fedora version shipping an affected upstream curl version. Fedora 33 and earlier use versions prior to the first affected 7.75.0.
RHCS 2 ships curl-7.29.0-32, which is not affected.
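As an added triage helper (not part of this bug report or of the curl project), the following POSIX shell function applies the two conditions the comments above name: a libcurl version in the 7.75.0 to 7.76.1 range and an OpenSSL-family TLS backend (OpenSSL, BoringSSL or LibreSSL). It takes the first line of `curl --version` output as its argument; the banner strings in the usage section are constructed samples, not captured output. Whether the application actually uses the "multi" interface cannot be read from the banner and still has to be checked separately.

```shell
#!/bin/sh
# Added triage helper: classify a `curl --version` banner against the
# affected range for CVE-2021-22901 (7.75.0 through 7.76.1) and the
# OpenSSL-family backend requirement. Not code from the bug or from curl.

# version_key X.Y[.Z] -> integer that sorts like the dotted version
# (7.76.1 -> 7076001), so ranges can be compared with plain test(1).
version_key() {
    _major=${1%%.*}
    _rest=${1#*.}
    _minor=${_rest%%.*}
    case "$_rest" in
        *.*) _patch=${_rest#*.} ;;
        *)   _patch=0 ;;
    esac
    echo $(( _major * 1000000 + _minor * 1000 + _patch ))
}

# is_affected BANNER
# BANNER is the first line of `curl --version`, e.g. (constructed sample)
#   "curl 7.76.0 (x86_64-pc-linux-gnu) libcurl/7.76.0 OpenSSL/1.1.1k zlib/1.2.11"
# Returns 0 when the libcurl version is within 7.75.0..7.76.1 AND the TLS
# backend token is OpenSSL, BoringSSL or LibreSSL; returns 1 otherwise.
is_affected() {
    banner=$1
    # The libcurl/X.Y.Z token is the library version, which is what matters
    # here; the leading "curl X.Y.Z" is only the command-line tool.
    libver=$(printf '%s\n' "$banner" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$libver" ] || return 1
    key=$(version_key "$libver")
    lo=$(version_key 7.75.0)
    hi=$(version_key 7.76.1)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ] || return 1
    case "$banner" in
        *OpenSSL/*|*BoringSSL*|*LibreSSL/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on the running system: feed the first line of the real banner.
if [ -z "$CVE_TRIAGE_NO_MAIN" ]; then
    banner=$(curl --version 2>/dev/null | head -n 1)
    if [ -n "$banner" ]; then
        if is_affected "$banner"; then
            echo "libcurl in the affected version range with an OpenSSL-family backend: $banner"
        else
            echo "not in the affected range / backend: $banner"
        fi
    fi
fi
```

The version comparison is done numerically rather than with string matching so that 7.76.1 is correctly treated as inside the range and 7.77.0 outside it; a backend such as NSS or GnuTLS (which is what RHEL builds of curl use) returns "not affected" even when the version matches.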
Created curl tracking bugs for this issue: Affects: fedora-all [bug 1964815]
Public now via upstream advisory: https://curl.se/docs/CVE-2021-22901.html Upstream commit: https://github.com/curl/curl/commit/7f4a9a9b2a49547eae24d2e19bc5c346e9026479
HackerOne report: https://hackerone.com/reports/1180380
This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.37 SP8 Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services for RHEL 8 Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22901