Bug 1964904 (CVE-2021-22897) - CVE-2021-22897 curl: Cipher settings shared for all connections when using schannel TLS backend
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-22897
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1964912
Reported: 2021-05-26 10:04 UTC by msiddiqu
Modified: 2021-06-10 21:03 UTC (History)

Fixed In Version: curl 7.77.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in curl where libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS, etc. Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-06-09 15:05:50 UTC
Embargoed:



Description msiddiqu 2021-05-26 10:04:24 UTC
libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc. Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
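
The defect described above, modelled as an added example that is not curl's code and not part of this report: a hypothetical transfer handle whose cipher list is stored in one library-wide static buffer (the bug) beside the same handle storing it per transfer (the fix), with two concurrent transfers showing that the last caller's weaker suite silently overrides the first caller's strict one. The cipher-suite strings are constructed sample values.

```c
/* Added example (not curl's code): a minimal model of the CVE-2021-22897 defect.
 * A per-transfer setting kept in library-wide static storage is silently shared by
 * every transfer; the fix keeps it in the per-transfer struct. */
#include <stdio.h>
#include <string.h>
#define CIPHER_MAX 64

/* Hypothetical transfer handle; only the cipher list is modelled. */
struct transfer {
    char cipher_list[CIPHER_MAX];   /* per-transfer storage (the fix) */
};

/* BUGGY: one static buffer shared by all transfers, as in the vulnerable backend. */
static char g_cipher_list[CIPHER_MAX];

static void buggy_set_ciphers(struct transfer *t, const char *list) {
    (void)t;                       /* the handle is ignored: that is the bug */
    snprintf(g_cipher_list, sizeof g_cipher_list, "%s", list);
}
static const char *buggy_ciphers_for_handshake(const struct transfer *t) {
    (void)t;
    return g_cipher_list;
}

/* FIXED: the list lives in the handle that set it. */
static void fixed_set_ciphers(struct transfer *t, const char *list) {
    snprintf(t->cipher_list, sizeof t->cipher_list, "%s", list);
}
static const char *fixed_ciphers_for_handshake(const struct transfer *t) {
    return t->cipher_list;
}

/* Two concurrent transfers: A asks for a strict suite, then B asks for a weak one.
 * Returns 1 if A's handshake would still use the suite A asked for, 0 otherwise. */
static int transfer_a_keeps_its_ciphers(int use_fixed) {
    struct transfer a = {""}, b = {""};
    const char *strict = "TLS_AES_256_GCM_SHA384";        /* constructed sample values */
    const char *weak   = "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
    if (use_fixed) {
        fixed_set_ciphers(&a, strict); fixed_set_ciphers(&b, weak);
        return strcmp(fixed_ciphers_for_handshake(&a), strict) == 0;
    }
    buggy_set_ciphers(&a, strict); buggy_set_ciphers(&b, weak);
    return strcmp(buggy_ciphers_for_handshake(&a), strict) == 0;
}

int main(void) {
    printf("buggy: A keeps its ciphers? %d\n", transfer_a_keeps_its_ciphers(0)); /* 0 */
    printf("fixed: A keeps its ciphers? %d\n", transfer_a_keeps_its_ciphers(1)); /* 1 */
    return 0;
}
```

The same check applies to any other per-transfer option a backend caches in static storage: set it on two handles and confirm each handshake sees its own value.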

Comment 2 Tomas Hoger 2021-05-26 11:05:20 UTC
This issue does not affect the curl packages as shipped in Red Hat products, as it only affects curl versions built to use the schannel library as its TLS backend. Schannel is the native TLS library in Microsoft Windows.

Comment 3 Product Security DevOps Team 2021-06-09 15:05:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22897

Comment 4 Tomas Hoger 2021-06-10 21:03:42 UTC
HackerOne report:

https://hackerone.com/reports/1172857
