Bug 2082387 (CVE-2022-29167) - CVE-2022-29167 hawk: REDoS in hawk.utils.parseHost() when parsing Host header
Summary: CVE-2022-29167 hawk: REDoS in hawk.utils.parseHost() when parsing Host header
Keywords:
Status: NEW
Alias: CVE-2022-29167
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2082456 2082457 2082458 2082459 2082460 2082461 2082462 2082463 2082464 2082465 2082466 2108426 2108427 2108428 2108429 2108430 2108431 2108432 2108433 2108434 2108435 2108436 2108437 2108438 2109683
Blocks: 2082386
Reported: 2022-05-06 01:33 UTC by Todd Cullum
Modified: 2024-02-16 15:23 UTC (History)
CC: 41 users

Fixed In Version: hawk 9.0.1
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service (ReDoS) was found in Hawk in its header parsing functionality. The issue arises from inadequate input validation in the Hawk.utils.parseHost() function when processing untrusted input with regular expressions. This flaw allows an attacker to send a specially crafted HTTP header to initiate a ReDoS attack.
Clone Of:
Environment:
Last Closed:
Embargoed:
Description Todd Cullum 2022-05-06 01:33:56 UTC
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those are used instead of a call to `utils.parseHost()`.

https://github.com/mozilla/hawk/pull/286
https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
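The description above explains the fix direction (parse the `Host` header with the built-in `URL` class rather than a regular expression) and the `options.host`/`options.port` bypass. The following is an added illustration of that approach, written for this page; it is not Hawk's own `parseHost()` or `authenticate()` code, and `resolveHost`, the `maxLen` cap and the sample requests are assumptions made for the example.

```javascript
// Added example (not Hawk's own code): parse a Host header with the built-in URL
// class instead of a regular expression, the approach the 9.0.1 fix is described
// as taking. URL parsing runs in time linear in the input, so no crafted header
// can make it take exponentially long. Returns { name, port } or null on invalid input.
function parseHost(hostHeader, scheme = 'http', maxLen = 255) {
  if (typeof hostHeader !== 'string') return null;
  const value = hostHeader.trim();
  // Cheap bound on work before any parsing (assumed cap; hostnames fit in 255 bytes).
  if (value.length === 0 || value.length > maxLen) return null;
  let url;
  try {
    url = new URL(`${scheme}://${value}/`); // throws TypeError on a malformed authority
  } catch (_) {
    return null;
  }
  // A value such as "example.com/x", "a@b.com" or "example.com?q" still parses, but
  // only by pushing part of it out of the authority; treat that as invalid input.
  if (url.pathname !== '/' || url.search || url.hash || url.username || url.password) {
    return null;
  }
  const defaultPort = scheme === 'https' ? 443 : 80;
  return {
    name: url.hostname,                              // lower-cased; IPv6 keeps its brackets
    port: url.port ? Number(url.port) : defaultPort, // url.port is '' when it is the default
  };
}

// Hypothetical helper mirroring the behaviour the description attributes to
// Hawk.authenticate(): when the caller supplies host and port in options, the
// Host header is never parsed at all.
function resolveHost(req, options = {}) {
  if (options.host && options.port) {
    return { name: options.host, port: options.port };
  }
  return parseHost(req.headers.host, options.scheme || 'http');
}

// Constructed sample requests, not captured traffic.
const good = { headers: { host: 'Api.Example.com:8443' } };
const odd = { headers: { host: 'example.com/../admin' } };
console.log(resolveHost(good, { scheme: 'https' }));               // { name: 'api.example.com', port: 8443 }
console.log(resolveHost(odd));                                     // null
console.log(resolveHost(odd, { host: 'example.com', port: 443 })); // { name: 'example.com', port: 443 }
```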

Comment 1 Avinash Hanwate 2022-05-06 08:12:50 UTC
Created couchdb tracking bugs for this issue:

Affects: fedora-all [bug 2082457]


Created dotnet3.1 tracking bugs for this issue:

Affects: fedora-all [bug 2082458]


Created firefox tracking bugs for this issue:

Affects: fedora-all [bug 2082459]


Created icecat tracking bugs for this issue:

Affects: fedora-all [bug 2082460]


Created mozjs68 tracking bugs for this issue:

Affects: fedora-all [bug 2082461]


Created mozjs78 tracking bugs for this issue:

Affects: fedora-all [bug 2082462]


Created mozjs91 tracking bugs for this issue:

Affects: fedora-all [bug 2082466]


Created seamonkey tracking bugs for this issue:

Affects: epel-8 [bug 2082456]
Affects: fedora-all [bug 2082463]


Created thunderbird tracking bugs for this issue:

Affects: fedora-all [bug 2082464]


Created yarnpkg tracking bugs for this issue:

Affects: fedora-all [bug 2082465]

Comment 3 Dmitry Butskoy 2022-05-11 22:41:10 UTC
Looking at the header of https://hg.mozilla.org/releases/mozilla-release/file/tip/services/common/hawkclient.js, it seems to be another hawk implementation, just mentioning an ancient "https://github.com/hueniverse/hawk" link, and it does not have any regexp code for the host parsing.

IOW, it seems that even the current upstream Firefox still uses its own hawk implementation, which is not yet affected by the issue, since it does not use any regexp for host parsing yet.
