Bug 1550671 (CVE-2018-1067) - CVE-2018-1067 undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of CVE-2016-4993)
Status: CLOSED ERRATA
Alias: CVE-2018-1067
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180425:1751,...
Keywords: Security
Depends On: 1592645 1592647 1591095 1592646 1705077 1705078
Blocks: 1550674
Reported: 2018-03-01 18:45 UTC by Laura Pardo
Modified: 2019-06-12 12:00 UTC (History)

Doc Text: It was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
Clone Of:
Last Closed: 2019-06-08 03:41:56 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1247 None None None 2018-04-25 18:25 UTC
Red Hat Product Errata RHSA-2018:1248 None None None 2018-04-25 18:23 UTC
Red Hat Product Errata RHSA-2018:1249 None None None 2018-04-25 18:37 UTC
Red Hat Product Errata RHSA-2018:1251 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.2 security update 2018-04-25 23:43:26 UTC
Red Hat Product Errata RHSA-2018:2643 None None None 2018-09-04 13:45 UTC
Red Hat Product Errata RHSA-2019:0877 None None None 2019-04-24 18:46 UTC

Description Laura Pardo 2018-03-01 18:45:08 UTC
A flaw was reported in WildFly 12.0.0.CR1: the web server is vulnerable to the injection of arbitrary HTTP headers due to insufficient sanitisation and validation of user-supplied UTF-8 encoded input before it is used as part of an HTTP header value.

Although there is protection against CRLF injection by detecting the presence of a newline character (0x0a), it can be bypassed using characters encoded in UTF-8, as the page will try to convert them back to the original Unicode form and extract the last byte.
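
As an added illustration of the flaw class this report describes (example code, not code from Undertow, WildFly or the reporter), the following Python models the two steps involved: a check that only looks for a literal newline in the string, and a later lossy conversion that keeps the low byte of each character, beside a check that validates the value against the RFC 7230 field-value grammar before it is used. All function names and the sample values are constructed for this illustration.

```python
import re

CR, LF = 0x0D, 0x0A

# RFC 7230 field-value characters: HTAB, SP, VCHAR (0x21-0x7E) and obs-text
# (0x80-0xFF). Matched against code points, so anything above U+00FF, and
# every control character, is rejected before the value is ever encoded.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def naive_check(value: str) -> bool:
    """The insufficient check: looks only for literal CR/LF characters."""
    return "\r" not in value and "\n" not in value


def lossy_emit(value: str) -> bytes:
    """Models writing a header value by keeping the low byte of each
    character (what a Java (byte) c cast does); this is the lossy step
    that can turn a non-ASCII character into 0x0A on the wire."""
    return bytes(ord(c) & 0xFF for c in value)


def wire_has_line_break(wire: bytes) -> bool:
    """True if the bytes actually sent contain CR or LF."""
    return CR in wire or LF in wire


def hardened_check(value: str) -> bool:
    """Reject any value outside the RFC 7230 field-value grammar."""
    return _FIELD_VALUE.fullmatch(value) is not None


def evaluate(value: str) -> dict:
    """Compare both checks against what would really reach the wire."""
    return {
        "naive_accepts": naive_check(value),
        "hardened_accepts": hardened_check(value),
        "wire_has_line_break": wire_has_line_break(lossy_emit(value)),
    }


# Constructed samples: a benign value, a literal newline, and a value whose
# only unusual character is U+010A, which the naive check does not see
# but whose low byte is 0x0A after lossy emission.
SAMPLES = {
    "benign": "text/html; charset=utf-8",
    "literal_lf": "a\nInjected: 1",
    "truncated_lf": "a\u010aInjected: 1",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, evaluate(value))
```

The hardened check validates code points rather than the string's encoded form, so no later byte conversion can introduce a control character that the check did not see.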

Comment 1 Bharti Kundal 2018-03-06 00:54:55 UTC
Acknowledgments:

Name: Ammarit Thongthua (Deloitte Thailand Pentest team), Nattakit Intarasorn (Deloitte Thailand Pentest team)

Comment 4 errata-xmlrpc 2018-04-25 18:22:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1248 https://access.redhat.com/errata/RHSA-2018:1248

Comment 5 errata-xmlrpc 2018-04-25 18:25:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2018:1247 https://access.redhat.com/errata/RHSA-2018:1247

Comment 6 errata-xmlrpc 2018-04-25 18:36:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2018:1249 https://access.redhat.com/errata/RHSA-2018:1249

Comment 7 errata-xmlrpc 2018-04-25 19:45:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:1251 https://access.redhat.com/errata/RHSA-2018:1251

Comment 11 Doran Moppert 2018-06-19 03:57:42 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1592646]


Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1592647]


Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1592645]

Comment 12 errata-xmlrpc 2018-09-04 13:44:55 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643

Comment 14 errata-xmlrpc 2019-04-24 18:46:43 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:0877 https://access.redhat.com/errata/RHSA-2019:0877
