Bug 1702473 (CVE-2019-11324) - CVE-2019-11324 python-urllib3: Certification mishandle when error should be thrown
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11324
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1702474 1702475 1706026 1706765 1707999 1708000 1708001 1708002 1708113 1724437 1724438 1774595 1774601 1774602 1774603 1778099 1805084 1805085 1822422 1822423
Blocks: 1702476
Reported: 2019-04-23 21:20 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC (History)

Fixed In Version: urllib3 1.24.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-06 00:52:34 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3335 0 None None None 2019-11-05 20:38:18 UTC
Red Hat Product Errata RHSA-2019:3590 0 None None None 2019-11-05 21:16:23 UTC
Red Hat Product Errata RHSA-2020:0850 0 None None None 2020-03-17 16:18:33 UTC
Red Hat Product Errata RHSA-2020:1605 0 None None None 2020-04-28 15:29:27 UTC
Red Hat Product Errata RHSA-2020:1916 0 None None None 2020-04-28 16:08:53 UTC
Red Hat Product Errata RHSA-2020:2068 0 None None None 2020-05-12 18:37:55 UTC

Description Pedro Sampaio 2019-04-23 21:20:29 UTC
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.

Upstream patch:

https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4

References:

https://www.openwall.com/lists/oss-security/2019/04/17/3

Comment 1 Pedro Sampaio 2019-04-23 21:20:48 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1702474]


Created python3-urllib3 tracking bugs for this issue:

Affects: epel-all [bug 1702475]

Comment 11 Nick Tait 2019-05-08 22:56:27 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: openstack-rdo [bug 1707999]

Comment 15 Hardik Vyas 2019-05-09 07:33:04 UTC
External References:

https://www.openwall.com/lists/oss-security/2019/04/17/3

Comment 18 Doran Moppert 2019-06-27 06:19:37 UTC
Created python-urllib3 tracking bugs for this issue:

Affects: fedora-all [bug 1724437]

Comment 20 errata-xmlrpc 2019-11-05 20:38:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3335 https://access.redhat.com/errata/RHSA-2019:3335

Comment 21 errata-xmlrpc 2019-11-05 21:16:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3590 https://access.redhat.com/errata/RHSA-2019:3590

Comment 22 Product Security DevOps Team 2019-11-06 00:52:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11324

Comment 23 Tomas Hoger 2019-11-20 14:09:21 UTC
The automatic unconditional loading of system CA certificates was added in version 1.17 via this commit:

https://github.com/urllib3/urllib3/commit/0d06f4e9a320e9d39fbedc4e9ff0d1cf8622a965

The upstream patch linked in comment 0 also includes changes other than the fix for this issue. The part relevant to this CVE is:

https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1#diff-7c9a38cd64066636d0e73a2449a28640L330
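The description in comment 0 and comment 23 above describe the decision at the heart of this CVE: since 1.17 urllib3 loaded the OS CA store into the context unconditionally, and before 1.24.2 it did so even when the caller had passed its own `ssl_context` built to trust only a private CA. The block below is an added, constructed illustration of that decision (not urllib3's code); `apply_ca_settings`, `RecordingContext`, `trust_sources` and `loaded_ca_count` are names chosen here, and the `fixed` switch exists only to compare the vulnerable and patched branches side by side.

```python
"""Constructed illustration of the CA-loading decision behind CVE-2019-11324.
Not urllib3's code: it mirrors the shape of the CA handling described in the
bug and its fix, with a `fixed` switch so the pre-1.24.2 and patched
decisions can be compared without a network connection."""
import ssl


def apply_ca_settings(ssl_context=None, ca_certs=None, ca_cert_dir=None,
                      fixed=True, new_context=None):
    """Return a context with CA material loaded the way urllib3 decides it.

    fixed=False reproduces the vulnerable decision: a caller-supplied
    ssl_context that carries no ca_certs/ca_cert_dir gets the OS store
    appended, so a context built to trust only a private CA silently also
    trusts every system CA.  fixed=True leaves a caller-built context alone.
    """
    if ssl_context is not None:
        context = ssl_context
    elif new_context is not None:
        context = new_context()
    else:
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_certs or ca_cert_dir:
        context.load_verify_locations(ca_certs, ca_cert_dir)
    elif (ssl_context is None or not fixed) and hasattr(context, "load_default_certs"):
        context.load_default_certs()
    return context


class RecordingContext:
    """Constructed stand-in for ssl.SSLContext that only records what was loaded."""

    def __init__(self):
        self.sources = []

    def load_verify_locations(self, cafile=None, capath=None):
        self.sources.append("explicit")

    def load_default_certs(self):
        self.sources.append("os-store")


def trust_sources(caller_supplies_context, fixed, ca_certs=None):
    """Which trust sources end up in the context for a given call shape."""
    if caller_supplies_context:
        # The caller built a context that already trusts only its private CA.
        ctx = apply_ca_settings(ssl_context=RecordingContext(), ca_certs=ca_certs, fixed=fixed)
    else:
        ctx = apply_ca_settings(ca_certs=ca_certs, fixed=fixed, new_context=RecordingContext)
    return ctx.sources


def loaded_ca_count(context):
    """Audit helper: how many CA certificates a real ssl.SSLContext trusts."""
    return len(context.get_ca_certs())
```

`loaded_ca_count` is the check a deployer can run on a context intended to trust only a private CA: a count far larger than the private bundle means the OS store was merged in.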

Comment 24 Tomas Hoger 2019-11-20 14:20:29 UTC
Created python-pip tracking bugs for this issue:

Affects: fedora-all [bug 1774595]

Comment 26 Tomas Hoger 2019-11-29 10:23:40 UTC
Created python-virtualenv tracking bugs for this issue:

Affects: fedora-30 [bug 1778099]

Comment 27 errata-xmlrpc 2020-03-17 16:18:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0850 https://access.redhat.com/errata/RHSA-2020:0850

Comment 29 errata-xmlrpc 2020-04-28 15:29:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1605 https://access.redhat.com/errata/RHSA-2020:1605

Comment 30 errata-xmlrpc 2020-04-28 16:08:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1916 https://access.redhat.com/errata/RHSA-2020:1916

Comment 31 errata-xmlrpc 2020-05-12 18:37:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2068 https://access.redhat.com/errata/RHSA-2020:2068

Comment 35 Przemyslaw Roguski 2020-11-30 16:09:09 UTC
Mitigation:

The urllib3 package is used by elastic-curator, which is deployed in the ose-logging-curator, and used by the optional logging feature in OpenShift Container Platform (OCP). Therefore OCP 3.11 users can mitigate this issue by not deploying and using the Curator logging feature.

In OCP 4 urllib3 is also used by several Ansible Playbook images built with the Operator SDK and available for installation in OCP 4, including openshift-enterprise-ansible-operator and ose-metering-ansible-operator. Therefore those operators should not be deployed in order to mitigate this issue in OCP 4.

Comment 36 Nick Tait 2020-12-19 20:41:17 UTC
Statement:

This issue did not affect the versions of python-urllib3 as shipped with Red Hat Enterprise Linux 6 and 7, as the older code shipped there did not load the system certificates.

Red Hat Satellite 6.2 is on Maintenance Support 2 phase, hence only selected Critical and Important issues will be fixed. Please refer to Red Hat Satellite Product Life Cycle page for more information.

In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-urllib3 package.

