Bug 1789807 (CVE-2019-16789) - CVE-2019-16789 waitress: HTTP Request Smuggling through Invalid whitespace characters in headers
Summary: CVE-2019-16789 waitress: HTTP Request Smuggling through Invalid whitespace ch...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16789
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1789809 1789810 1790771 1790772 1790774 1790780 1791027 1791028
Blocks: 1789811
TreeView+ depends on / blocked
 
Reported: 2020-01-10 13:38 UTC by Pedro Sampaio
Modified: 2021-02-16 20:47 UTC (History)
18 users (show)

Fixed In Version: waitress 1.4.1
Doc Type: If docs needed, set a value
Doc Text:
An HTTP-interpretation flaw was found in waitress, through version 1.4.0. If a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server, an HTTP request splitting could occur which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. The highest threat from this vulnerability is data integrity.
Clone Of:
Environment:
Last Closed: 2020-03-05 16:31:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0720 0 None None None 2020-03-05 11:58:08 UTC
Red Hat Product Errata RHSA-2021:0420 0 None None None 2021-02-04 16:14:28 UTC

Description Pedro Sampaio 2020-01-10 13:38:49 UTC 
In Waitress through version 1.4.0, if a proxy server is used in front of waitress, an invalid request may be sent by an attacker that bypasses the front-end and is parsed differently by waitress leading to a potential for HTTP request smuggling. Specially crafted requests containing special whitespace characters in the Transfer-Encoding header would get parsed by Waitress as being a chunked request, but a front-end server would use the Content-Length instead as the Transfer-Encoding header is considered invalid due to containing invalid characters. If a front-end server does HTTP pipelining to a backend Waitress server this could lead to HTTP request splitting which may lead to potential cache poisoning or unexpected information disclosure. This issue is fixed in Waitress 1.4.1 through more strict HTTP field validation. 

Upstream patch:

https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017

References:

https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
Comment 1 Pedro Sampaio 2020-01-10 13:39:18 UTC 
Created python-waitress tracking bugs for this issue:

Affects: epel-all [bug 1789810]
Affects: fedora-all [bug 1789809]
Comment 2 Summer Long 2020-01-14 06:11:49 UTC 
External References:

https://docs.pylonsproject.org/projects/waitress/en/latest/#id2
Comment 6 Jason Shepherd 2020-01-14 07:23:17 UTC 
While Red Hat Quay declares a dependency on python-waitress, it doesn't appear to be used in the code. Setting the impact to low for Red Hat Quay. It may be fixed in a future version.
Comment 8 Summer Long 2020-01-14 07:25:27 UTC 
Created python-waitress tracking bugs for this issue:

Affects: openstack-rdo [bug 1790780]
Comment 14 errata-xmlrpc 2020-03-05 11:57:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 15.0 (Stein)

Via RHSA-2020:0720 https://access.redhat.com/errata/RHSA-2020:0720
Comment 15 Product Security DevOps Team 2020-03-05 16:31:54 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16789
Comment 16 Summer Long 2021-01-14 05:43:15 UTC 
Statement:

All affected Red Hat products ship but do not use the flawed version of python-waitress. The impact for these products is therefore rated as having a security impact of Low.

For Red Hat OpenStack Platform 13,  because the flaw has a lower impact and  the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP13 python-waitress package.
Comment 17 errata-xmlrpc 2021-02-04 16:14:26 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420
Note You need to log in before you can comment on or make changes to this bug.