Bug 1886587 (CVE-2020-13956) - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
Summary: CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936848 1887784 1887785 1887786 1887787 1887788 1936847 1936849 1936850 1936851 2052905
Blocks: 1886588
TreeView+ depends on / blocked
 
Reported: 2020-10-08 20:10 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-10 13:54 UTC (History)
101 users (show)

Fixed In Version: httpclient 4.5.13, httpclient 5.0.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-12 18:27:39 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0084 0 None None None 2021-01-12 16:43:32 UTC
Red Hat Product Errata RHSA-2021:0246 0 None None None 2021-01-25 16:29:08 UTC
Red Hat Product Errata RHSA-2021:0247 0 None Waiting on Red Hat Hostgroup deletion breaks openscap 2022-05-26 16:53:11 UTC
Red Hat Product Errata RHSA-2021:0248 0 None None None 2021-01-25 16:38:27 UTC
Red Hat Product Errata RHSA-2021:0250 0 None None None 2021-01-25 16:19:26 UTC
Red Hat Product Errata RHSA-2021:0327 0 None None None 2021-02-01 18:56:36 UTC
Red Hat Product Errata RHSA-2021:0603 0 None None None 2021-02-17 13:40:27 UTC
Red Hat Product Errata RHSA-2021:0811 0 None None None 2021-03-11 17:50:02 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:23:27 UTC
Red Hat Product Errata RHSA-2021:3700 0 None None None 2021-09-30 09:57:43 UTC
Red Hat Product Errata RHSA-2021:4100 0 None None None 2021-11-02 12:42:42 UTC
Red Hat Product Errata RHSA-2022:0722 0 None None None 2022-03-01 14:18:39 UTC
Red Hat Product Errata RHSA-2022:1860 0 None None None 2022-05-10 13:54:13 UTC
Red Hat Product Errata RHSA-2022:1861 0 None None None 2022-05-10 13:54:35 UTC

Description Guilherme de Almeida Suckevicz 2020-10-08 20:10:15 UTC
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Comment 1 Ted Jongseok Won 2020-10-09 05:01:42 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3
 * Red Hat Data Grid 7
 * Red Hat JBoss AMQ 6
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Jonathan Christison 2020-10-12 14:23:08 UTC
Red Hat AMQ 7 has a low impact, although Artemis uses and distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods

Comment 11 Jonathan Christison 2020-10-12 14:56:59 UTC
Red Hat AMQ Streams has a low impact, although the Kafka cruise control uses and distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods

Comment 13 Jonathan Christison 2020-10-12 15:12:27 UTC
Red Hat Integration Camel K has a low impact, although Camel K distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods

Comment 15 Jonathan Christison 2020-10-12 15:26:01 UTC
Red Hat Integration Service Registry has a low impact, although Apicurio-registry distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods

Comment 18 Chess Hazlett 2020-10-12 21:01:17 UTC
External References:

https://www.openwall.com/lists/oss-security/2020/10/08/4

Comment 24 errata-xmlrpc 2021-01-12 16:43:30 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.7.6

Via RHSA-2021:0084 https://access.redhat.com/errata/RHSA-2021:0084

Comment 25 Product Security DevOps Team 2021-01-12 18:27:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13956

Comment 26 errata-xmlrpc 2021-01-25 16:19:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250

Comment 27 errata-xmlrpc 2021-01-25 16:29:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246

Comment 28 errata-xmlrpc 2021-01-25 16:33:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247

Comment 29 errata-xmlrpc 2021-01-25 16:38:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248

Comment 30 errata-xmlrpc 2021-02-01 18:57:16 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.5

Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327

Comment 32 errata-xmlrpc 2021-02-17 13:40:23 UTC
This issue has been addressed in the following products:

  RHDM 7.10.0

Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603

Comment 34 errata-xmlrpc 2021-03-11 17:49:57 UTC
This issue has been addressed in the following products:

  Red Hat Integration - Camel K - Tech-Preview 3

Via RHSA-2021:0811 https://access.redhat.com/errata/RHSA-2021:0811

Comment 36 Cedric Buissart 2021-03-29 08:39:59 UTC
Statement:

In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.
In OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.

In the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.

Comment 37 errata-xmlrpc 2021-03-30 16:31:20 UTC
This issue has been addressed in the following products:

  RHPAM 7.10.1

Via RHSA-2021:1044 https://access.redhat.com/errata/RHSA-2021:1044

Comment 41 errata-xmlrpc 2021-08-11 18:23:21 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 42 errata-xmlrpc 2021-09-30 09:57:38 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700

Comment 44 errata-xmlrpc 2021-11-02 12:42:38 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.0.2 GA

Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100

Comment 45 errata-xmlrpc 2022-03-01 14:18:34 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0722 https://access.redhat.com/errata/RHSA-2022:0722

Comment 46 errata-xmlrpc 2022-05-10 13:54:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1860 https://access.redhat.com/errata/RHSA-2022:1860

Comment 47 errata-xmlrpc 2022-05-10 13:54:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1861 https://access.redhat.com/errata/RHSA-2022:1861


Note You need to log in before you can comment on or make changes to this bug.