Bug 1886587 (CVE-2020-13956) - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
Summary: CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority c...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13956
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1887784 1887785 1887786 1887787 1887788 1936847 1936848 1936849 1936850 1936851 2052905
Blocks: 1886588
TreeView+ depends on / blocked
 
Reported: 2020-10-08 20:10 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-06-29 20:07 UTC (History)
103 users (show)

Fixed In Version: httpclient 4.5.13, httpclient 5.0.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-12 18:27:39 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0084 0 None None None 2021-01-12 16:43:32 UTC
Red Hat Product Errata RHSA-2021:0246 0 None None None 2021-01-25 16:29:08 UTC
Red Hat Product Errata RHSA-2021:0247 0 None Waiting on Red Hat Hostgroup deletion breaks openscap 2022-05-26 16:53:11 UTC
Red Hat Product Errata RHSA-2021:0248 0 None None None 2021-01-25 16:38:27 UTC
Red Hat Product Errata RHSA-2021:0250 0 None None None 2021-01-25 16:19:26 UTC
Red Hat Product Errata RHSA-2021:0327 0 None None None 2021-02-01 18:56:36 UTC
Red Hat Product Errata RHSA-2021:0603 0 None None None 2021-02-17 13:40:27 UTC
Red Hat Product Errata RHSA-2021:0811 0 None None None 2021-03-11 17:50:02 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:23:27 UTC
Red Hat Product Errata RHSA-2021:3700 0 None None None 2021-09-30 09:57:43 UTC
Red Hat Product Errata RHSA-2021:4100 0 None None None 2021-11-02 12:42:42 UTC
Red Hat Product Errata RHSA-2022:0722 0 None None None 2022-03-01 14:18:39 UTC
Red Hat Product Errata RHSA-2022:1860 0 None None None 2022-05-10 13:54:13 UTC
Red Hat Product Errata RHSA-2022:1861 0 None None None 2022-05-10 13:54:35 UTC
Red Hat Product Errata RHSA-2023:3954 0 None None None 2023-06-29 20:07:33 UTC

Description Guilherme de Almeida Suckevicz 2020-10-08 20:10:15 UTC 
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Comment 1 Ted Jongseok Won 2020-10-09 05:01:42 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Operations Network 3
 * Red Hat Data Grid 7
 * Red Hat JBoss AMQ 6
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 9 Jonathan Christison 2020-10-12 14:23:08 UTC 
Red Hat AMQ 7 has a low impact, although Artemis uses and distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods
Comment 11 Jonathan Christison 2020-10-12 14:56:59 UTC 
Red Hat AMQ Streams has a low impact, although the Kafka cruise control uses and distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods
Comment 13 Jonathan Christison 2020-10-12 15:12:27 UTC 
Red Hat Integration Camel K has a low impact, although Camel K distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods
Comment 15 Jonathan Christison 2020-10-12 15:26:01 UTC 
Red Hat Integration Service Registry has a low impact, although Apicurio-registry distributes vulnerable versions of the apache httpcomponents library it does not use the vulnerable `org.apache.http.client.utils.URIUtils` class or its methods
Comment 18 Chess Hazlett 2020-10-12 21:01:17 UTC 
External References:

https://www.openwall.com/lists/oss-security/2020/10/08/4
Comment 24 errata-xmlrpc 2021-01-12 16:43:30 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.7.6

Via RHSA-2021:0084 https://access.redhat.com/errata/RHSA-2021:0084
Comment 25 Product Security DevOps Team 2021-01-12 18:27:39 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13956
Comment 26 errata-xmlrpc 2021-01-25 16:19:22 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250
Comment 27 errata-xmlrpc 2021-01-25 16:29:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246
Comment 28 errata-xmlrpc 2021-01-25 16:33:42 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247
Comment 29 errata-xmlrpc 2021-01-25 16:38:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248
Comment 30 errata-xmlrpc 2021-02-01 18:57:16 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.5

Via RHSA-2021:0327 https://access.redhat.com/errata/RHSA-2021:0327
Comment 32 errata-xmlrpc 2021-02-17 13:40:23 UTC 
This issue has been addressed in the following products:

  RHDM 7.10.0

Via RHSA-2021:0603 https://access.redhat.com/errata/RHSA-2021:0603
Comment 34 errata-xmlrpc 2021-03-11 17:49:57 UTC 
This issue has been addressed in the following products:

  Red Hat Integration - Camel K - Tech-Preview 3

Via RHSA-2021:0811 https://access.redhat.com/errata/RHSA-2021:0811
Comment 36 Cedric Buissart 2021-03-29 08:39:59 UTC 
Statement:

In OpenShift Container Platform (OCP) the affected components are behind OpenShift OAuth authentication. This restricts access to the vulnerable httpclient library to authenticated users only. Additionally the vulnerable httpclient library is not used directly in OCP components, therefore the impact by this vulnerability is Low.
In OCP 4 there are no plans to maintain ose-logging-elasticsearch5 container, hence marked as wontfix.

In the Red Hat Enterprise Linux platforms, Maven 35 and 36 are affected via their respective `httpcomponents-client` component.
Comment 37 errata-xmlrpc 2021-03-30 16:31:20 UTC 
This issue has been addressed in the following products:

  RHPAM 7.10.1

Via RHSA-2021:1044 https://access.redhat.com/errata/RHSA-2021:1044
Comment 41 errata-xmlrpc 2021-08-11 18:23:21 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
Comment 42 errata-xmlrpc 2021-09-30 09:57:38 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
Comment 44 errata-xmlrpc 2021-11-02 12:42:38 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.0.2 GA

Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100
Comment 45 errata-xmlrpc 2022-03-01 14:18:34 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0722 https://access.redhat.com/errata/RHSA-2022:0722
Comment 46 errata-xmlrpc 2022-05-10 13:54:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1860 https://access.redhat.com/errata/RHSA-2022:1860
Comment 47 errata-xmlrpc 2022-05-10 13:54:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1861 https://access.redhat.com/errata/RHSA-2022:1861
Comment 51 errata-xmlrpc 2023-06-29 20:07:29 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.12

Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
Note You need to log in before you can comment on or make changes to this bug.