Bug 1752770 (CVE-2020-1757) - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
Summary: CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dang...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1757
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1752771
TreeView+ depends on / blocked
 
Reported: 2019-09-17 08:13 UTC by Marian Rehak
Modified: 2020-07-28 15:54 UTC (History)
67 users (show)

Fixed In Version: undertow-2.0.30.SP1 undertow-2.1.0.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Undertow, where the servlet container causes the servletPath to normalize incorrectly by truncating the path after the semicolon. The flaw may lead to application mapping, resulting in a security bypass.
Clone Of:
Environment:
Last Closed: 2020-05-12 10:32:00 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2058 None None None 2020-05-11 20:10:38 UTC
Red Hat Product Errata RHSA-2020:2059 None None None 2020-05-11 20:13:43 UTC
Red Hat Product Errata RHSA-2020:2060 None None None 2020-05-11 20:16:36 UTC
Red Hat Product Errata RHSA-2020:2061 None None None 2020-05-11 20:19:42 UTC
Red Hat Product Errata RHSA-2020:2112 None None None 2020-05-12 17:17:20 UTC
Red Hat Product Errata RHSA-2020:2511 None None None 2020-06-10 19:05:41 UTC
Red Hat Product Errata RHSA-2020:2512 None None None 2020-06-11 07:16:58 UTC
Red Hat Product Errata RHSA-2020:2513 None None None 2020-06-11 07:08:24 UTC
Red Hat Product Errata RHSA-2020:2515 None None None 2020-06-10 19:23:58 UTC
Red Hat Product Errata RHSA-2020:2905 None None None 2020-07-23 07:04:06 UTC
Red Hat Product Errata RHSA-2020:3192 None None None 2020-07-28 15:54:44 UTC

Description Marian Rehak 2019-09-17 08:13:00 UTC
The servletPath is normalized by the Servlet container, and truncated after the semicolon, leading to a partial servletPath. Leading to a full path "/api/public/aa/secret" and servletPath "/api/public/aa" leading to application mapping "/secret". This can lead to a security bypass depending on where and how URL-based security is applied.

Comment 1 Marian Rehak 2019-09-17 12:02:38 UTC
Acknowledgments:

Name: Fedorov Oleksii (LINE Corporation), Keitaro Yamazaki (LINE Corporation), Shiga Ryota (LINE Corporation)

Comment 11 Salvatore Bonaccorso 2020-03-19 06:59:24 UTC
Hi

Ist here any more information available on this issue? Is it reported upstream and fixed? I'm interested to track this issue in other downstreams (in my case Debian) as we ship underdow as  well.

Regards,
Salvatore

Comment 13 Marian Rehak 2020-03-23 08:46:07 UTC
Hello Salvatore,

This issue was reported to us by our private request tracker. All the information available was distilled into this flaw. Perhaps discussing the specifics  with @krathod or @chazlett from the analysis team would be a good approach.

Comment 15 errata-xmlrpc 2020-05-11 20:10:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:2058 https://access.redhat.com/errata/RHSA-2020:2058

Comment 16 errata-xmlrpc 2020-05-11 20:13:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:2059 https://access.redhat.com/errata/RHSA-2020:2059

Comment 17 errata-xmlrpc 2020-05-11 20:16:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:2060 https://access.redhat.com/errata/RHSA-2020:2060

Comment 18 errata-xmlrpc 2020-05-11 20:19:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2061 https://access.redhat.com/errata/RHSA-2020:2061

Comment 19 Product Security DevOps Team 2020-05-12 10:32:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1757

Comment 20 errata-xmlrpc 2020-05-12 17:17:17 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3.8

Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112

Comment 22 errata-xmlrpc 2020-06-10 19:05:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511

Comment 23 errata-xmlrpc 2020-06-10 19:23:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515

Comment 24 errata-xmlrpc 2020-06-11 07:08:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513

Comment 25 errata-xmlrpc 2020-06-11 07:16:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512

Comment 26 Chess Hazlett 2020-07-20 17:18:43 UTC
Mitigation:

The issue can be mitigated by configuring UrlPathHelper to ignore the servletPath via setting "alwaysUseFullPath".

Comment 27 errata-xmlrpc 2020-07-23 07:04:03 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905

Comment 28 errata-xmlrpc 2020-07-28 15:54:39 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192


Note You need to log in before you can comment on or make changes to this bug.