Bug 1926885 (CVE-2021-21240) - CVE-2021-21240 python-httplib2: Regular expression denial of service via malicious header
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-21240
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1926886 1929179 1929408 1930186 1931438 1931550 1931678
Blocks: 1926887
Reported: 2021-02-09 15:44 UTC by Pedro Sampaio
Modified: 2021-06-24 12:35 UTC (History)

Fixed In Version: httplib2 0.19.0
Doc Type: If docs needed, set a value
Doc Text:
An uncontrolled resource consumption flaw was found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-05-26 17:32:04 UTC
Embargoed:



Description Pedro Sampaio 2021-02-09 15:44:37 UTC
httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with a long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0, which contains a new implementation of auth headers parsing using the pyparsing library.

References:

https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc
https://github.com/httplib2/httplib2/pull/182
https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
https://pypi.org/project/httplib2

Comment 1 Pedro Sampaio 2021-02-09 15:45:15 UTC
Created python-httplib2 tracking bugs for this issue:

Affects: fedora-all [bug 1926886]

Comment 2 Sage McTaggart 2021-02-09 17:07:02 UTC
Setting ceph2 to OOSS.

Comment 3 Mauro Matteo Cascella 2021-02-16 11:24:56 UTC
Created python-httplib2 tracking bugs for this issue:

Affects: epel-7 [bug 1929179]

Comment 5 Mauro Matteo Cascella 2021-02-18 12:00:12 UTC
External References:

https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m

Comment 7 Mauro Matteo Cascella 2021-02-18 15:34:07 UTC
Mitigation:

Use strict mode to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.

Comment 10 Riccardo Schirone 2021-02-22 12:37:20 UTC
RHUI still uses python2, which does not seem to suffer from the same DoS when searching a string with the flawed regular expression. A ValueError is raised instead, which is caught and re-raised as a MalformedHeader exception.

Comment 13 Mauro Matteo Cascella 2021-02-23 17:05:51 UTC
The flaw exists in the WWW_AUTH_RELAXED regexp pattern `\s*[^ \t\r\n=]+\s*=` used to parse the WWW-Authenticate HTTP response header. As mentioned in the upstream advisory, a long sequence of '\xa0' characters may cause catastrophic backtracking, making the client susceptible to a ReDoS attack when it receives specially crafted responses from a malicious or compromised server.

The main reason is that backtracking requires the regular expression engine to enumerate all possible solutions, which makes the operation very expensive as it has an exponential cost. Therefore, when the server sends a crafted bogus value, the client will take a very long time to parse the response, potentially causing a denial of service.
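The following is an added example, not httplib2's own code and not from any commenter above. It pins down the root cause named in comment 13 (in a Python 3 str pattern, `\s` and `[^ \t\r\n=]` both accept '\xa0', so the relaxed fragment has two overlapping quantifiers with nothing forcing a split) and shows the shape of a backtracking-free, ASCII-only challenge parser of the kind the strict-mode mitigation in comment 7 stands in for. The `parse_www_authenticate` function, its `max_len` cap and the `classes_overlap_on` helper are assumptions of this example; the sample header values are constructed.

```python
"""Added example (not httplib2 code): root cause of the overlap in the
relaxed WWW-Authenticate pattern, and a linear-time replacement parser."""
import re

# Fragment of the relaxed pattern exactly as quoted in comment 13.
RELAXED_FRAGMENT = re.compile(r"\s*[^ \t\r\n=]+\s*=")


def classes_overlap_on(ch: str) -> bool:
    r"""True when both `\s` and `[^ \t\r\n=]` accept `ch`.

    In a Python 3 str pattern `\s` means Unicode whitespace, so '\xa0'
    (NO-BREAK SPACE) satisfies both classes. A run of such characters with
    no '=' after it can be split between `\s*`, `[^ \t\r\n=]+` and the
    second `\s*` in many ways, and the engine tries every split before
    giving up. For a plain space the second class rejects it, so no overlap.
    """
    return (re.fullmatch(r"\s", ch) is not None
            and re.fullmatch(r"[^ \t\r\n=]", ch) is not None)


# RFC 7230 tchar set: what a scheme or parameter name may contain.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_OWS = " \t"  # optional whitespace is ASCII SP / HTAB only


def _skip_ows(s: str, i: int) -> int:
    while i < len(s) and s[i] in _OWS:
        i += 1
    return i


def _read_token(s: str, i: int):
    m = _TOKEN.match(s, i)  # anchored at i: one pass, no backtracking
    if not m:
        raise ValueError(f"expected token at offset {i}")
    return m.group(0), m.end()


def _read_quoted(s: str, i: int):
    out = []
    i += 1  # skip opening '"'
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):  # quoted-pair
            out.append(s[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted-string")


def parse_www_authenticate(header: str, max_len: int = 4096):
    """Parse one `scheme name=value, name="value"` challenge in linear time.

    Every branch advances the cursor, so cost is proportional to
    len(header); a length cap and an ASCII check reject crafted values
    before any parsing starts.
    """
    if len(header) > max_len:
        raise ValueError("WWW-Authenticate value exceeds max_len")
    if not header.isascii():
        raise ValueError("non-ASCII character in WWW-Authenticate value")
    i = _skip_ows(header, 0)
    scheme, i = _read_token(header, i)
    params = {}
    i = _skip_ows(header, i)
    while i < len(header):
        name, i = _read_token(header, i)
        i = _skip_ows(header, i)
        if i >= len(header) or header[i] != "=":
            raise ValueError(f"expected '=' after parameter {name!r}")
        i = _skip_ows(header, i + 1)
        if i < len(header) and header[i] == '"':
            value, i = _read_quoted(header, i)
        else:
            value, i = _read_token(header, i)
        params[name.lower()] = value
        i = _skip_ows(header, i)
        if i < len(header):
            if header[i] != ",":
                raise ValueError(f"unexpected {header[i]!r} at offset {i}")
            i = _skip_ows(header, i + 1)
    return scheme, params


if __name__ == "__main__":
    print("overlap on NBSP:", classes_overlap_on("\xa0"))  # True
    print("overlap on SP:  ", classes_overlap_on(" "))     # False
    print("relaxed fragment on realm=:", RELAXED_FRAGMENT.search('realm="x"') is not None)
    # Constructed, benign challenge as a real server might send it.
    print(parse_www_authenticate(
        'Digest realm="example.org", qop="auth, auth-int", nonce=abc123'))
    # Constructed hostile value of the shape described in comment 13
    # (kept short; the parser rejects it before scanning anyway).
    try:
        parse_www_authenticate("Basic " + "\xa0" * 64)
    except ValueError as exc:
        print("rejected:", exc)
```

The parser deliberately handles only `name=value` parameter lists; a token68 challenge such as `Negotiate <base64>` is rejected with a ValueError rather than parsed, which is the same trade-off comment 7 warns about for strict mode: a stricter grammar refuses some real-world values in exchange for predictable cost.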

Comment 15 Anten Skrabec 2021-03-01 20:52:35 UTC
Statement:

This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.

Comment 16 errata-xmlrpc 2021-05-26 11:43:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:2116 https://access.redhat.com/errata/RHSA-2021:2116

Comment 17 Product Security DevOps Team 2021-05-26 17:32:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-21240

