httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of "\xa0" characters in the "www-authenticate" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library. References: https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc https://github.com/httplib2/httplib2/pull/182 https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m https://pypi.org/project/httplib2
Created python-httplib2 tracking bugs for this issue: Affects: fedora-all [bug 1926886]
Setting ceph2 to OOSS.
Created python-httplib2 tracking bugs for this issue: Affects: epel-7 [bug 1929179]
External References: https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
Mitigation: Use strict mode to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.
RHUI still uses python2, which does not seem to suffer from the same DoS when searching a string with the flawed regular expression. A ValueError is raised instead, which is caught and re-raised as a MalformedHeader exception.
The flaw exists in the WWW_AUTH_RELAXED regexp pattern `\s*[^ \t\r\n=]+\s*=` used to parse the WWW-Authenticate HTTP response header. As mentioned in the upstream advisory, a long sequence of '\xa0' characters may cause catastrophic backtracking, making the client susceptible to a ReDoS attack when it receives specially crafted responses from a malicious or compromised server. The main reason is that backtracking requires the regular expression engine to enumerate all possible solutions, which makes the operation very expensive as it has an exponential cost. Therefore, when the server sends a crafted bogus value, the client will take a very long time to parse the response, potentially causing a denial of service.
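To make the flaw and the strict-mode mitigation above concrete, here is an added example (it is not code from httplib2, from the upstream fix or from this tracker). It first checks why U+00A0 makes the relaxed key pattern quoted above ambiguous under Python 3 (both `\s` and `[^ \t\r\n=]` accept it, so a run of NBSPs can be split between the groups many ways before the final `=` fails), then shows a strict, single-pass WWW-Authenticate parser whose cost is linear in the header length and which rejects such input on the first bad character. The `parse_www_authenticate` function, the `TOKEN_CHARS` set and the local `MalformedHeader` class are this example's own simplified definitions (token68 challenges such as a bare Negotiate blob are deliberately not handled); the constructed sample headers are inline.

```python
import re
import time

# Key-name part of the relaxed pattern quoted in this bug. In Python 3 str
# patterns, \s matches any Unicode whitespace; U+00A0 (NBSP) is whitespace
# but is NOT excluded by [^ \t\r\n=], so every character of an NBSP run can
# belong to either group, and the engine retries all splits before giving up.
RELAXED_KEY = re.compile(r"\s*[^ \t\r\n=]+\s*=")


def nbsp_is_ambiguous():
    """True when U+00A0 satisfies both \\s and [^ \\t\\r\\n=] (Python 3 str)."""
    return bool(re.fullmatch(r"\s", "\xa0")) and bool(re.fullmatch(r"[^ \t\r\n=]", "\xa0"))


def relaxed_search_seconds(n):
    """Seconds the relaxed pattern spends failing on n NBSPs (no '=' present).

    Constructed input modelled on the advisory's description; the time grows
    superlinearly with n, which is the CPU burn the bug describes.
    """
    payload = "\xa0" * n
    start = time.perf_counter()
    RELAXED_KEY.search(payload)
    return time.perf_counter() - start


# RFC 7230 tchar: the only characters allowed in an unquoted token.
TOKEN_CHARS = frozenset("!#$%&'*+-.^_`|~0123456789"
                        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")


class MalformedHeader(ValueError):
    """Raised for anything outside token / quoted-string syntax (example's own class)."""


def parse_www_authenticate(value):
    """Parse 'Scheme k1=v1, k2="v 2"' into (scheme, {k1: v1, k2: 'v 2'}).

    One left-to-right pass with no regular expression: each character is
    inspected once, so the cost is O(len(value)) whatever the content, and
    an NBSP (or any non-token byte) fails immediately instead of being retried.
    """
    s, n, i = value, len(value), 0

    def skip_ows():  # optional whitespace is SP / HTAB only, never U+00A0
        nonlocal i
        while i < n and s[i] in " \t":
            i += 1

    def read_token():
        nonlocal i
        start = i
        while i < n and s[i] in TOKEN_CHARS:
            i += 1
        if start == i:
            raise MalformedHeader("expected token at offset %d" % i)
        return s[start:i]

    def read_quoted():
        nonlocal i
        i += 1  # consume the opening quote
        out = []
        while i < n:
            c = s[i]
            if c == "\\" and i + 1 < n:  # quoted-pair: keep the escaped char
                out.append(s[i + 1])
                i += 2
                continue
            if c == '"':
                i += 1
                return "".join(out)
            out.append(c)
            i += 1
        raise MalformedHeader("unterminated quoted-string")

    skip_ows()
    scheme = read_token()
    params = {}
    skip_ows()
    while i < n:
        key = read_token()
        skip_ows()
        if i >= n or s[i] != "=":
            raise MalformedHeader("expected '=' after %r" % key)
        i += 1
        skip_ows()
        params[key.lower()] = read_quoted() if i < n and s[i] == '"' else read_token()
        skip_ows()
        if i < n:
            if s[i] != ",":
                raise MalformedHeader("expected ',' at offset %d" % i)
            i += 1
            skip_ows()
    return scheme.lower(), params


if __name__ == "__main__":
    print("NBSP accepted by both groups:", nbsp_is_ambiguous())
    for count in (50, 100, 150):
        print("relaxed regex on %d NBSPs: %.3fs" % (count, relaxed_search_seconds(count)))
    print(parse_www_authenticate('Digest realm="api@example.com", qop="auth, auth-int", nonce=abc123'))
    try:
        parse_www_authenticate("Basic " + "\xa0" * 100000)
    except MalformedHeader as exc:
        print("strict parser rejected NBSP run at once:", exc)
```

The parser embodies the trade-off the mitigation comment warns about: like httplib2's strict mode it refuses ill-formed challenges rather than guessing at them, so a server sending sloppy but harmless headers will get a MalformedHeader where relaxed mode would have coped. The timing loop only runs under `__main__`; the measured values depend on the machine, but the growth between the three sizes is what matters.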
Statement: This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:2116 https://access.redhat.com/errata/RHSA-2021:2116
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-21240