By confusing the tickets, an HTTPS proxy can trick libcurl into using the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check, making a MITM attack possible to perform unnoticed.

Upstream Advisory: https://curl.se/docs/CVE-2021-22890.html
According to the upstream advisory, this issue was introduced via the following commit, first included in curl version 7.63.0: https://github.com/curl/curl/commit/549310e907e

The curl packages in Red Hat Enterprise Linux 8 and earlier, and the httpd24-curl packages in Red Hat Software Collections, are based on older curl versions which do not include the mentioned change and are therefore not affected by this issue.

The upstream advisory also notes that this only affects curl versions using OpenSSL as their TLS/SSL backend. The issue can occur when using TLS 1.3 and an HTTPS proxy (and not the traditional HTTP proxy).
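The exposure conditions stated above (change present from 7.63.0 onward, OpenSSL backend only) can be checked against a host's `curl --version` banner. The following script is an added example, not code from this bug or from the curl project: it parses the `libcurl/<version>` and TLS-backend tokens from the banner, compares the version against 7.63.0, and classifies the build. The banners embedded in it are constructed samples, not output captured from any real system. The fixed upstream version is not stated on this page, so a "possibly-affected" result must still be checked against the upstream advisory; the HTTPS-proxy and TLS 1.3 conditions are runtime configuration that a version banner cannot reveal.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner against the exposure
# conditions stated in this bug (introduced in 7.63.0, OpenSSL backend only).
# The fixed version is deliberately not encoded here; see the upstream advisory.

# Constructed sample banners (not captured from real hosts).
SAMPLE_AFFECTED='curl 7.64.1 (x86_64-pc-linux-gnu) libcurl/7.64.1 OpenSSL/1.1.1 zlib/1.2.11
Release-Date: 2019-03-27
Protocols: dict file ftp ftps http https
Features: HTTPS-proxy SSL TLS-SRP'

SAMPLE_OLD='curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11
Release-Date: 2018-09-05'

SAMPLE_OTHER_BACKEND='curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 GnuTLS/3.6.13 zlib/1.2.11
Release-Date: 2020-01-08'

# version_ge A B: succeed when dotted version A >= B, comparing numerically
# field by field (so 7.9.1 < 7.63.0, unlike a plain string comparison).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF; next }
        { for (i = 1; i <= NF; i++) b[i] = $i; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? a[i] + 0 : 0
                y = (i <= nb) ? b[i] + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# classify_banner TEXT: print one of
#   unknown               (no libcurl/<version> token found)
#   not-affected-version  (libcurl older than 7.63.0, predates the change)
#   not-affected-backend  (TLS backend is not OpenSSL)
#   possibly-affected     (libcurl >= 7.63.0 built against OpenSSL;
#                          confirm against the upstream advisory's fixed version)
classify_banner() {
    first=$(printf '%s\n' "$1" | sed -n '1p')
    version=$(printf '%s\n' "$first" | sed -n 's|.*libcurl/\([0-9][0-9.]*\).*|\1|p')
    if [ -z "$version" ]; then
        echo unknown
        return 0
    fi
    if ! version_ge "$version" 7.63.0; then
        echo not-affected-version
        return 0
    fi
    case $first in
        *OpenSSL/*) echo possibly-affected ;;
        *)          echo not-affected-backend ;;
    esac
}

# Classify the constructed samples, then the local curl if one is installed.
for name in SAMPLE_AFFECTED SAMPLE_OLD SAMPLE_OTHER_BACKEND; do
    eval "banner=\$$name"
    echo "$name: $(classify_banner "$banner")"
done
if command -v curl >/dev/null 2>&1; then
    echo "local curl: $(classify_banner "$(curl --version)")"
fi
```

Only the first banner line is inspected, because that is where curl prints the libcurl version and the TLS backend; the `Features:` line would additionally show whether the build supports HTTPS proxies at all, but whether one is configured is a per-invocation question.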
Acknowledgments:

Name: the Curl project
Upstream: Mingtao Yang (Facebook)
External References: https://curl.se/docs/CVE-2021-22890.html
Created curl tracking bugs for this issue:

Affects: fedora-all [bug 1945059]
Upstream commit: https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP8

Via RHSA-2021:2471 https://access.redhat.com/errata/RHSA-2021:2471
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2021:2472 https://access.redhat.com/errata/RHSA-2021:2472
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-22890