Bug 1995234 (CVE-2021-3733) - CVE-2021-3733 python: urllib: Regular expression DoS in AbstractBasicAuthHandler
Summary: CVE-2021-3733 python: urllib: Regular expression DoS in AbstractBasicAuthHandler
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3733
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1996117 1996118 1996119 1996120 1996134 1997860 1997863 1997857 1997858 1997861 1997862 1997864 1997865 2000681 2000682 2000683 2000684 2000685 2000686 2000687 2000688 2001098 2001099 2002980
Blocks: 1995235
TreeView+ depends on / blocked
 
Reported: 2021-08-18 16:33 UTC by Pedro Sampaio
Modified: 2021-11-09 17:27 UTC (History)
33 users (show)

Fixed In Version: python 3.6.14, python 3.7.11, python 3.8.10, python 3.9.5
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
Clone Of:
Environment:
Last Closed: 2021-11-02 14:07:50 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4057 0 None None None 2021-11-02 08:43:27 UTC
Red Hat Product Errata RHSA-2021:4160 0 None None None 2021-11-09 17:27:27 UTC

Description Pedro Sampaio 2021-08-18 16:33:37 UTC
The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.

References:

https://bugs.python.org/issue43075
https://github.com/python/cpython/pull/24391

Comment 6 Todd Cullum 2021-08-26 23:06:49 UTC
Flaw summary:

Class AbstractBasicAuthHandler in Python's Lib/urllib/request.py uses a regex pattern `([^ \t]+)` in handling of the HTTP Basic Access Authentication Scheme[1]. This pattern allows for a quadratic time complexity ReDoS to occur when a crafted payload is processed. This flaw is similar to BZ#1809065 but the underlying cause is different; the portion of regex that creates the flaw is different, and the triggering payload is different.


1. https://datatracker.ietf.org/doc/html/rfc2617#section-2

Comment 9 Todd Cullum 2021-09-02 17:19:54 UTC
Created mingw-python3 tracking bugs for this issue:

Affects: fedora-all [bug 2000683]


Created python2.7 tracking bugs for this issue:

Affects: fedora-all [bug 2000681]


Created python3.5 tracking bugs for this issue:

Affects: fedora-all [bug 2000685]


Created python3.6 tracking bugs for this issue:

Affects: fedora-all [bug 2000686]


Created python3.7 tracking bugs for this issue:

Affects: fedora-all [bug 2000687]


Created python3.8 tracking bugs for this issue:

Affects: fedora-all [bug 2000684]


Created python3.9 tracking bugs for this issue:

Affects: fedora-all [bug 2000688]


Created python34 tracking bugs for this issue:

Affects: epel-7 [bug 2000682]

Comment 10 Miro Hrončok 2021-09-02 17:29:24 UTC
Todd, what is the purpose of opening the Fedora bugzillas when we already have the fixed versions?

Comment 11 Todd Cullum 2021-09-02 18:03:42 UTC
In reply to comment #10:
> Todd, what is the purpose of opening the Fedora bugzillas when we already
> have the fixed versions?

We usually open them mostly for tracking purposes AFAIK. Typically they are opened immediately when each flaw is filed, but in this case, they didn't get opened right away. Sorry for the delay there - had to work out a kink with the PSModules for Fedora with the Incoming team.

Comment 12 Petr Viktorin 2021-09-03 08:06:15 UTC
> We usually open them mostly for tracking purposes AFAIK.

Do you know who requires this tracking, and why?
If they're really necessary, can you close them after opening?

Comment 16 errata-xmlrpc 2021-11-02 08:43:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4057 https://access.redhat.com/errata/RHSA-2021:4057

Comment 17 Product Security DevOps Team 2021-11-02 14:07:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3733

Comment 18 errata-xmlrpc 2021-11-09 17:27:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160


Note You need to log in before you can comment on or make changes to this bug.