2152639 – (CVE-2022-43551) CVE-2022-43551 curl: HSTS bypass via IDN

Bug 2152639 (CVE-2022-43551) - CVE-2022-43551 curl: HSTS bypass via IDN

Summary: CVE-2022-43551 curl: HSTS bypass via IDN

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-43551
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2155433 2155434
Blocks:	2152645
TreeView+	depends on / blocked

Reported:	2022-12-12 15:21 UTC by Marian Rehak
Modified:	2023-06-05 18:16 UTC (History)
CC List:	17 users (show)
Fixed In Version:	curl 7.87.0
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in curl. The issue can occur when curl's HSTS check is bypassed to trick it to keep using HTTP. Using its HSTS support, curl can be instructed to use HTTPS instead of an insecure clear-text HTTP step even when providing HTTP in the URL. Suppose the hostname in the given URL first uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion. In that case, it can bypass the HSTS mechanism using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop (U+002E). Then in a subsequent request, it does not detect the HSTS state and makes a clear text transfer. Because it would store the information, IDN encoded but looked for it as IDN decoded.
Clone Of:
Environment:
Last Closed:	2023-06-05 18:16:20 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:3354	0	None	None	None	2023-06-05 11:50:53 UTC
Red Hat Product Errata	RHSA-2023:3355	0	None	None	None	2023-06-05 11:47:01 UTC

Description Marian Rehak 2022-12-12 15:21:46 UTC

Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP step even when HTTP is provided in the URL.

Reference:

https://curl.se/docs/CVE-2022-43551.html

Comment 2 Sandipan Roy 2022-12-21 09:06:52 UTC

Created curl tracking bugs for this issue:

Affects: fedora-all [bug 2155433]


Created mingw-curl tracking bugs for this issue:

Affects: fedora-all [bug 2155434]

Comment 3 errata-xmlrpc 2023-06-05 11:46:59 UTC

This issue has been addressed in the following products:

  JBCS httpd 2.4.51.sp2

Via RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355

Comment 4 errata-xmlrpc 2023-06-05 11:50:51 UTC

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354

Comment 5 Product Security DevOps Team 2023-06-05 18:16:18 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-43551

Note You need to log in before you can comment on or make changes to this bug.