rhsa-2021_2471
Vulnerability from csaf_redhat
Published
2021-06-17 11:35
Modified
2024-11-05 23:43
Summary
Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update

Notes

Topic
Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 8 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss Core Services offering.

This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.

Security Fix(es):

* curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901)
* httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)
* libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)
* curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)
* curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285)
* curl: Inferior OCSP verification (CVE-2020-8286)
* curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)
* curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
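The PASV issue listed above (CVE-2020-8284) and the `--ftp-skip-pasv-ip` / `CURLOPT_FTP_SKIP_PASV_IP` workaround the advisory gives for it are easiest to see in code. The following is an added example, not curl project or Red Hat code: it parses a 227 reply, shows where a client that trusts the advertised address would open its data connection versus one that keeps only the port and reconnects to the control connection's peer, and classifies replies that steer the client at some other host. The replies and addresses are constructed; `DataTarget`, `choose_data_target` and `pasv_risk` are names chosen for this example.

```python
"""Added example for CVE-2020-8284 (constructed; not curl project code).

RFC 959 PASV replies look like "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
A client that then connects to h1.h2.h3.h4 on port p1*256+p2 lets a malicious
server point its data connection at any host and port, which is the port-scan
and service-probing behaviour the advisory describes. The workaround it names,
--ftp-skip-pasv-ip / CURLOPT_FTP_SKIP_PASV_IP, keeps only the port and
reconnects to the address the control connection is already talking to.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Six decimal fields after the 227 code; parentheses and wording vary between servers.
_PASV_RE = re.compile(r"^227\D*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataTarget:
    host: str             # address the data connection will actually go to
    port: int
    advertised_host: str  # address the server asked the client to use
    overridden: bool      # True when skip_pasv_ip replaced a different advertised address


def parse_pasv(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; reject malformed or unconnectable values."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return host, port


def choose_data_target(reply: str, control_peer_ip: str, *, skip_pasv_ip: bool) -> DataTarget:
    """Decide where the data connection goes.

    skip_pasv_ip=False trusts the server's address (the behaviour the CVE describes);
    skip_pasv_ip=True does what --ftp-skip-pasv-ip does: keep the port, reuse the
    control connection's peer address.
    """
    advertised, port = parse_pasv(reply)
    if skip_pasv_ip:
        return DataTarget(control_peer_ip, port, advertised, advertised != control_peer_ip)
    return DataTarget(advertised, port, advertised, False)


def pasv_risk(reply: str, control_peer_ip: str) -> str:
    """Classify a reply for logging: 'ok' when the server points at itself,
    otherwise which kind of host it is trying to make the client reach."""
    advertised, _ = parse_pasv(reply)
    if advertised == control_peer_ip:
        return "ok"
    if ipaddress.ip_address(advertised).is_private:
        return "redirect-to-internal-host"
    return "redirect-to-other-host"


if __name__ == "__main__":
    server_ip = "203.0.113.7"  # constructed control-connection peer
    for reply in (
        "227 Entering Passive Mode (203,0,113,7,195,80)",  # honest: same host, port 50000
        "227 Entering Passive Mode (10,0,0,5,0,22)",       # hostile: probe 10.0.0.5:22 from the client's network
    ):
        trusting = choose_data_target(reply, server_ip, skip_pasv_ip=False)
        hardened = choose_data_target(reply, server_ip, skip_pasv_ip=True)
        print(f"{reply!r}: risk={pasv_risk(reply, server_ip)} "
              f"trusting->{trusting.host}:{trusting.port} hardened->{hardened.host}:{hardened.port}")
```

The `overridden` flag is the thing worth logging in a client that enables the workaround: a server whose PASV reply names a different address than the one the control connection is using is either misconfigured behind NAT (the uncommon legitimate case the advisory's workaround text warns about) or attempting the redirection this CVE describes.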
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
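For CVE-2021-22876, listed above and described in the CSAF record below, the advisory's workaround is either to leave automatic Referer generation off or to keep credentials out of URLs. The added example below (not curl or libcurl code) shows the check that makes automatic Referer safe regardless: strip the userinfo and fragment before reusing the previous URL, as RFC 7231 section 5.5.2 requires, splitting the authority at its last '@' so a password that itself contains '@' is not mistaken for part of the host name. The URLs are constructed; `redirect_request_headers` is a hypothetical helper standing in for a client's redirect-following code.

```python
"""Added example for CVE-2021-22876 (constructed; not curl or libcurl code).

RFC 7231 section 5.5.2: a user agent MUST NOT include the userinfo or fragment
components of a URI when generating the Referer field. The advisory describes
the missing step: with automatic referer enabled, the previous URL was copied
into Referer on redirect with its credentials still in it.
"""
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit


def split_credentials(url: str) -> tuple[str, str | None, str | None]:
    """Return (url without userinfo, username, password).

    The authority is split at its LAST '@', so an '@' inside the password stays
    in the password rather than becoming the start of the host name. The
    advisory's CVE-2020-8169 entry describes what happens when part of a
    password is treated as host name and sent to DNS.
    """
    parts = urlsplit(url)
    userinfo, at, hostinfo = parts.netloc.rpartition("@")
    if not at:
        return url, None, None
    user, colon, password = userinfo.partition(":")
    return urlunsplit(parts._replace(netloc=hostinfo)), user, (password if colon else None)


def referer_leaky(previous_url: str) -> str:
    """The behaviour the advisory describes, simplified: the previous URL reused
    with its credentials still in it."""
    return previous_url


def referer_safe(previous_url: str) -> str:
    """Strip userinfo and fragment before using a URL as a referrer."""
    without_creds, _, _ = split_credentials(previous_url)
    return urlunsplit(urlsplit(without_creds)._replace(fragment=""))


def redirect_request_headers(previous_url: str, location: str, *, auto_referer: bool,
                             safe: bool = True) -> dict[str, str]:
    """Hypothetical stand-in for a client's redirect follow-up: headers for the
    request to `location`. With auto_referer off (the default, as the advisory's
    workaround notes) no Referer is produced at all."""
    headers = {"Host": urlsplit(location).netloc}
    if auto_referer:
        headers["Referer"] = referer_safe(previous_url) if safe else referer_leaky(previous_url)
    return headers


if __name__ == "__main__":
    previous = "https://alice:p@ss@origin.example/login?next=1#top"  # constructed; password contains '@'
    location = "https://cdn.example/landing"
    for safe in (False, True):
        hdrs = redirect_request_headers(previous, location, auto_referer=True, safe=safe)
        print(("leaky " if not safe else "safe  ") + f"Referer: {hdrs['Referer']}")
```

Passing credentials out of band (`-u` / `CURLOPT_USERPWD`, as the workaround text recommends) is still the better design, since the query string of the previous URL is also sent as Referer and may carry its own secrets; the stripping above only closes the specific leak this CVE names.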



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 8 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss Core Services offering.\n\nThis release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 and includes bug fixes and enhancements. Refer to the Release Notes for information on the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901)\n\n* httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618)\n\n* libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169)\n\n* curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284)\n\n* curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285)\n\n* curl: Inferior OCSP verification (CVE-2020-8286)\n\n* curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)\n\n* curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2021:2471",
        "url": "https://access.redhat.com/errata/RHSA-2021:2471"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp\u0026downloadType=securityPatches\u0026version=2.4.37",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.apachehttp\u0026downloadType=securityPatches\u0026version=2.4.37"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.openssl\u0026downloadType=securityPatches\u0026version=1.1.1g",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.openssl\u0026downloadType=securityPatches\u0026version=1.1.1g"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_core_services/2.4.37/"
      },
      {
        "category": "external",
        "summary": "1847916",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847916"
      },
      {
        "category": "external",
        "summary": "1902667",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902667"
      },
      {
        "category": "external",
        "summary": "1902687",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902687"
      },
      {
        "category": "external",
        "summary": "1906096",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906096"
      },
      {
        "category": "external",
        "summary": "1941964",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941964"
      },
      {
        "category": "external",
        "summary": "1941965",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941965"
      },
      {
        "category": "external",
        "summary": "1963146",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1963146"
      },
      {
        "category": "external",
        "summary": "1968013",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1968013"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_2471.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP8 security update",
    "tracking": {
      "current_release_date": "2024-11-05T23:43:35+00:00",
      "generator": {
        "date": "2024-11-05T23:43:35+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.1.1"
        }
      },
      "id": "RHSA-2021:2471",
      "initial_release_date": "2021-06-17T11:35:19+00:00",
      "revision_history": [
        {
          "date": "2021-06-17T11:35:19+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2021-06-17T11:35:19+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-05T23:43:35+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "JBoss Core Services Apache HTTP Server 2.4.37 SP8",
                "product": {
                  "name": "JBoss Core Services Apache HTTP Server 2.4.37 SP8",
                  "product_id": "JBoss Core Services Apache HTTP Server 2.4.37 SP8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_core_services:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Core Services"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-8169",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2020-06-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1847916"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in libcurl. A part of a password may be prepended to the host name before the host name is resolved, leading to a leak of the partial password over the network and to DNS servers. The highest threat from this vulnerability is to data confidentiality.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "libcurl: partial password leak over DNS on HTTP redirect",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-8169"
        },
        {
          "category": "external",
          "summary": "RHBZ#1847916",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1847916"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8169",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-8169"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8169"
        },
        {
          "category": "external",
          "summary": "https://curl.haxx.se/docs/CVE-2020-8169.html",
          "url": "https://curl.haxx.se/docs/CVE-2020-8169.html"
        }
      ],
      "release_date": "2020-06-24T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "libcurl: partial password leak over DNS on HTTP redirect"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Varnavas Papaioannou"
          ]
        }
      ],
      "cve": "CVE-2020-8284",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2020-11-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1902667"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A malicious server can use the `PASV` response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions. If curl operates on a URL provided by a user, a user can exploit that and pass in a URL to a malicious FTP server instance without needing any server breach to perform the attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: FTP PASV command response can cause curl to connect to arbitrary host",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-8284"
        },
        {
          "category": "external",
          "summary": "RHBZ#1902667",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902667"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8284",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-8284"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8284"
        },
        {
          "category": "external",
          "summary": "https://curl.se/docs/CVE-2020-8284.html",
          "url": "https://curl.se/docs/CVE-2020-8284.html"
        }
      ],
      "release_date": "2020-12-09T08:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        },
        {
          "category": "workaround",
          "details": "This flaw can be mitigated in curl as shipped with Red Hat Enterprise Linux and Red Hat Software Collections when using curl by passing the `--ftp-skip-pasv-ip` command line option to curl. For usage of libcurl, set `CURLOPT_FTP_SKIP_PASV_IP` to `1L`[1]. Note that these mitigations could cause problems in the uncommon instance that the server needs the client to connect back to an IP other than the control connection IP address.\n\n1. https://curl.se/libcurl/c/CURLOPT_FTP_SKIP_PASV_IP.html",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "curl: FTP PASV command response can cause curl to connect to arbitrary host"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Varnavas Papaioannou"
          ]
        }
      ],
      "cve": "CVE-2020-8285",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2020-11-30T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1902687"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Libcurl offers a wildcard matching functionality, which allows a callback (set with `CURLOPT_CHUNK_BGN_FUNCTION`) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. When this callback returns `CURL_CHUNK_BGN_FUNC_SKIP`, to tell libcurl to not deal with that file, the internal function in libcurl then calls itself recursively to handle the next directory entry. If there are enough file entries and the callback returns \"skip\" enough times, libcurl runs out of stack space. The exact amount will of course vary with platforms, compilers and other environmental factors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-8285"
        },
        {
          "category": "external",
          "summary": "RHBZ#1902687",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1902687"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8285",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-8285"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8285"
        },
        {
          "category": "external",
          "summary": "https://curl.se/docs/CVE-2020-8285.html",
          "url": "https://curl.se/docs/CVE-2020-8285.html"
        },
        {
          "category": "external",
          "summary": "https://github.com/curl/curl/issues/6255",
          "url": "https://github.com/curl/curl/issues/6255"
        }
      ],
      "release_date": "2020-12-09T08:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used"
    },
    {
      "cve": "CVE-2020-8286",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "discovery_date": "2020-12-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1906096"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Libcurl offers \"OCSP stapling\" via the CURLOPT_SSL_VERIFYSTATUS option. When set, libcurl verifies the OCSP response that a server responds with as part of the TLS handshake. It then aborts the TLS negotiation if something is wrong with the response. The same feature can be enabled with --cert-status using the curl tool. As part of the OCSP response verification, a client should verify that the response is indeed set out for the correct certificate. This step was not performed by libcurl when built or told to use OpenSSL as TLS backend.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: Inferior OCSP verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-8286"
        },
        {
          "category": "external",
          "summary": "RHBZ#1906096",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1906096"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-8286",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-8286"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8286"
        },
        {
          "category": "external",
          "summary": "https://curl.se/docs/CVE-2020-8286.html",
          "url": "https://curl.se/docs/CVE-2020-8286.html"
        }
      ],
      "release_date": "2020-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "curl: Inferior OCSP verification"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Curl project"
          ]
        },
        {
          "names": [
            "Viktor Szakats"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2021-22876",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2021-03-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1941964"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "It was discovered that libcurl did not remove authentication credentials from URLs when automatically populating the Referer HTTP request header while handling HTTP redirects. This could lead to exposure of the credentials to the server to which requests were redirected.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: Leak of authentication credentials in URL via automatic Referer",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-22876"
        },
        {
          "category": "external",
          "summary": "RHBZ#1941964",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941964"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22876",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-22876"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22876"
        }
      ],
      "release_date": "2021-03-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        },
        {
          "category": "workaround",
          "details": "This issue can be avoided by using at least one of the following recommendations:\n\n* Do not enable automatic generation of Referer headers when redirects are followed. This functionality is not enabled by default. In the curl command line tool, it is enabled using the -e \u0027;auto\u0027 or --referer \u0027;auto\u0027 command line options. In the libcurl library, it is enabled using the CURLOPT_AUTOREFERER option.\n\n* Do not include authentication credentials in URLs (in the form of https://username:password@example.com); use other methods to provide authentication credentials to curl / libcurl. For the curl command line tool, use the -u or --user command line option. For the libcurl library, use the CURLOPT_USERPWD or CURLOPT_USERNAME / CURLOPT_PASSWORD options.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "curl: Leak of authentication credentials in URL via automatic Referer"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Curl project"
          ]
        },
        {
          "names": [
            "Mingtao Yang"
          ],
          "organization": "Facebook",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2021-22890",
      "cwe": {
        "id": "CWE-290",
        "name": "Authentication Bypass by Spoofing"
      },
      "discovery_date": "2021-03-22T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1941965"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the way libcurl handled TLS 1.3 session tickets. A malicious HTTPS proxy could possibly use this flaw to make libcurl resume a TLS session it previously had with the proxy while intending to resume a TLS session with a target server, making it possible for the proxy to perform a man-in-the-middle attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: TLS 1.3 session ticket mix-up with HTTPS proxy host",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-22890"
        },
        {
          "category": "external",
          "summary": "RHBZ#1941965",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1941965"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22890",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-22890"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22890"
        },
        {
          "category": "external",
          "summary": "https://curl.se/docs/CVE-2021-22890.html",
          "url": "https://curl.se/docs/CVE-2021-22890.html"
        }
      ],
      "release_date": "2021-03-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "curl: TLS 1.3 session ticket mix-up with HTTPS proxy host"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "the Curl project"
          ]
        },
        {
          "names": [
            "Harry Sintonen"
          ],
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2021-22901",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "discovery_date": "2019-05-19T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1963146"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A use-after-free flaw was found in the way curl handled TLS session data. The curl versions using the OpenSSL library as their TLS backend could use freed memory after TLS session renegotiation was performed by the OpenSSL library. A malicious TLS server could use this flaw to crash or, possibly, execute arbitrary code with the privileges of a client application using the curl library.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "curl: Use-after-free in TLS session handling when using OpenSSL TLS backend",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-22901"
        },
        {
          "category": "external",
          "summary": "RHBZ#1963146",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1963146"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-22901",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-22901"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22901"
        },
        {
          "category": "external",
          "summary": "https://curl.se/docs/CVE-2021-22901.html",
          "url": "https://curl.se/docs/CVE-2021-22901.html"
        }
      ],
      "release_date": "2021-05-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2021-06-17T11:35:19+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
          "product_ids": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2021:2471"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "JBoss Core Services Apache HTTP Server 2.4.37 SP8"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "curl: Use-after-free in TLS session handling when using OpenSSL TLS backend"
    }
  ]
}

