Bug 1172175 (CVE-2020-11077)

Summary: VUL-0: CVE-2020-11077: rubygem-puma: client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: atoptsoglou, dakechi, gabriele.sonnu, johannes.grassler, kberger, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/259858/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-11077:6.8:(AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2020-05-27 12:19:40 UTC
CVE-2020-11077

In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request
through a proxy, causing the proxy to send a response back to another unknown
client. If the proxy uses persistent connections and the client adds another
request in via HTTP pipelining, the proxy may mistake it as the first request's
body. Puma, however, would see it as two requests, and when processing the
second request, send back a response that the proxy does not expect. If the
proxy has reused the persistent connection to Puma to send another request for a
different client, the second response from the first client will be sent to the
second client. This is a similar but different vulnerability from
CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11077
http://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-11077.html
https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11077
https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
Comment 13 Swamp Workflow Management 2020-07-14 16:18:11 UTC
SUSE-SU-2020:1901-1: An update that solves 23 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1068612,1092420,1107190,1108719,1123872,1126503,1141968,11483483,1148383,1153191,1156525,1159046,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161670,1164322,1167244,1168593,1169770,1170657,1171273,1171560,1171594,1171661,1171909,1172166,1172167,1172175,1172176,1172409
CVE References: CVE-2017-1000246,CVE-2019-1010083,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19911,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    ansible-2.4.6.0-3.9.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, crowbar-core-5.0+git.1593156248.55bbdb26d-3.41.2, crowbar-openstack-5.0+git.1593085772.64c4ab43c-4.40.2, documentation-suse-openstack-cloud-deployment-8.20200527-1.26.1, documentation-suse-openstack-cloud-supplement-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-admin-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-3.12.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-3.9.1, storm-1.1.3-3.3.1
SUSE OpenStack Cloud 8 (src):    ansible-2.4.6.0-3.9.1, ansible1-1.9.6-7.3.1, ardana-ansible-8.0+git.1589740980.6c3bcdc-3.73.1, ardana-cluster-8.0+git.1585685203.3e71e49-3.36.1, ardana-freezer-8.0+git.1586539529.b7d295f-3.21.1, ardana-input-model-8.0+git.1589740934.0e0ad61-3.39.1, ardana-logging-8.0+git.1591194866.b7375d0-3.24.1, ardana-mq-8.0+git.1589715269.62ad6df-3.22.1, ardana-neutron-8.0+git.1590756744.ba84abc-3.42.1, ardana-octavia-8.0+git.1590100427.cf4cc8f-3.29.1, ardana-osconfig-8.0+git.1587034587.eac37b8-3.45.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, documentation-suse-openstack-cloud-installation-8.20200527-1.26.1, documentation-suse-openstack-cloud-operations-8.20200527-1.26.1, documentation-suse-openstack-cloud-opsconsole-8.20200527-1.26.1, documentation-suse-openstack-cloud-planning-8.20200527-1.26.1, documentation-suse-openstack-cloud-security-8.20200527-1.26.1, documentation-suse-openstack-cloud-supplement-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-admin-8.20200527-1.26.1, documentation-suse-openstack-cloud-upstream-user-8.20200527-1.26.1, documentation-suse-openstack-cloud-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-GitPython-2.1.8-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, storm-1.1.3-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.26.2, venv-openstack-barbican-5.0.2~dev3-12.27.2, venv-openstack-ceilometer-9.0.8~dev7-12.24.2, venv-openstack-cinder-11.2.3~dev23-14.27.2, venv-openstack-designate-5.0.3~dev7-12.25.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.22.1, venv-openstack-glance-15.0.3~dev3-12.25.1, venv-openstack-heat-9.0.8~dev22-12.27.1, venv-openstack-horizon-12.0.5~dev3-14.30.1, venv-openstack-ironic-9.1.8~dev8-12.27.2, venv-openstack-keystone-12.0.4~dev11-11.28.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.26.2, venv-openstack-manila-5.1.1~dev5-12.31.2, venv-openstack-monasca-2.2.2~dev1-11.22.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.22.2, venv-openstack-murano-4.0.2~dev2-12.22.1, venv-openstack-neutron-11.0.9~dev65-13.30.2, venv-openstack-nova-16.1.9~dev61-11.28.2, venv-openstack-octavia-1.0.6~dev3-12.27.2, venv-openstack-sahara-7.0.5~dev4-11.26.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.18.1, venv-openstack-trove-8.0.2~dev2-11.26.1
HPE Helion Openstack 8 (src):    ansible-2.4.6.0-3.9.1, ansible1-1.9.6-7.3.1, ardana-ansible-8.0+git.1589740980.6c3bcdc-3.73.1, ardana-cluster-8.0+git.1585685203.3e71e49-3.36.1, ardana-freezer-8.0+git.1586539529.b7d295f-3.21.1, ardana-input-model-8.0+git.1589740934.0e0ad61-3.39.1, ardana-logging-8.0+git.1591194866.b7375d0-3.24.1, ardana-mq-8.0+git.1589715269.62ad6df-3.22.1, ardana-neutron-8.0+git.1590756744.ba84abc-3.42.1, ardana-octavia-8.0+git.1590100427.cf4cc8f-3.29.1, ardana-osconfig-8.0+git.1587034587.eac37b8-3.45.1, caasp-openstack-heat-templates-1.0+git.1560518045.ad7dc6d-4.18.1, documentation-hpe-helion-openstack-installation-8.20200527-1.26.1, documentation-hpe-helion-openstack-operations-8.20200527-1.26.1, documentation-hpe-helion-openstack-opsconsole-8.20200527-1.26.1, documentation-hpe-helion-openstack-planning-8.20200527-1.26.1, documentation-hpe-helion-openstack-security-8.20200527-1.26.1, documentation-hpe-helion-openstack-user-8.20200527-1.26.1, grafana-4.6.5-4.9.1, kibana-4.6.3-3.3.1, openstack-dashboard-12.0.5~dev3-3.26.1, openstack-dashboard-theme-HPE-8+git.1523473653.6599ec8-3.3.1, openstack-heat-templates-0.0.0+git.1582270132.8a20477-3.15.1, openstack-keystone-12.0.4~dev11-5.33.2, openstack-keystone-doc-12.0.4~dev11-5.33.2, openstack-monasca-agent-2.2.6~dev4-3.18.1, openstack-monasca-installer-20190923_16.32-3.12.1, openstack-neutron-11.0.9~dev65-3.33.2, openstack-neutron-doc-11.0.9~dev65-3.33.2, openstack-octavia-amphora-image-0.1.4-3.12.2, python-Django-1.11.23-3.15.1, python-Flask-0.12.1-3.3.1, python-GitPython-2.1.8-3.3.1, python-Pillow-4.2.1-3.5.1, python-amqp-2.4.2-3.12.1, python-apicapi-1.6.0-3.6.1, python-keystoneauth1-3.1.2~dev2-3.3.1, python-oslo.messaging-5.30.8-3.11.1, python-psutil-5.2.2-3.3.1, python-pyroute2-0.4.21-3.3.1, python-pysaml2-4.0.2-5.6.1, python-tooz-1.58.1-3.3.1, python-waitress-1.4.3-3.3.1, storm-1.1.3-3.3.1, venv-openstack-aodh-5.1.1~dev7-12.26.2, venv-openstack-barbican-5.0.2~dev3-12.27.2, venv-openstack-ceilometer-9.0.8~dev7-12.24.2, venv-openstack-cinder-11.2.3~dev23-14.27.2, venv-openstack-designate-5.0.3~dev7-12.25.2, venv-openstack-freezer-5.0.0.0~xrc2~dev2-10.22.1, venv-openstack-glance-15.0.3~dev3-12.25.1, venv-openstack-heat-9.0.8~dev22-12.27.1, venv-openstack-horizon-hpe-12.0.5~dev3-14.30.1, venv-openstack-ironic-9.1.8~dev8-12.27.2, venv-openstack-keystone-12.0.4~dev11-11.28.2, venv-openstack-magnum-5.0.2_5.0.2_5.0.2~dev31-11.26.2, venv-openstack-manila-5.1.1~dev5-12.31.2, venv-openstack-monasca-2.2.2~dev1-11.22.3, venv-openstack-monasca-ceilometer-1.5.1_1.5.1_1.5.1~dev3-8.22.2, venv-openstack-murano-4.0.2~dev2-12.22.1, venv-openstack-neutron-11.0.9~dev65-13.30.2, venv-openstack-nova-16.1.9~dev61-11.28.2, venv-openstack-octavia-1.0.6~dev3-12.27.2, venv-openstack-sahara-7.0.5~dev4-11.26.2, venv-openstack-swift-2.15.2_2.15.2_2.15.2~dev32-11.18.1, venv-openstack-trove-8.0.2~dev2-11.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-07-15 13:20:23 UTC
SUSE-SU-2020:1919-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1172175,1172176
CVE References: CVE-2020-11076,CVE-2020-11077
Sources used:
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-puma-4.3.5-3.3.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-puma-4.3.5-3.3.1
SUSE Linux Enterprise High Availability 15 (src):    rubygem-puma-4.3.5-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2020-07-18 16:15:21 UTC
openSUSE-SU-2020:0990-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1172175,1172176
CVE References: CVE-2020-11076,CVE-2020-11077
Sources used:
openSUSE Leap 15.1 (src):    rubygem-puma-4.3.5-lp151.3.3.1
Comment 16 Swamp Workflow Management 2020-07-18 22:15:31 UTC
openSUSE-SU-2020:1001-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1172175,1172176
CVE References: CVE-2020-11076,CVE-2020-11077
Sources used:
openSUSE Leap 15.2 (src):    rubygem-puma-4.3.5-lp152.4.3.1
Comment 17 Swamp Workflow Management 2020-07-28 19:12:43 UTC
SUSE-SU-2020:2060-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1158675,1165402,1172175,1172176
CVE References: CVE-2019-16770,CVE-2020-11076,CVE-2020-11077,CVE-2020-5247
JIRA References: 
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    rubygem-puma-2.16.0-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2020-07-29 19:16:40 UTC
SUSE-RU-2020:2072-1: An update that solves 31 vulnerabilities and has 8 fixes is now available.

Category: recommended (low)
Bug References: 1037777,1068612,1069468,1070737,1077718,1083903,1111657,1126503,1133817,1135773,1138748,1148383,1149110,1149535,1153191,1156525,1159447,1160152,1160153,1160192,1160790,1160851,1161088,1161089,1161349,1161670,1164316,1165402,1167244,1170657,1171560,1171909,1172166,1172167,1172175,1172176,1172409,948198,981848
CVE References: CVE-2017-1000246,CVE-2017-4965,CVE-2017-4967,CVE-2018-1000115,CVE-2019-0201,CVE-2019-11596,CVE-2019-15026,CVE-2019-15043,CVE-2019-16785,CVE-2019-16786,CVE-2019-16789,CVE-2019-16792,CVE-2019-16865,CVE-2019-18874,CVE-2019-19844,CVE-2019-19911,CVE-2019-3498,CVE-2019-3828,CVE-2020-10663,CVE-2020-10743,CVE-2020-11076,CVE-2020-11077,CVE-2020-12052,CVE-2020-13254,CVE-2020-13379,CVE-2020-13596,CVE-2020-5247,CVE-2020-5312,CVE-2020-5313,CVE-2020-5390,CVE-2020-8151
JIRA References: ECO-1256,SOC-10357,SOC-11067,SOC-11077,SOC-11079,SOC-11082,SOC-11122,SOC-11174,SOC-11187,SOC-11224,SOC-11238,SOC-11243,SOC-11248,SOC-11251,SOC-11286,SOC-9298,SOC-9801
Sources used:
SUSE OpenStack Cloud 7 (src):    ansible-2.2.3.0-12.2, crowbar-core-4.0+git.1580209654.1d112d31f-9.66.5, crowbar-ha-4.0+git.1585316203.d6ad2c8-4.52.4, crowbar-openstack-4.0+git.1589804581.9972163f0-9.71.4, grafana-4.6.5-1.14.1, keepalived-2.0.19-1.8.1, kibana-4.6.3-5.1, memcached-1.5.17-3.6.1, monasca-installer-20180608_12.47-12.1, openstack-dashboard-theme-SUSE-2016.2-5.12.4, openstack-manila-3.0.1~dev30-4.12.2, openstack-manila-doc-3.0.1~dev30-4.12.3, openstack-neutron-fwaas-9.0.2~dev5-4.9.3, openstack-neutron-fwaas-doc-9.0.2~dev5-4.9.4, openstack-nova-14.0.11~dev13-4.40.2, openstack-nova-doc-14.0.11~dev13-4.40.2, openstack-tempest-12.2.1~a0~dev177-4.9.1, python-Django-1.8.19-3.23.1, python-Pillow-2.8.1-4.12.1, python-psql2mysql-0.5.0+git.1589351878.4ef877c-1.12.1, python-psutil-1.2.1-21.1, python-py-1.8.1-11.12.1, python-pysaml2-4.0.2-3.17.1, python-waitress-1.4.3-3.3.1, rabbitmq-server-3.4.4-3.16.1, release-notes-suse-openstack-cloud-7.20180803-3.18.3, rubygem-activeresource-4.0.0-3.3.1, rubygem-crowbar-client-3.9.2-7.20.1, rubygem-json-1_7-1.7.7-3.3.1, rubygem-puma-2.16.0-4.6.1, zookeeper-3.4.10-6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Gabriele Sonnu 2022-04-14 15:42:45 UTC
Done.