Bug 1177488 (CVE-2020-13956)

Summary: VUL-0: CVE-2020-13956: apache-commons-httpclient,jakarta-commons-httpclient3: incorrect handling of malformed URI authority component
Product: [Novell Products] SUSE Security Incidents
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED WORKSFORME
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/268996/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-13956:5.4:(AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-10-08 15:26:54 UTC

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can
misinterpret a malformed authority component in request URIs passed to
the library as a java.net.URI object and pick the wrong target host for
request execution.

Versions Affected:
Apache HttpClient 4.5.12 and prior
Apache HttpClient 5.0.2 and prior

Comment 2 Wolfgang Frisch 2020-10-08 17:01:15 UTC
Upstream implemented two test cases:

>    URIUtils.extractHost(new URI("http://blah@goggle.com:80@google.com/"));
>    URIUtils.extractHost(new URI("http://localhost:;sessionid=stuff/abcd"));

We ship a very old version of apache-commons-httpclient. Its URIUtil class does not contain an equivalent to URIUtils.extractHost(). The closest function would be:

>new URI("http://blah@goggle.com:80@google.com/", false).getHost();
>new URI("http://localhost:;sessionid=stuff/abcd", false).getHost();

Both test cases raise an exception:

>org.apache.commons.httpclient.URIException: invalid port number

I conclude that we are not affected.
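As an added illustration, not code from this bug report or from HttpClient, the following Python parses the two request URIs quoted above three ways: a strict RFC 3986 authority parser that refuses both, and two hypothetical lenient parsers (constructed here; neither reproduces HttpClient's actual logic) that pick goggle.com and google.com respectively, which is the kind of target-host disagreement the advisory describes.

```python
import re
from typing import Optional, Tuple

# RFC 3986: authority = [ userinfo "@" ] host [ ":" port ]; userinfo may
# contain ':' but never '@', and port is digits only.
_SUB = r"!$&'()*+,;="
_AUTHORITY = re.compile(
    rf"^(?:(?P<userinfo>[A-Za-z0-9\-._~%{_SUB}:]*)@)?"
    rf"(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9\-._~%{_SUB}]*)"
    r"(?::(?P<port>[0-9]*))?$"
)

def _authority(uri: str) -> str:
    # Cut the authority out of a hierarchical URI, or raise.
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)", uri)
    if not m:
        raise ValueError(f"no authority component in {uri!r}")
    return m.group(1)

def strict_host(uri: str) -> Tuple[str, Optional[int]]:
    """Defensive parse: refuse any authority that is not unambiguous."""
    auth = _authority(uri)
    m = _AUTHORITY.match(auth)
    if not m or not m.group("host"):
        raise ValueError(f"malformed authority {auth!r}")
    port = m.group("port")
    return m.group("host").lower(), (int(port) if port else None)

def first_at_host(uri: str) -> Tuple[str, Optional[int]]:
    """Hypothetical lenient parser (constructed here, not HttpClient's code):
    drop text up to the FIRST '@' and ignore a port that is not numeric."""
    auth = _authority(uri)
    auth = auth[auth.find("@") + 1:]  # find() == -1 leaves auth unchanged
    host, _, port = auth.partition(":")
    return host.lower(), (int(port) if port.isdigit() else None)

def last_at_host(uri: str) -> Tuple[str, Optional[int]]:
    """Hypothetical browser-style parser: the LAST '@' ends the userinfo."""
    host, _, port = _authority(uri).rpartition("@")[2].partition(":")
    return host.lower(), (int(port) if port.isdigit() else None)

if __name__ == "__main__":
    # The two malformed URIs quoted in the comment above.
    for u in ("http://blah@goggle.com:80@google.com/",
              "http://localhost:;sessionid=stuff/abcd"):
        print(u, first_at_host(u), last_at_host(u))
        try:
            print("  strict:", strict_host(u))
        except ValueError as exc:
            print("  strict: rejected,", exc)
```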