Bug 1197255 (CVE-2022-24761)

Summary: VUL-0: CVE-2022-24761: python-waitress: Inconsistent Interpretation of HTTP Requests leading to request smuggling
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Leroy <thomas.leroy>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: IN_PROGRESS ---
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: calmeidadeoliveira, cathy.hu, daniel.garcia, dmueller, doreilly, fmccarthy, gabriele.sonnu, gianluca.gabrielli, mark.harvey, mcepl, pgajdos, smash_bz, stoyan.manolov, thomas.leroy
Version: unspecified
Flags: calmeidadeoliveira: needinfo? (thomas.leroy); gianluca.gabrielli: needinfo? (mcepl)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/326545/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24761:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Leroy 2022-03-17 17:14:01 UTC
rh#2065086

When using Waitress behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends.
This would allow requests to be smuggled via the front-end proxy to waitress and later behavior.

Affected Versions <=2.1.0.

References:
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
https://bugs.gentoo.org/835492

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2065086
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24761
https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
https://github.com/Pylons/waitress/releases/tag/v2.1.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
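The validation that a fronting proxy has to enforce for the workaround in comment 17 to hold, as an added example that is not part of the bug report or of Waitress's own code: a strict RFC 7230 message-framing check (Content-Length and Transfer-Encoding are mutually exclusive, Content-Length values must agree, lengths must be exactly 1*DIGIT / 1*HEXDIG) run over a raw request before it is forwarded. The sample requests and the individual checks are my own, derived from RFC 7230 sections 3.3 and 4.1, not from the Waitress fix.

```python
import re
from typing import List, Tuple

# Strict ABNF from RFC 7230: Content-Length = 1*DIGIT, chunk-size = 1*HEXDIG. The regexes
# refuse signs, "0x" prefixes, underscores and whitespace that Python's int() would accept.
_DIGITS = re.compile(rb"^[0-9]+$")
_HEXDIGITS = re.compile(rb"^[0-9A-Fa-f]+$")


def split_request(raw: bytes) -> Tuple[List[Tuple[bytes, bytes]], bytes]:
    """Split one raw request into [(lower-cased header name, value), ...] and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def chunk_size_errors(body: bytes) -> List[str]:
    """Walk a chunked body and report the first chunk-size line that is not 1*HEXDIG."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        size_field = body[pos:eol].partition(b";")[0] if eol >= 0 else b""  # drop chunk-ext
        if not _HEXDIGITS.match(size_field):
            return [f"chunk-size is not 1*HEXDIG: {size_field!r}"]
        size = int(size_field, 16)
        if size == 0:
            return []  # last-chunk; trailers do not affect framing here
        pos = eol + 2 + size + 2  # step over chunk-data and its trailing CRLF


def framing_errors(raw: bytes) -> List[str]:
    """Return every RFC 7230 section 3.3 message-framing violation found in the request."""
    headers, body = split_request(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    errors = []
    if cl and te:
        errors.append("both Content-Length and Transfer-Encoding present (7230 3.3.3)")
    if len(set(cl)) > 1:
        errors.append("conflicting Content-Length values")
    errors += [f"Content-Length is not 1*DIGIT: {v!r}" for v in cl if not _DIGITS.match(v)]
    if te and te[-1].split(b",")[-1].strip().lower() == b"chunked":
        errors += chunk_size_errors(body)
    return errors


# Constructed sample requests (not taken from the advisory or the bug report).
GOOD = b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
CL_AND_TE = b"POST / HTTP/1.1\r\nHost: app\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
LOOSE_CHUNK = b"POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n0x5\r\nhello\r\n0\r\n\r\n"
```

A proxy that rejects any request for which framing_errors() is non-empty never hands Waitress a message whose boundaries it could interpret differently; a permissive parser built on int(x, 16) would accept LOOSE_CHUNK as a 5-byte chunk.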
Comment 1 Thomas Leroy 2022-03-17 17:17:21 UTC
Affected codestreams:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
Comment 3 OBSbugzilla Bot 2022-03-18 18:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1197255) was mentioned in
https://build.opensuse.org/request/show/962909 Factory / python-waitress
Comment 4 Christian Almeida de Oliveira 2022-03-25 14:45:23 UTC
Hi Thomas, 
please let me know if the explanation in comment #2 is OK for you for the SOC impacted parts.

Thanks in advance
Comment 13 Christian Almeida de Oliveira 2022-03-30 15:58:22 UTC
Based on comment #12, back to Security team.
Comment 17 Thomas Leroy 2022-04-06 08:10:22 UTC
This is a public comment for eventual customer questions: for SOC deployments, we choose the workaround instead of fixing python-waitress. The incoming packets will always be RFC7230 thanks to the fronting proxy. Therefore the request smuggling is not exploitable.
Comment 21 Gianluca Gabrielli 2022-08-11 13:19:42 UTC
Matej, is python-waitress under your wing, or is it handled by the coldpool team?
Comment 23 Petr Gajdos 2022-08-22 12:52:05 UTC
$ isc maintainer python-waitress --email
Defined in package: SUSE:SLE-15:GA/python-waitress 
  bugowner of python-waitress : 
   cloud-bugs@suse.de

  maintainer of python-waitress : 
   -

$