Bug 1185916 – VUL-0: CVE-2021-31806: squid,squid3: SQUID-2021:4 Multiple Issues in HTTP Range header

Bug 1185916 - (CVE-2021-31806) VUL-0: CVE-2021-31806: squid,squid3: SQUID-2021:4 Multiple Issues in HTTP Range header

(CVE-2021-31806)
Summary:	VUL-0: CVE-2021-31806: squid,squid3: SQUID-2021:4 Multiple Issues in HTTP Ran...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Adam Majer
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/283972/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-31806:6.5:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-05-11 13:46 UTC by Gianluca Gabrielli
Modified:	2022-10-16 16:28 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gianluca Gabrielli 2021-05-11 13:46:49 UTC

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31806

Due to an incorrect input validation bug Squid is vulnerable to
a Denial of Service attack against all clients using the proxy.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31807

Due to an incorrect memory management bug Squid is vulnerable to
a Denial of Service attack against all clients using the proxy.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31808

Due to an integer overflow bug Squid is vulnerable to a Denial
of Service attack against all clients using the proxy.
Severity:

These problems all allow a trusted client to perform Denial of
Service when making HTTP Range requests.

The integer overflow problem allows a remote server to perform
Denial of Service when delivering responses to HTTP Range
requests. The issue trigger is a header which can be expected to
exist in HTTP traffic without any malicious intent.

CVSS Score of 8.0
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C/CR:X/IR:X/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:X/MI:X/MA:H&version=3.1
Updated Packages:
This bug is fixed by Squid versions 4.15 and 5.0.6.

In addition, patches addressing this problem for the stable
releases can be found in our patch archives:
Squid 4:

http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch
Squid 5:

http://www.squid-cache.org/Versions/v5/changesets/squid-5-6bf66733c122804fada7f5839ef5f3b57e57591c.patch

If you are using a prepackaged version of Squid then please refer
to the package vendor for availability information on updated
packages.
Determining if your version is vulnerable:

Squid older than 3.5.28 have not been tested and should be
assumed to be vulnerable.

All Squid-4.x up to and including 4.14 are vulnerable.

All Squid-5.x up to and including 5.0.5 are vulnerable.
Workaround:

There are no workarounds known for these problems.
Contact details for the Squid project:

For installation / upgrade support on binary packaged versions
of Squid: Your first point of contact should be your binary
package vendor.

If you install and build Squid from the original Squid sources
then the squid-users@lists.squid-cache.org mailing list is your
primary support point. For subscription details see
http://www.squid-cache.org/Support/mailing-lists.html.

For reporting of non-security bugs in the latest STABLE release
the squid bugzilla database should be used
http://bugs.squid-cache.org/.

For reporting of security sensitive bugs send an email to the
squid-bugs@lists.squid-cache.org mailing list. It's a closed
list (though anyone can post) and security related bug reports
are treated in confidence until the impact has been established.
Credits:

This vulnerability was discovered by Joshua Rogers of Opera
Software.

Fixed by Alex Rousskov of The Measurement Factory.
Revision history:

2021-03-19 06:49:52 UTC Initial Report of Denial of Service
2021-03-24 08:51:08 UTC Additional Report of Use-After-Free
2021-03-25 21:57:07 UTC Additional Report of integer-overflow

END

Comment 1 Gianluca Gabrielli 2021-05-11 13:53:12 UTC

Affected packages:

- SUSE:SLE-12-SP2:Update/squid   3.5.21
- SUSE:SLE-12-SP5:Update/squid   4.13
- SUSE:SLE-15:Update/squid       4.13
- openSUSE:Factory/squid         4.14

Patch 4.x [0]
Patch 5.x [1]

[0] http://www.squid-cache.org/Versions/v4/changesets/squid-4-e7cf864f938f24eea8af0692c04d16790983c823.patch
[1] http://www.squid-cache.org/Versions/v5/changesets/squid-5-6bf66733c122804fada7f5839ef5f3b57e57591c.patch

Comment 4 Swamp Workflow Management 2021-06-02 19:27:44 UTC

SUSE-SU-2021:1838-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    squid-4.15-4.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2021-06-11 16:31:57 UTC

SUSE-SU-2021:1961-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    squid-4.15-5.26.1
SUSE Manager Retail Branch Server 4.0 (src):    squid-4.15-5.26.1
SUSE Manager Proxy 4.0 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server for SAP 15 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Server 15-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise Module for Server Applications 15-SP2 (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    squid-4.15-5.26.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    squid-4.15-5.26.1
SUSE Enterprise Storage 6 (src):    squid-4.15-5.26.1
SUSE CaaS Platform 4.0 (src):    squid-4.15-5.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2021-06-16 19:59:32 UTC

openSUSE-SU-2021:0879-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    squid-4.15-lp152.2.9.1

Comment 7 Swamp Workflow Management 2021-07-11 13:22:28 UTC

openSUSE-SU-2021:1961-1: An update that solves 5 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1171164,1171569,1183436,1185916,1185918,1185919,1185921,1185923
CVE References: CVE-2020-25097,CVE-2021-28651,CVE-2021-28652,CVE-2021-28662,CVE-2021-31806
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    squid-4.15-5.26.1