Bug 1191681 - (CVE-2021-41136) VUL-1: CVE-2021-41136: rubygem-puma: request smuggling if HTTP header value contains the LF character
(CVE-2021-41136)
VUL-1: CVE-2021-41136: rubygem-puma: request smuggling if HTTP header value c...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Minor
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/312399/
CVSSv3.1:SUSE:CVE-2021-41136:3.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-10-15 07:47 UTC by Gabriele Sonnu
Modified: 2022-05-04 13:17 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2021-10-15 07:47:41 UTC
Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Upstream Advisory:

https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2013495
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41136
https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41136
Comment 1 Gabriele Sonnu 2021-10-15 07:48:53 UTC
Affected packages:

 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/rubygem-puma  2.16.0
 - SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/rubygem-puma  2.16.0
 - SUSE:SLE-15:Update/rubygem-puma                             4.3.5
 - openSUSE:Backports:SLE-15-SP2/rubygem-puma                  3.11.0
 - openSUSE:Factory/rubygem-puma                               5.5.0
 - openSUSE:Factory/rubygem-puma-4                             4.3.8
 - openSUSE:Factory/rubygem-puma-4.1                           4.1.1

Upstream fix:

https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
Comment 11 Swamp Workflow Management 2021-11-19 17:23:54 UTC
SUSE-SU-2021:3729-1: An update that solves four vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1180837,1185836,1186868,1189052,1191681
CVE References: CVE-2020-26298,CVE-2021-21419,CVE-2021-22141,CVE-2021-41136
JIRA References: SOC-11543
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    crowbar-openstack-6.0+git.1630614261.26948f746-3.37.2, influxdb-1.3.8-4.6.1, kibana-4.6.6-4.12.1, openstack-cinder-13.0.10~dev23-3.31.2, openstack-ec2-api-7.1.1~dev6-3.3.2, openstack-heat-gbp-12.0.1~dev4-3.6.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1, openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1, openstack-keystone-14.2.1~dev7-3.25.2, openstack-neutron-gbp-14.0.1~dev19-3.28.1, openstack-nova-18.3.1~dev91-3.40.1, python-eventlet-0.20.0-8.3.1, rubygem-puma-2.16.0-4.15.1, rubygem-redcarpet-3.2.3-4.3.1
SUSE OpenStack Cloud 9 (src):    ardana-ansible-9.0+git.1628097238.f6cbb0e-3.29.1, ardana-monasca-9.0+git.1627995376.30bdf85-3.25.1, influxdb-1.3.8-4.6.1, kibana-4.6.6-4.12.1, openstack-cinder-13.0.10~dev23-3.31.2, openstack-ec2-api-7.1.1~dev6-3.3.2, openstack-heat-gbp-12.0.1~dev4-3.6.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bff-3.12.1, openstack-horizon-plugin-gbp-ui-12.0.1~dev5-3.6.1, openstack-keystone-14.2.1~dev7-3.25.2, openstack-neutron-gbp-14.0.1~dev19-3.28.1, openstack-nova-18.3.1~dev91-3.40.1, python-eventlet-0.20.0-8.3.1, venv-openstack-barbican-7.0.1~dev24-3.25.1, venv-openstack-cinder-13.0.10~dev23-3.28.1, venv-openstack-designate-7.0.2~dev2-3.25.1, venv-openstack-glance-17.0.1~dev30-3.23.1, venv-openstack-heat-11.0.4~dev4-3.25.1, venv-openstack-horizon-14.1.1~dev11-4.29.1, venv-openstack-ironic-11.1.5~dev17-4.23.1, venv-openstack-keystone-14.2.1~dev7-3.26.1, venv-openstack-magnum-7.2.1~dev1-4.25.1, venv-openstack-manila-7.4.2~dev60-3.31.1, venv-openstack-monasca-2.7.1~dev10-3.23.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.25.1, venv-openstack-neutron-13.0.8~dev164-6.29.1, venv-openstack-nova-18.3.1~dev91-3.29.1, venv-openstack-octavia-3.2.3~dev7-4.25.1, venv-openstack-sahara-9.0.2~dev15-3.25.1, venv-openstack-swift-2.19.2~dev48-2.20.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-11-19 17:25:19 UTC
SUSE-SU-2021:3728-1: An update that fixes two vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1180837,1191681
CVE References: CVE-2020-26298,CVE-2021-41136
JIRA References: SOC-11543
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    documentation-suse-openstack-cloud-deployment-8.20210806-1.35.1, documentation-suse-openstack-cloud-supplement-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-admin-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-user-8.20210806-1.35.1, openstack-ec2-api-5.0.1~dev12-4.9.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bf-3.24.1, python-Django-1.11.29-3.28.1, python-monasca-common-2.3.1~dev4-4.9.1, rubygem-puma-2.16.0-3.15.1, rubygem-redcarpet-3.2.3-3.3.1
SUSE OpenStack Cloud 8 (src):    ardana-ansible-8.0+git.1632499354.a56668f-3.82.1, ardana-monasca-8.0+git.1627997000.6c3bc04-3.30.1, documentation-suse-openstack-cloud-installation-8.20210806-1.35.1, documentation-suse-openstack-cloud-operations-8.20210806-1.35.1, documentation-suse-openstack-cloud-opsconsole-8.20210806-1.35.1, documentation-suse-openstack-cloud-planning-8.20210806-1.35.1, documentation-suse-openstack-cloud-security-8.20210806-1.35.1, documentation-suse-openstack-cloud-supplement-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-admin-8.20210806-1.35.1, documentation-suse-openstack-cloud-upstream-user-8.20210806-1.35.1, documentation-suse-openstack-cloud-user-8.20210806-1.35.1, openstack-ec2-api-5.0.1~dev12-4.9.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bf-3.24.1, python-Django-1.11.29-3.28.1, python-monasca-common-2.3.1~dev4-4.9.1, venv-openstack-heat-9.0.8~dev22-12.35.1, venv-openstack-horizon-12.0.5~dev6-14.38.2, venv-openstack-monasca-2.2.2~dev1-11.30.1
HPE Helion Openstack 8 (src):    ardana-ansible-8.0+git.1632499354.a56668f-3.82.1, ardana-monasca-8.0+git.1627997000.6c3bc04-3.30.1, documentation-hpe-helion-openstack-installation-8.20210806-1.35.1, documentation-hpe-helion-openstack-operations-8.20210806-1.35.1, documentation-hpe-helion-openstack-opsconsole-8.20210806-1.35.1, documentation-hpe-helion-openstack-planning-8.20210806-1.35.1, documentation-hpe-helion-openstack-security-8.20210806-1.35.1, documentation-hpe-helion-openstack-user-8.20210806-1.35.1, openstack-ec2-api-5.0.1~dev12-4.9.1, openstack-heat-templates-0.0.0+git.1628179051.7d761bf-3.24.1, python-Django-1.11.29-3.28.1, python-monasca-common-2.3.1~dev4-4.9.1, venv-openstack-heat-9.0.8~dev22-12.35.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.38.1, venv-openstack-monasca-2.2.2~dev1-11.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Christian Almeida de Oliveira 2021-11-23 07:43:38 UTC
SOC fixes delivered in the last MU. Back to Security team.
Comment 16 Swamp Workflow Management 2022-05-04 13:17:17 UTC
SUSE-SU-2022:1515-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1188527,1191681,1196222
CVE References: CVE-2021-29509,CVE-2021-41136,CVE-2022-23634
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    rubygem-puma-4.3.11-150000.3.6.2
openSUSE Leap 15.3 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP4 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP2 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15-SP1 (src):    rubygem-puma-4.3.11-150000.3.6.2
SUSE Linux Enterprise High Availability 15 (src):    rubygem-puma-4.3.11-150000.3.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.