Bug 1197255 - (CVE-2022-24761) VUL-0: CVE-2022-24761: python-waitress: Inconsistent Interpretation of HTTP Requests leading to request smuggling
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: package coldpool
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/326545/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-24761:7.5:(AV:...
Depends on:
Blocks:
Reported: 2022-03-17 17:14 UTC by Thomas Leroy
Modified: 2022-08-11 14:06 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
calmeidadeoliveira: needinfo? (thomas.leroy)
gianluca.gabrielli: needinfo? (mcepl)

Description Thomas Leroy 2022-03-17 17:14:01 UTC
rh#2065086

When using Waitress behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Waitress and the front-end proxy may disagree on where one request starts and where it ends.
This would allow requests to be smuggled via the front-end proxy to Waitress and affect later behavior.

Affected Versions <=2.1.0.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2065086
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24761
https://github.com/Pylons/waitress/commit/9e0b8c801e4d505c2ffc91b891af4ba48af715e0
https://github.com/Pylons/waitress/security/advisories/GHSA-4f7p-27jc-3c36
https://github.com/Pylons/waitress/releases/tag/v2.1.1
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24761
https://bugs.gentoo.org/835492
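The description above turns on one point: proxy and backend must derive the same message-body length from the same request, or one of them will see a second request where the other sees body bytes. The following is an added example, written for this page and not taken from the waitress project, the upstream fix, or this bug report, of the strict framing checks a front-end or backend can apply so that ambiguous requests are rejected instead of interpreted. It follows RFC 7230 section 3.3.3 (Content-Length vs. Transfer-Encoding) and section 4.1 (chunk-size syntax); the function names, the sample header sets and the chunk-size lines are this example's own constructions.

```python
"""Strict HTTP/1.1 request-framing checks in the spirit of RFC 7230 sections 3.3.3 and 4.1.

Added example for illustration; not code from the waitress project or from this bug
report. Function and variable names are this example's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 7230 section 4.1: chunk-size is 1*HEXDIG, optionally followed by chunk extensions.
# Python's int(x, 16) would also accept a sign, a "0x" prefix, underscores and surrounding
# whitespace; a lenient parser and a strict peer can disagree on exactly such inputs,
# so the grammar is matched explicitly instead.
_CHUNK_SIZE_RE = re.compile(r"^([0-9A-Fa-f]+)(;.*)?$")
_CONTENT_LENGTH_RE = re.compile(r"^[0-9]+$")


def parse_chunk_size(line: str) -> Optional[int]:
    """Return the chunk size for one chunk-size line, or None if it is not well-formed."""
    m = _CHUNK_SIZE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return int(m.group(1), 16)


def check_framing(headers: List[Tuple[str, str]]) -> Tuple[bool, str]:
    """Decide whether a request's message-body framing is unambiguous.

    headers is a list of (name, value) pairs as received; duplicates are preserved.
    Returns (ok, reason). Anything rejected here should be answered with 400 and the
    connection closed, so that proxy and backend never derive different body lengths.
    """
    te = [v.strip() for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v.strip() for n, v in headers if n.lower() == "content-length"]

    if te and cl:
        # Section 3.3.3: a message carrying both is a smuggling hazard; reject, do not guess.
        return False, "both Transfer-Encoding and Content-Length present"

    if te:
        # Section 3.3.3 item 3: chunked must be the final coding, or the length is unknowable.
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            return False, "Transfer-Encoding present but chunked is not the final coding"
        if codings.count("chunked") > 1:
            return False, "chunked applied more than once"
        return True, "chunked body"

    if cl:
        # Section 3.3.3 item 4: every Content-Length value must be a plain decimal and all
        # values must agree; anything else is rejected rather than reconciled.
        values = set()
        for raw in cl:
            for v in raw.split(","):
                v = v.strip()
                if not _CONTENT_LENGTH_RE.match(v):
                    return False, f"invalid Content-Length value {v!r}"
                values.add(int(v))
        if len(values) != 1:
            return False, "conflicting Content-Length values"
        return True, f"body of {values.pop()} bytes"

    return True, "no body"


# Constructed sample header sets for demonstration (not captured traffic).
SAMPLES: Dict[str, List[Tuple[str, str]]] = {
    "plain": [("Host", "example.test"), ("Content-Length", "5")],
    "chunked": [("Host", "example.test"), ("Transfer-Encoding", "chunked")],
    "te_and_cl": [("Host", "example.test"), ("Content-Length", "5"), ("Transfer-Encoding", "chunked")],
    "dup_cl": [("Host", "example.test"), ("Content-Length", "5"), ("Content-Length", "7")],
    "gzip_last": [("Host", "example.test"), ("Transfer-Encoding", "chunked, gzip")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:10s} -> {check_framing(hdrs)}")
    # Constructed chunk-size lines: the first two are well-formed, the rest are not.
    for line in ("1a\r\n", "1A;ext=1\r\n", "+1a\r\n", " 1a\r\n", "0x1a\r\n"):
        print(f"{line!r:14} -> {parse_chunk_size(line)}")
```

The useful property of this approach is that it is the same rule on both sides: if the fronting proxy rejects everything `check_framing` rejects and the backend does the same, the two cannot disagree on request boundaries, which is exactly the condition comment 17 relies on for the SOC workaround.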
Comment 1 Thomas Leroy 2022-03-17 17:17:21 UTC
Affected codestreams:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
Comment 3 OBSbugzilla Bot 2022-03-18 18:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1197255) was mentioned in
https://build.opensuse.org/request/show/962909 Factory / python-waitress
Comment 4 Christian Almeida de Oliveira 2022-03-25 14:45:23 UTC
Hi Thomas, 
please let me know if the explanation in comment #2 is OK for you for the SOC impacted parts.

Thanks in advance
Comment 13 Christian Almeida de Oliveira 2022-03-30 15:58:22 UTC
Based on comment #12, back to Security team.
Comment 17 Thomas Leroy 2022-04-06 08:10:22 UTC
This is a public comment for eventual customer questions: for SOC deployments, we chose the workaround instead of fixing python-waitress. The incoming packets will always be RFC7230-compliant thanks to the fronting proxy. Therefore the request smuggling is not exploitable.
Comment 21 Gianluca Gabrielli 2022-08-11 13:19:42 UTC
Matej, is python-waitress under your wing, or is it handled by the coldpool team?