Bug 1197255 - (CVE-2022-24761) VUL-0: CVE-2022-24761: python-waitress: Inconsistent Interpretation of HTTP Requests leading to request smuggling
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: package coldpool
Security Team bot
Depends on:
Reported: 2022-03-17 17:14 UTC by Thomas Leroy
Modified: 2022-08-11 14:06 UTC (History)
CC: 10 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
calmeidadeoliveira: needinfo? (thomas.leroy)
gianluca.gabrielli: needinfo? (mcepl)


Description Thomas Leroy 2022-03-17 17:14:01 UTC

When using Waitress behind a proxy that does not properly validate the incoming HTTP request matches the RFC7230 standard, Waitress and the frontend proxy may disagree on where one request starts and where it ends.
This would allow requests to be smuggled via the front-end proxy to waitress and later behavior.

Affected Versions <=2.1.0.


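The description above is the whole technical content the report gives: a front-end proxy that forwards non-RFC7230 framing and a back end that accepts it can disagree on where one request ends and the next begins, and comment 17 records the chosen mitigation (let the fronting proxy guarantee RFC7230-conformant input). The following is an added, constructed example, not waitress code and not taken from the bug report or the upstream advisory; it frames one byte stream under three hypothetical length rules. `body_length_strict` is the RFC 7230 rule (digits-only `Content-Length`, duplicates must agree, no `Transfer-Encoding` alongside it), `body_length_lenient` hands the value to Python's `int()`, which also accepts `+42`, ` 42` and `4_2`, and `body_length_forwarding_proxy` models a proxy that cannot parse the value, treats the request as body-less and forwards the bytes untouched. The `+` sign is one constructed illustration of non-conformant framing; the report does not say which syntax waitress itself accepted, and the example does not claim to reproduce it.

```python
import re

# Added, constructed example: three hypothetical framing rules applied to
# the same bytes.  None of this is waitress code.
DIGITS = re.compile(rb"^[0-9]+$")   # RFC 7230: Content-Length = 1*DIGIT


class FramingError(ValueError):
    """The byte stream cannot be framed unambiguously."""


def _split_head(data):
    """Return (request_line, [(lowercased name, value)], body_offset)."""
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise FramingError("incomplete header block")
    lines = data[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            raise FramingError("malformed header line %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, end + 4


def _values(headers, name):
    return [v for n, v in headers if n == name]


def body_length_strict(headers):
    """RFC 7230 section 3.3.3 for the cases modelled here: Transfer-Encoding
    is refused outright (chunked framing is not modelled), every
    Content-Length value must agree, and the value must be digits only."""
    if _values(headers, b"transfer-encoding"):
        raise FramingError("Transfer-Encoding not handled by this example")
    cls = _values(headers, b"content-length")
    if not cls:
        return 0
    if len(set(cls)) != 1 or not DIGITS.match(cls[0]):
        raise FramingError("invalid Content-Length %r" % cls)
    return int(cls[0])


def body_length_lenient(headers):
    """Hypothetical lenient back end: int() accepts b'+42', b' 42', b'4_2',
    none of which RFC 7230 allows; the last header value wins."""
    cls = _values(headers, b"content-length")
    return int(cls[-1]) if cls else 0


def body_length_forwarding_proxy(headers):
    """Hypothetical non-validating proxy: a Content-Length it cannot parse
    is ignored for framing, but the bytes are still forwarded unchanged."""
    cls = _values(headers, b"content-length")
    if not cls or not DIGITS.match(cls[-1]):
        return 0
    return int(cls[-1])


def split_requests(stream, body_length):
    """Frame `stream` into (request_line, body) pairs under one rule."""
    out, pos = [], 0
    while pos < len(stream):
        line, headers, body_at = _split_head(stream[pos:])
        n = body_length(headers)
        body = stream[pos + body_at:pos + body_at + n]
        if len(body) < n:
            raise FramingError("truncated body")
        out.append((line, body))
        pos += body_at + n
    return out


RULES = {
    "strict": body_length_strict,
    "lenient": body_length_lenient,
    "proxy": body_length_forwarding_proxy,
}


def views(stream):
    """Request lines each rule sees in `stream`, or 'rejected' if it raises."""
    out = {}
    for name, rule in RULES.items():
        try:
            out[name] = [line for line, _ in split_requests(stream, rule)]
        except FramingError:
            out[name] = "rejected"
    return out


# Constructed attacker stream: the '+' makes the length invalid under
# RFC 7230 but acceptable to int().
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
STREAM = (b"POST /search HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: +%d\r\n\r\n" % len(SMUGGLED)) + SMUGGLED

if __name__ == "__main__":
    for name, seen in views(STREAM).items():
        print("%-8s %r" % (name, seen))
```

Run as a script, the proxy rule reports two requests (`POST /search` with an empty body, then `GET /admin`), the lenient rule reports one request whose body is the entire `GET /admin` message, and the strict rule rejects the stream. The first two are the disagreement the report describes; the third is what comment 17 relies on when it says the fronting proxy makes incoming requests RFC7230-conformant, since a strict front end never forwards the ambiguous bytes to the lenient back end. Replacing `+42` with `42` makes all three rules agree on a single request.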
Comment 1 Thomas Leroy 2022-03-17 17:17:21 UTC
Affected codestreams:
- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update
- SUSE:SLE-12-SP4:Update:Products:Cloud9:Update
- SUSE:SLE-15:Update
- openSUSE:Factory
Comment 3 OBSbugzilla Bot 2022-03-18 18:00:04 UTC
This is an autogenerated message for OBS integration:
This bug (1197255) was mentioned in
https://build.opensuse.org/request/show/962909 Factory / python-waitress
Comment 4 Christian Almeida de Oliveira 2022-03-25 14:45:23 UTC
Hi Thomas,
please let me know if the explanation in comment #2 is OK for you for the SOC impacted parts.

Thanks in advance
Comment 13 Christian Almeida de Oliveira 2022-03-30 15:58:22 UTC
based on comment #12, back to Security team.
Comment 17 Thomas Leroy 2022-04-06 08:10:22 UTC
This is a public comment for eventual customer questions: for SOC deployments, we choose the workaround instead of fixing python-waitress. The incoming packets will always be RFC7230-conformant thanks to the fronting proxy. Therefore the request smuggling is not exploitable.
Comment 21 Gianluca Gabrielli 2022-08-11 13:19:42 UTC
Matej is python-waitress under your wing or is it handled by the coldpool team?