ID

VAR-202104-0334

CVE

CVE-2021-22876

TITLE

Haxx libcurl Information disclosure vulnerability

DESCRIPTION

curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Private Personal Information to an Unauthorized Actor" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request. This could lead to exposure of the credentials to the server to which requests were redirected. (CVE-2021-22876) A vulnerability was found in curl where a flaw in the option parser for sending NEW_ENV variables libcurl can pass uninitialized data from a stack-based buffer to the server. This issue leads to potentially revealing sensitive internal information to the server using a clear-text network protocol. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22898). Summary: Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 8 zip release for RHEL 7, RHEL 8 and Microsoft Windows is available. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 8 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 7 and includes bug fixes and enhancements. Security Fix(es): * curl: Use-after-free in TLS session handling when using OpenSSL TLS backend (CVE-2021-22901) * httpd: NULL pointer dereference on specially crafted HTTP/2 request (CVE-2021-31618) * libcurl: partial password leak over DNS on HTTP redirect (CVE-2020-8169) * curl: FTP PASV command response can cause curl to connect to arbitrary host (CVE-2020-8284) * curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used (CVE-2020-8285) * curl: Inferior OCSP verification (CVE-2020-8286) * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876) * curl: TLS 1.3 session ticket mix-up with HTTPS proxy host (CVE-2021-22890) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. Bugs fixed (https://bugzilla.redhat.com/): 1847916 - CVE-2020-8169 libcurl: partial password leak over DNS on HTTP redirect 1902667 - CVE-2020-8284 curl: FTP PASV command response can cause curl to connect to arbitrary host 1902687 - CVE-2020-8285 curl: Malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used 1906096 - CVE-2020-8286 curl: Inferior OCSP verification 1941964 - CVE-2021-22876 curl: Leak of authentication credentials in URL via automatic Referer 1941965 - CVE-2021-22890 curl: TLS 1.3 session ticket mix-up with HTTPS proxy host 1963146 - CVE-2021-22901 curl: Use-after-free in TLS session handling when using OpenSSL TLS backend 1968013 - CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request 5. Bugs fixed (https://bugzilla.redhat.com/): 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1775 - [release-5.2] Syslog output is serializing json incorrectly LOG-1824 - [release-5.2] Rejected by Elasticsearch and unexpected json-parsing LOG-1963 - [release-5.2] CLO panic: runtime error: slice bounds out of range [:-1] LOG-1970 - Applying cluster state is causing elasticsearch to hit an issue and become unusable 6. ========================================================================== Ubuntu Security Notice USN-4903-1 April 07, 2021 curl vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 14.04 ESM Summary: curl could be made to expose sensitive information over the network. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 ESM: curl 7.35.0-1ubuntu2.20+esm7 libcurl3 7.35.0-1ubuntu2.20+esm7 libcurl3-gnutls 7.35.0-1ubuntu2.20+esm7 libcurl3-nss 7.35.0-1ubuntu2.20+esm7 In general, a standard system update will make all the necessary changes. Red Hat OpenShift Container Storage is highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provides a multicloud data management service with an S3 compatible API. Security Fix(es): * nodejs-ssh2: Command injection by calling vulnerable method with untrusted input (CVE-2020-26301) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Previously, when the namespace store target was deleted, no alert was sent to the namespace bucket because of an issue in calculating the namespace bucket health. With this update, the issue in calculating the namespace bucket health is fixed and alerts are triggered as expected. (BZ#1993873) * Previously, the Multicloud Object Gateway (MCG) components performed slowly and there was a lot of pressure on the MCG components due to non-optimized database queries. With this update the non-optimized database queries are fixed which reduces the compute resources and time taken for queries. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1993873 - [4.8.z clone] Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore's target bucket is deleted 2006958 - CVE-2020-26301 nodejs-ssh2: Command injection by calling vulnerable method with untrusted input 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: ACS 3.67 security and enhancement update Advisory ID: RHSA-2021:4902-01 Product: RHACS Advisory URL: https://access.redhat.com/errata/RHSA-2021:4902 Issue date: 2021-12-01 CVE Names: CVE-2018-20673 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-12762 CVE-2020-13435 CVE-2020-14155 CVE-2020-16135 CVE-2020-24370 CVE-2020-27304 CVE-2021-3200 CVE-2021-3445 CVE-2021-3580 CVE-2021-3749 CVE-2021-3800 CVE-2021-3801 CVE-2021-20231 CVE-2021-20232 CVE-2021-20266 CVE-2021-22876 CVE-2021-22898 CVE-2021-22925 CVE-2021-23343 CVE-2021-23840 CVE-2021-23841 CVE-2021-27645 CVE-2021-28153 CVE-2021-29923 CVE-2021-32690 CVE-2021-33560 CVE-2021-33574 CVE-2021-35942 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-39293 ===================================================================== 1. Summary: Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: The release of RHACS 3.67 provides the following new features, bug fixes, security patches and system changes: OpenShift Dedicated support RHACS 3.67 is thoroughly tested and supported on OpenShift Dedicated on Amazon Web Services and Google Cloud Platform. 1. Use OpenShift OAuth server as an identity provider If you are using RHACS with OpenShift, you can now configure the built-in OpenShift OAuth server as an identity provider for RHACS. 2. Enhancements for CI outputs Red Hat has improved the usability of RHACS CI integrations. CI outputs now show additional detailed information about the vulnerabilities and the security policies responsible for broken builds. 3. Runtime Class policy criteria Users can now use RHACS to define the container runtime configuration that may be used to run a pod’s containers using the Runtime Class policy criteria. Security Fix(es): * civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API (CVE-2020-27304) * nodejs-axios: Regular expression denial of service in trim function (CVE-2021-3749) * nodejs-prismjs: ReDoS vulnerability (CVE-2021-3801) * golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet (CVE-2021-29923) * helm: information disclosure vulnerability (CVE-2021-32690) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) (CVE-2021-39293) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fixes The release of RHACS 3.67 includes the following bug fixes: 1. Previously, when using RHACS with the Compliance Operator integration, RHACS did not respect or populate Compliance Operator TailoredProfiles. This has been fixed. 2. Previously, the Alpine Linux package manager (APK) in Image policy looked for the presence of apk package in the image rather than the apk-tools package. This issue has been fixed. System changes The release of RHACS 3.67 includes the following system changes: 1. Scanner now identifies vulnerabilities in Ubuntu 21.10 images. 2. The Port exposure method policy criteria now include route as an exposure method. 3. The OpenShift: Kubeadmin Secret Accessed security policy now allows the OpenShift Compliance Operator to check for the existence of the Kubeadmin secret without creating a violation. 4. The OpenShift Compliance Operator integration now supports using TailoredProfiles. 5. The RHACS Jenkins plugin now provides additional security information. 6. When you enable the environment variable ROX_NETWORK_ACCESS_LOG for Central, the logs contain the Request URI and X-Forwarded-For header values. 7. The default uid:gid pair for the Scanner image is now 65534:65534. 8. RHACS adds a new default Scope Manager role that includes minimum permissions to create and modify access scopes. 9. If microdnf is part of an image or shows up in process execution, RHACS reports it as a security violation for the Red Hat Package Manager in Image or the Red Hat Package Manager Execution security policies. 10. In addition to manually uploading vulnerability definitions in offline mode, you can now upload definitions in online mode. 11. You can now format the output of the following roxctl CLI commands in table, csv, or JSON format: image scan, image check & deployment check 12. You can now use a regular expression for the deployment name while specifying policy exclusions 3. Solution: To take advantage of these new features, fixes and changes, please upgrade Red Hat Advanced Cluster Security for Kubernetes to version 3.67. 4. Bugs fixed (https://bugzilla.redhat.com/): 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1978144 - CVE-2021-32690 helm: information disclosure vulnerability 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet 1999784 - CVE-2021-3749 nodejs-axios: Regular expression denial of service in trim function 2005445 - CVE-2021-3801 nodejs-prismjs: ReDoS vulnerability 2006044 - CVE-2021-39293 golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196) 2016640 - CVE-2020-27304 civetweb: directory traversal when using the built-in example HTTP form-based file upload mechanism via the mg_handle_form_request API 5. JIRA issues fixed (https://issues.jboss.org/): RHACS-65 - Release RHACS 3.67.0 6. References: https://access.redhat.com/security/cve/CVE-2018-20673 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-12762 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-16135 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2020-27304 https://access.redhat.com/security/cve/CVE-2021-3200 https://access.redhat.com/security/cve/CVE-2021-3445 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3749 https://access.redhat.com/security/cve/CVE-2021-3800 https://access.redhat.com/security/cve/CVE-2021-3801 https://access.redhat.com/security/cve/CVE-2021-20231 https://access.redhat.com/security/cve/CVE-2021-20232 https://access.redhat.com/security/cve/CVE-2021-20266 https://access.redhat.com/security/cve/CVE-2021-22876 https://access.redhat.com/security/cve/CVE-2021-22898 https://access.redhat.com/security/cve/CVE-2021-22925 https://access.redhat.com/security/cve/CVE-2021-23343 https://access.redhat.com/security/cve/CVE-2021-23840 https://access.redhat.com/security/cve/CVE-2021-23841 https://access.redhat.com/security/cve/CVE-2021-27645 https://access.redhat.com/security/cve/CVE-2021-28153 https://access.redhat.com/security/cve/CVE-2021-29923 https://access.redhat.com/security/cve/CVE-2021-32690 https://access.redhat.com/security/cve/CVE-2021-33560 https://access.redhat.com/security/cve/CVE-2021-33574 https://access.redhat.com/security/cve/CVE-2021-35942 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-39293 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYafeGdzjgjWX9erEAQgZ8Q/9H5ov4ZfKZszdJu0WvRMetEt6DMU2RTZr Kjv4h4FnmsMDYYDocnkFvsRjcpdGxtoUShAqD6+FrTNXjPtA/v1tsQTJzhg4o50w tKa9T4aHfrYXjGvWgQXJJEGmGaYMYePUOv77x6pLfMB+FmgfOtb8kzOdNzAtqX3e lq8b2DrQuPSRiWkUgFM2hmS7OtUsqTIShqWu67HJdOY74qDN4DGp7GnG6inCrUjV x4/4X5Fb7JrAYiy57C5eZwYW61HmrG7YHk9SZTRYgRW0rfgLncVsny4lX1871Ch2 e8ttu0EJFM1EJyuCJwJd1Q+rhua6S1VSY+etLUuaYme5DtvozLXQTLUK31qAq/hK qnLYQjaSieea9j1dV6YNHjnvV0XGczyZYwzmys/CNVUxwvSHr1AJGmQ3zDeOt7Qz vguWmPzyiob3RtHjfUlUpPYeI6HVug801YK6FAoB9F2BW2uHVgbtKOwG5pl5urJt G4taizPtH8uJj5hem5nHnSE1sVGTiStb4+oj2LQonRkgLQ2h7tsX8Z8yWM/3TwUT PTBX9AIHwt8aCx7XxTeEIs0H9B1T9jYfy06o9H2547un9sBoT0Sm7fqKuJKic8N/ pJ2kXBiVJ9B4G+JjWe8rh1oC1yz5Q5/5HZ19VYBjHhYEhX4s9s2YsF1L1uMoT3NN T0pPNmsPGZY= =ux5P -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/): 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1857 - OpenShift Alerting Rules Style-Guide Compliance LOG-1904 - [release-5.2] Fix the Display of ClusterLogging type in OLM LOG-1916 - [release-5.2] Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4881-1 security@debian.org https://www.debian.org/security/ Alessandro Ghedini March 30, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : curl CVE ID : CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890 Debian Bug : 965280 965281 968831 977161 977162 977163 Multiple vulnerabilities were discovered in cURL, an URL transfer library: CVE-2020-8169 Marek Szlagor reported that libcurl could be tricked into prepending a part of the password to the host name before it resolves it, potentially leaking the partial password over the network and to the DNS server(s). CVE-2020-8177 sn reported that curl could be tricked by a malicious server into overwriting a local file when using th -J (--remote-header-name) and -i (--include) options in the same command line. CVE-2020-8231 Marc Aldorasi reported that libcurl might use the wrong connection when an application using libcurl's multi API sets the option CURLOPT_CONNECT_ONLY, which could lead to information leaks. CVE-2020-8284 Varnavas Papaioannou reported that a malicious server could use the PASV response to trick curl into connecting back to an arbitrary IP address and port, potentially making curl extract information about services that are otherwise private and not disclosed. CVE-2020-8285 xnynx reported that libcurl could run out of stack space when using tha FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION). CVE-2020-8286 It was reported that libcurl didn't verify that an OCSP response actually matches the certificate it is intended to. CVE-2021-22890 Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3, libcurl could confuse session tickets arriving from the HTTPS proxy as if they arrived from the remote server instead. This could allow an HTTPS proxy to trick libcurl into using the wrong session ticket for the host and thereby circumvent the server TLS certificate check. For the stable distribution (buster), these problems have been fixed in version 7.64.0-4+deb10u2. We recommend that you upgrade your curl packages. For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEBsId305pBx+F583DbwzL4CFiRygFAmBkQCoACgkQbwzL4CFi Ryg6Gg/+LqhhJ8+D7skevVkYzxHzdH2yT/XMeoYp0D37yHmEfH9PyjXwfplG+XEw /xwFRBK8qxD1ja+rQddYyeTvi1OMnMgMS3UsRHlfeMnLxh2+oHnvHDYG848npUEZ Rq4YFoc/n9YTAJZP/G4oiuBeXqH2Sqa5hSNT6VrYfRciCxkYnzA78b85KpI8aYyR lhfiJMNpwrqDbt/QzblpELBkGMIV402VeiqDwHfcVzm2E810xXQNLvPMbWtvDYkA TSrNsdqfuFr1tuQSZY6CGSWEyXtB/tOo8+pvUixlJMBWJMl5TXEcJkD5ckehx0yb C3n9yapfklxHiG9lD4zwwIJDqd3Y4SxdDiSlUC4OhdvpwniMygX0S3ICaPA4iac/ cWanml0Fop3OmRy+vQURTd3sADoT5HoRSUXZVU+HdTrRaEt2xs5okZkWSd3yr4Ux i+HgjUAFkkk8DLRB68Bbpx1LGxFGQT7L8yd4wsWINXlzASIP1A5dnNfE5w0VWOHG 3KDq47wNfjuiZC8GXW+HQCxz5MijnS8Y/Egl0OozNFDwEitNBZEsIjpZaZBdZIwi UFfcK7+u/y/TRY54rA4erkdcHFwpYW5EZVGdb7Z+WPWVlzw0ImXrM68LSAhHQaqW 1Hx4VwwwTsMIPnrx2kriRiiDPOW1r5Kip3yHa+QZLedSRGibQWk= =001T -----END PGP SIGNATURE-----

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

information disclosure

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ubuntu

SOURCES

LAST UPDATE DATE

2024-11-07T20:05:35.111000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE