{ "threat_severity" : "Low", "public_date" : "2021-01-09T00:00:00Z", "bugzilla" : { "description" : "python-httplib2: Regular expression denial of service via malicious header", "id" : "1926885", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1926885" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "httplib2 is a comprehensive HTTP client library for Python. In httplib2 before version 0.19.0, a malicious server which responds with long series of \"\\xa0\" characters in the \"www-authenticate\" header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server. This is fixed in version 0.19.0 which contains a new implementation of auth headers parsing using the pyparsing library.", "An uncontrolled resource consumption flaw as found in python-httplib2, due to a flawed regular expression used while parsing the WWW-Authenticate header in an HTTP response. This flaw allows a malicious or compromised server to reply with a crafted sequence of characters in the WWW-Authenticate header, leading to a denial of service of the httplib2 client accessing the server. The highest threat from this vulnerability is to system availability." ], "statement" : "This flaw has been rated as having a security impact of Low, because it requires a malicious or compromised server in order to be exploited, and it only affects the HTTP client. In Red Hat OpenStack Platform 13, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP 13 python-httplib2 package.", "affected_release" : [ { "product_name" : "Red Hat OpenStack Platform 16.1", "release_date" : "2021-05-26T00:00:00Z", "advisory" : "RHSA-2021:2116", "cpe" : "cpe:/a:redhat:openstack:16.1::el8", "package" : "python-httplib2-0:0.13.1-2.el8ost" } ], "package_state" : [ { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "python-httplib2", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "fence-agents", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "python-httplib2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "python-httplib2", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "python-httplib2", "cpe" : "cpe:/a:redhat:openstack:10" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "python-httplib2", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Fix deferred", "package_name" : "python-httplib2", "cpe" : "cpe:/a:redhat:storage:3" }, { "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers", "fix_state" : "Fix deferred", "package_name" : "python-httplib2", "cpe" : "cpe:/a:redhat:rhui:3", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-21240\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21240\nhttps://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m" ], "name" : "CVE-2021-21240", "mitigation" : { "value" : "Use strict mode to parse WWW-Authenticate headers. This can be done by setting `httplib2.USE_WWW_AUTH_STRICT_PARSING = True`. Please note, however, that strict mode might lead to bad results in case of ill-formed header values.", "lang" : "en:us" }, "csaw" : false }