Community
Participate
Working Groups
I'm not the original reporter, we have been made aware of the report [1], and it does not have a CVE. As Eclipse is a CNA, I'm requesting the CVE here. [1] Original advisory: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2018-021_vertx.txt CVSS: 5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Upstream issue: https://github.com/eclipse/vert.x/issues/2470 Upstream Patch: https://github.com/eclipse/vert.x/commit/1bb6445226c39a95e7d07ce3caaf56828e8aab72 Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1591072
/cc the project lead Julien, if you agree that a CVE is required here, I'll need a short paragraph describing the issue, the versions affected, and a CWE [1]. Jens and I can help. Jens, by way of process, I prefer that we assign a CVE at the request of the project team. Let's leave the assigned CVE for now (we can return it to the pool if we decide not to escalate). [1] https://cwe.mitre.org/
we have been contacted by the authors and the report a and this was fixed in Vert.x 3.5.2 : https://github.com/eclipse/vert.x/issues/2470 An application would be vulnerable to this attack when the attacker is able to inject a value in the application by an unknown mean, here is an example: String headerValue = getSomeHeaderValue(); // the attack can come from here response.putHeader("foo", headerValue); I think the issue needs to be mitigated here, i.e a vertx http server is not vulnerable out of the box and this is actually something that Netty does not handle (and so that Vert.x now handles) and I believe many Netty based HTTP libraries suffer from the same. The compass-security advisory does sound much more alarming than it should. I am not saying there is nothing but I am saying we should take the appropriate reaction here and not over react. If you can tell me what are the triggers to have a CVE or not, I would be glad to give you an appropriate answer.
RHT has actually filed a CVE for this issue (CVE-2018-12537 mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1591072).
Sorry for the late response, I am actually on vacation ;-) I agree that it would be best if the project/project leads make that decision. This request came from Sam Fowler (IIRC) and my understanding was that Red Hat would file a CVE in any case. However it was deemed more appropriate that this assignment would come from the Eclipse CNA instead of Red Hat. Which makes sense to me. I also was under the impression that vertx (as a project) already had made the decision to assign a CVE. However I did not double check with Julien. So I think (outside of this issue) we should discuss how we handle the situation when an "outside" CNA would assign something which is part of Eclipse. Do we prefer to assign that as part of Eclipse?
(In reply to Julien Viet from comment #3) > RHT has actually filed a CVE for this issue (CVE-2018-12537 mentioned in > https://bugzilla.redhat.com/show_bug.cgi?id=1591072). That's ours. They're referencing a CVE that we haven't filed yet. To file, I need a single paragraph description, versions affected, and a CWE.
we will provide a description early next week for this CVE.
here are the info: - affected versions: 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0.CR1, 3.3.0.CR2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0.Beta1, 3.4.0, 3.4.1, 3.4.2, 3.5.0.Beta1, 3.5.0, 3.5.1 - The HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response. - https://cwe.mitre.org/data/definitions/93.html
(In reply to Julien Viet from comment #7) > 3.0.0, 3.1.0, 3.2.0, 3.2.1, 3.3.0.CR1, 3.3.0.CR2, 3.3.0, 3.3.1, 3.3.2, > 3.3.3, 3.4.0.Beta1, 3.4.0, 3.4.1, 3.4.2, 3.5.0.Beta1, 3.5.0, 3.5.1 Can we summarize that as a range? > - The HttpServer response headers and HttpClient request headers do not > filter carriage return and line feed characters from > the header value. This allow unfiltered values to inject a new header in the > client request or server response. > > - https://cwe.mitre.org/data/definitions/93.html
I guess from 3.0.0 to 3.5.1
I've created a pull request https://github.com/CVEProject/cvelist/pull/932
Can we mark this as FIXED?
I think so.