CVE Vulnerabilities

CVE-2021-22890

Channel Accessible by Non-Endpoint

Published: Apr 01, 2021 | Modified: Nov 21, 2024
CVSS 3.x
3.7
LOW
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
4.3 MEDIUM
AV:N/AC:M/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
3.7 LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Ubuntu
MEDIUM

curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly short-cut the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

Weakness

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Affected Software

Name Vendor Start Version End Version
Libcurl Haxx 7.63.0 (including) 7.75.0 (including)
JBoss Core Services Apache HTTP Server 2.4.37 SP8 RedHat curl *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-0:1-18.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-apr-0:1.6.3-105.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-apr-util-0:1.6.1-82.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-brotli-0:1.0.6-40.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-curl-0:7.77.0-2.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-httpd-0:2.4.37-74.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-jansson-0:2.11-55.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_http2-0:1.15.7-17.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_md-1:2.0.8-36.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-mod_security-0:2.9.2-63.GA.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-nghttp2-0:1.39.2-37.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1g-6.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-chil-0:1.0.0-5.el8jbcs *
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-pkcs11-0:0.4.10-20.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-0:1-18.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apr-0:1.6.3-105.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-apr-util-0:1.6.1-82.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-curl-0:7.77.0-2.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-httpd-0:2.4.37-74.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-jansson-0:2.11-55.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_cluster-native-0:1.3.16-5.Final_redhat_2.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_http2-0:1.15.7-17.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_jk-0:1.2.48-16.redhat_1.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_md-1:2.0.8-36.jbcs.el7 *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-mod_security-0:2.9.2-63.GA.jbcs.el7 *
Curl Ubuntu devel *
Curl Ubuntu focal *
Curl Ubuntu groovy *
Curl Ubuntu trusty *

Potential Mitigations

References