CVE-2021-22890
First published: Tue Mar 23 2021(Updated: )
curl 7.63.0 to and including 7.75.0 includes vulnerability that allows a malicious HTTPS proxy to MITM a connection due to bad handling of TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed. Note that such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24 | <0:1-18.el8 | 0:1-18.el8 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-105.el8 | 0:1.6.3-105.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.el8 | 0:1.6.1-82.el8 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-40.el8 | 0:1.0.6-40.el8 |
| redhat/jbcs-httpd24-curl | <0:7.77.0-2.el8 | 0:7.77.0-2.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-74.el8 | 0:2.4.37-74.el8 |
| redhat/jbcs-httpd24-jansson | <0:2.11-55.el8 | 0:2.11-55.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-37.el8 | 0:1.39.2-37.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-6.el8 | 1:1.1.1g-6.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-5.el8 | 0:1.0.0-5.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-20.el8 | 0:0.4.10-20.el8 |
| redhat/jbcs-httpd24 | <0:1-18.jbcs.el7 | 0:1-18.jbcs.el7 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-105.jbcs.el7 | 0:1.6.3-105.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-82.jbcs.el7 | 0:1.6.1-82.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.77.0-2.jbcs.el7 | 0:7.77.0-2.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-74.jbcs.el7 | 0:2.4.37-74.jbcs.el7 |
| redhat/jbcs-httpd24-jansson | <0:2.11-55.jbcs.el7 | 0:2.11-55.jbcs.el7 |
| debian/curl | 7.64.0-4+deb10u2 7.64.0-4+deb10u7 7.74.0-1.3+deb11u9 7.74.0-1.3+deb11u10 7.88.1-10+deb12u3 7.88.1-10+deb12u4 8.4.0-2 | |
| redhat/curl | <7.76.0 | 7.76.0 |
| libcurl | >=7.63.0<=7.75.0 | |
| Fedora | =32 | |
| Fedora | =33 | |
| Fedora | =34 | |
| netapp hci management node | ||
| netapp solidfire | ||
| netapp hci storage node | ||
| broadcom fabric operating system | ||
| Debian | =9.0 | |
| siemens sinec infrastructure network services | <1.0.1.1 | |
| Oracle Communications Billing and Revenue Management | =12.0.0.3.0 | |
| Oracle Hyperion Essbase | =21.2 | |
| Splunk Universal Forwarder | >=8.2.0<8.2.12 | |
| Splunk Universal Forwarder | >=9.0.0<9.0.6 | |
| Splunk Universal Forwarder | =9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-22890 https://nvd.nist.gov/vuln/detail/CVE-2021-22890 https://curl.se/docs/CVE-2021-22890.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1941965
- https://access.redhat.com/errata/RHSA-2021:2472
- https://access.redhat.com/errata/RHSA-2021:2471
- https://access.redhat.com/security/cve/cve-2021-22890
- https://curl.se/docs/CVE-2021-22890.html
- https://github.com/curl/curl/commit/b09c8ee15771c614c4bf3ddac893cdb12187c844
- https://security-tracker.debian.org/tracker/CVE-2021-22890
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://hackerone.com/reports/1129529
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/
- https://security.gentoo.org/glsa/202105-36
- https://security.netapp.com/advisory/ntap-20210521-0007/
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://github.com/curl/curl/commit/549310e907e
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1945059
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2ZC5BMIOKLBQJSFCHEDN2G2C2SH274BP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVWPVGLFISU5BJC2BXBRYSDXTXE2YGC/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQUIOYX2KUU6FIUZVB5WWZ6JHSSYSQWJ/
Frequently Asked Questions
What is CVE-2021-22890?
CVE-2021-22890 is a vulnerability in libcurl that allows a malicious HTTPS proxy to perform a Man-in-the-Middle attack on a connection.
Which versions of curl are affected by CVE-2021-22890?
curl versions 7.63.0 to 7.75.0 are affected by CVE-2021-22890.
How can a malicious HTTPS proxy exploit CVE-2021-22890?
A malicious HTTPS proxy can exploit CVE-2021-22890 by confusing session tickets and performing a Man-in-the-Middle attack on TLS 1.3 connections.
What is the severity of CVE-2021-22890?
CVE-2021-22890 has a severity value of 3.7, which is considered low.
Where can I find more information about CVE-2021-22890?
You can find more information about CVE-2021-22890 on the CVE website, NIST NVD, and the official curl documentation.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/description
- agent/event
- agent/references
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-22890
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/redhat
- package-manager/debian
- vendor/haxx
- canonical/libcurl
- version/libcurl/7.63.0
- version/libcurl/7.75.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33
- version/fedora/34
- vendor/netapp
- canonical/netapp hci management node
- canonical/netapp solidfire
- canonical/netapp hci storage node
- vendor/broadcom
- canonical/broadcom fabric operating system
- vendor/debian
- canonical/debian
- version/debian/9.0
- vendor/siemens
- canonical/siemens sinec infrastructure network services
- vendor/oracle
- canonical/oracle communications billing and revenue management
- version/oracle communications billing and revenue management/12.0.0.3.0
- canonical/oracle hyperion essbase
- version/oracle hyperion essbase/21.2
- vendor/splunk
- canonical/splunk universal forwarder
- version/splunk universal forwarder/8.2.0
- version/splunk universal forwarder/9.0.0
- version/splunk universal forwarder/9.1.0