Headline
RHSA-2023:1281: Red Hat Security Advisory: Red Hat OpenStack Platform (python-werkzeug) security update
An update for python-werkzeug is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-25577: A flaw was found in python-werkzeug. Werkzeug is multipart form data parser, that will parse an unlimited number of parts, including file parts. These parts can be a small amount of bytes, but each requires CPU time to parse, and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage, allowing an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests, and if many concurrent requests are sent continuously, this can exhaust or kill all available workers.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Virtualization
- Red Hat Identity Management
- Red Hat Directory Server
- Red Hat Certificate System
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Update Infrastructure
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat CloudForms
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Online
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- OpenShift Dev Spaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Thorntail
- Red Hat build of Eclipse Vert.x
- Red Hat build of OpenJDK
- Red Hat build of Quarkus
Integration and Automation
- Red Hat Process Automation
- Red Hat Process Automation Manager
- Red Hat Decision Manager
All Products
Issued:
2023-03-15
Updated:
2023-03-15
RHSA-2023:1281 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: Red Hat OpenStack Platform (python-werkzeug) security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for python-werkzeug is now available for Red Hat OpenStack
Platform.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Description
Werkzeug started as simple collection of various
utilities for WSGI applications and has become one of the most advanced
WSGI utility modules. It includes a powerful debugger, full featured
request and response objects, HTTP utilities to handle entity tags, cache
control headers, HTTP dates, cookie handling, file uploads, a powerful URL
routing system and a bunch of community contributed addon modules. Werkzeug
is unicode aware and doesn’t enforce a specific template engine, database
adapter or anything else. It doesn’t even enforce a specific way of
handling requests and leaves all that up to the developer. It’s most useful
for end user applications which should work on as many server environments
as possible (such as blogs, wikis, bulletin boards, etc.).
Security Fix(es):
- high resource usage when parsing multipart form data with many fields
(CVE-2023-25577)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.
Affected Products
- Red Hat OpenStack for IBM Power 16.2 ppc64le
- Red Hat OpenStack for IBM Power 16.1 ppc64le
- Red Hat OpenStack 16.2 x86_64
- Red Hat OpenStack 16.1 x86_64
- Red Hat OpenStack 13 - Extended Life Cycle Support 13 x86_64
Fixes
- BZ - 2170242 - CVE-2023-25577 python-werkzeug: high resource usage when parsing multipart form data with many fields
Red Hat OpenStack for IBM Power 16.2
SRPM
python-werkzeug-0.14.1-12.el8ost.src.rpm
SHA-256: bd42665016251f2fe890699a184428a71cf8b084131f54933dc0e1f8ace54752
ppc64le
python3-werkzeug-0.14.1-12.el8ost.noarch.rpm
SHA-256: 2482ae424776cfb18c5d3533afb01dbea29e3e93af5f5fc38ff558a95d998ac9
Red Hat OpenStack for IBM Power 16.1
SRPM
python-werkzeug-0.14.1-12.el8ost.src.rpm
SHA-256: bd42665016251f2fe890699a184428a71cf8b084131f54933dc0e1f8ace54752
ppc64le
python3-werkzeug-0.14.1-12.el8ost.noarch.rpm
SHA-256: 2482ae424776cfb18c5d3533afb01dbea29e3e93af5f5fc38ff558a95d998ac9
Red Hat OpenStack 16.2
SRPM
python-werkzeug-0.14.1-12.el8ost.src.rpm
SHA-256: bd42665016251f2fe890699a184428a71cf8b084131f54933dc0e1f8ace54752
x86_64
python3-werkzeug-0.14.1-12.el8ost.noarch.rpm
SHA-256: 2482ae424776cfb18c5d3533afb01dbea29e3e93af5f5fc38ff558a95d998ac9
Red Hat OpenStack 16.1
SRPM
python-werkzeug-0.14.1-12.el8ost.src.rpm
SHA-256: bd42665016251f2fe890699a184428a71cf8b084131f54933dc0e1f8ace54752
x86_64
python3-werkzeug-0.14.1-12.el8ost.noarch.rpm
SHA-256: 2482ae424776cfb18c5d3533afb01dbea29e3e93af5f5fc38ff558a95d998ac9
Red Hat OpenStack 13 - Extended Life Cycle Support 13
SRPM
python-werkzeug-0.14.1-3.1.el7ost.src.rpm
SHA-256: 80ba81144f808b932ba6a390101c66d14fe20b0d09401eb7f1e07611f0b8b9ca
x86_64
python2-werkzeug-0.14.1-3.1.el7ost.noarch.rpm
SHA-256: 061332e4a7b36a70ba1608ac156ee2955ca3644c71e61ca6674b856422169af1
python2-werkzeug-doc-0.14.1-3.1.el7ost.noarch.rpm
SHA-256: 739ea4266e72fcfae03331c054951db89bf9caa515cdc7fc78cbe78e43325356
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2023-7473-01 - Red Hat OpenShift Container Platform release 4.14.4 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5470-1 - Several vulnerabilities were discovered in python-werkzeug, a collection of utilities for WSGI applications.
Ubuntu Security Notice 5948-2 - USN-5948-1 fixed vulnerabilities in Werkzeug. This update provides the corresponding updates for Ubuntu 23.04. It was discovered that Werkzeug did not properly handle the parsing of nameless cookies. A remote attacker could possibly use this issue to shadow other cookies.
Red Hat Security Advisory 2023-1325-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.
Red Hat Security Advisory 2023-1328-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has d...
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
Red Hat Security Advisory 2023-1327-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.0.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Red Hat Security Advisory 2023-1281-01 - An update for python-werkzeug is now available for Red Hat OpenStack Platform. Issues addressed include a remote shell upload vulnerability.
Ubuntu Security Notice 5948-1 - It was discovered that Werkzeug did not properly handle the parsing of nameless cookies. A remote attacker could possibly use this issue to shadow other cookies. It was discovered that Werkzeug could be made to process unlimited number of multipart form data parts. A remote attacker could possibly use this issue to cause Werkzeug to consume resources, leading to a denial of service.
Red Hat Security Advisory 2023-1018-01 - An update for python-werkzeug is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Issues addressed include a remote shell upload vulnerability.
An update for python-werkzeug is now available for Red Hat OpenStack Platform 17.0 (Wallaby). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-25577: A flaw was found in python-werkzeug. Werkzeug is multipart form data parser, that will parse an unlimited number of parts, including file parts. These parts can be a small amount of bytes, but each requires CPU time to parse, and may use more memory as Python data. If a request can be made to an endpoint that accesses requ...
Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
Werkzeug is a comprehensive WSGI web application library. Prior to version 2.2.3, Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses `request.data`, `request.form`, `request.files`, or `request.get_data(parse_form_data=False)`, it can cause unexpectedly high resource usage. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers. Version 2.2.3 contains a patch for this issue.