[Secure-testing-team] Bug#793770: Cookie parsing bug may lead to 'HttpOnly' cookie bypass (CVE-2015-2156)
Luca Bruno
lucab at debian.org
Mon Jul 27 09:51:53 UTC 2015
Source: netty-3.9
Version: 3.9.0.Final-1
Severity: important
Tags: security upstream patch
LinkedIn Security Team discovered a "Cookie" header parsing bug in Netty
that could lead to universal bypass of the HttpOnly flag on cookies.
If the HttpOnly flag is included in the HTTP Set-Cookie response header,
the cookie cannot usually be accessed through client-side script.
This bug can be however leveraged to leak the cookie's name-value in the DOM,
where a malicious script can access the content without any restriction.
CVE-2015-2156 has been assigned for this issue, which has been fixed upstream
in release 3.9.8.Final and 3.10.3.Final.
Please mention the CVE ID in the changelog when fixing this issue.
References:
* Security update
http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html
* Issue technical details / PoC
http://engineering.linkedin.com/security/look-netty%E2%80%99s-recent-security-update-cve%C2%AD-2015%C2%AD-2156
* Fixing commit
https://github.com/slandelle/netty/commit/800555417e77029dcf8a31d7de44f27b5a8f79b8
Cheers, Luca
More information about the Secure-testing-team
mailing list