Coordinated Disclosure Timeline
- 2021-08-31: Sent report to adam.valenta@h2o.ai (@valenad1)
- 2021-10-18: Resent the report to support@h2o.ai. (They recently added a SECURITY.md.)
- 2021-10-18: Received automated response with ticket ID 100579.
- 2021-10-19: Reply from H2O Support: “We created a Bug Fix Request to our Engineering Team. We will update you once we have news from them.”
- 2021-10-22: Bug is fixed.
- 2021-10-25: Email from H2O Support: “Resolution will be part of next release 3.34.0.4, unfortunately we can not confirm release date yet.”
- 2022-01-04: Email from H2O Support: “Sorry for delay in response, There is already a 3.36 release available for download.”
Summary
H2O contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
H2O
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions whose evaluation time can grow extremely (often exponentially) with the length of a crafted input string, because the engine backtracks through every way of matching the string before giving up.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below and run it with python3 (the call does not return in a reasonable time):

import re
reg = re.compile(r'(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I)
# `Negotiate` is misspelled on purpose, to make sure the regexp doesn't match and the engine has to backtrack.
reg.match(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Negotiaet,")
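The following is an added example, not code from the advisory or from H2O's fix: it keeps the reported pattern beside a linear-time rewrite of the same extraction (a hypothetical replacement, since the advisory does not show the vendor's change), checks that the two agree on ordinary header values, and times the original pattern on small inputs of the advisory's shape so a defender can confirm that the doubling per comma is gone after a fix. It assumes a single-line header value; function names and sample values are constructed.

```python
import re
import time

# The pattern from the advisory (GHSL-2021-119), kept verbatim for comparison.
# '(?:.*,)*' is the problem: '.' also matches ',', so a run of n commas can be
# divided between the inner '.*' and the outer '*' in about 2^n ways, and every
# one of them is tried when the rest of the pattern fails to match.
VULNERABLE_RE = re.compile(r'(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I)


def negotiate_token_vulnerable(header):
    """Token after 'Negotiate' using the original regex (exponential worst case)."""
    m = VULNERABLE_RE.match(header)
    return m.group(1) if m else None


def negotiate_token_safe(header):
    """Linear-time equivalent of the regex above (hypothetical rewrite, not H2O's fix).

    The greedy '(?:.*,)*' swallows as many commas as it can, so the regex yields
    the token of the *last* comma-separated element that starts with 'Negotiate';
    scanning the split parts from the end reproduces that without backtracking.
    Assumes a single-line value: '.' in the original never crosses a newline.
    """
    for part in reversed(header.split(',')):
        stripped = part.lstrip()          # the leading whitespace class
        if stripped[:9].lower() == 'negotiate':
            return stripped[9:].lstrip()  # whitespace after the keyword; the rest is the token
    return None


def worst_case_seconds(n_commas):
    """Seconds the original regex spends on the advisory's input shape with n commas.

    The keyword is misspelled (as in the advisory) so the match fails and the
    engine must backtrack through every division of the comma run. After a fix
    the time should stop doubling with each extra comma.
    """
    probe = ',' * n_commas + 'Negotiaet,'
    start = time.perf_counter()
    VULNERABLE_RE.match(probe)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Constructed WWW-Authenticate-style values; both parsers must agree on all of them.
    for value in ('Negotiate abc', 'Basic realm=x, Negotiate YWJj, Bearer', 'negotiate'):
        print(repr(value), '->', negotiate_token_vulnerable(value), negotiate_token_safe(value))
    # Keep n small: the advisory's 45 commas would not finish in practice.
    for n in (8, 12, 16):
        print(f'{n:2d} commas: original regex took {worst_case_seconds(n):.4f}s')
```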
Impact
This issue may lead to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-119 in any communication regarding this issue.