Coordinated Disclosure Timeline
- 2021-08-31: Sent report to adam.valenta@h2o.ai (@valenad1)
- 2021-10-18: Resent the report to support@h2o.ai. (They recently added a SECURITY.md.)
- 2021-10-18: Received automated response with ticket ID 100579.
- 2021-10-19: Reply from H2O Support: “We created a Bug Fix Request to our Engineering Team. We will update you once we have news from them.”
- 2021-10-22: Bug is fixed.
- 2021-10-25: Email from H2O Support: “Resolution will be part of next release 3.34.0.4, unfortunately we cannot confirm release date yet.”
- 2022-01-04: Email from H2O Support: “Sorry for the delay in response; there is already a 3.36 release available for download.”
Summary
H2O contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
H2O
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability in regular expressions that a backtracking engine evaluates in superlinear, often exponential, time: a short, crafted input string makes the matcher explore an enormous number of ways to split the input before it finally fails, so whoever controls that string can tie up a CPU for as long as they like.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on H2O by following this link.
Vulnerability
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy it into a separate file as shown below and run the file with `python3`:

```python
import re

# The vulnerable expression, compiled case-insensitively.
reg = re.compile(r'(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I)

# `Negotiate` is misspelled on purpose so that the match fails and the engine
# backtracks through every way of splitting the commas between iterations of
# `(?:.*,)*`; with this many commas the call does not return in practical time.
reg.match(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Negotiaet,")
```
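The reproduction above hangs the interpreter, which hides the thing a practitioner wants to see: how the cost grows with the input, and what a safe rewrite looks like. The following is an added example (this page's editor's code, not code from the advisory or from H2O). It keeps the reported expression verbatim, times it on inputs of growing length, and compares it with a hardened variant that replaces `.*` with `[^,]*` so that each iteration of the loop can consume the input in only one way; it also shows a regex-free parse of the same header. The hardened pattern illustrates the principle and is not H2O's actual fix, and the helper names (`negotiate_token`, `negotiate_token_split`, `crafted_input`, `time_match`) and the sample header values are this example's own constructions.

```python
import re
import time

# The expression reported in the advisory, compiled case-insensitively.
VULNERABLE = re.compile(r'(?:.*,)*\s*Negotiate\s*([^,]*),?', re.I)

# Illustrative hardened variant (this example's own, not H2O's fix): `[^,]*`
# cannot span a comma, so every iteration of the loop consumes exactly one
# field and its trailing comma. There is only one way to partition the input,
# so a failed match unwinds in time linear in the length of the input.
HARDENED = re.compile(r'(?:[^,]*,)*\s*Negotiate\s*([^,]*),?', re.I)


def negotiate_token(pattern, header):
    """Token following `Negotiate` in a comma-separated header value, or None.

    Both patterns are greedy, so when several fields start with `Negotiate`
    the last one wins; `negotiate_token_split` mirrors that behaviour.
    """
    m = pattern.match(header)
    return m.group(1).strip() if m else None


def negotiate_token_split(header):
    """Regex-free equivalent: split on commas and inspect each field once."""
    for field in reversed(header.split(",")):
        field = field.strip()
        if field[:9].lower() == "negotiate":
            return field[9:].strip()
    return None


def crafted_input(n):
    """Constructed attack input: n commas, then a near-miss of the keyword so
    the match must fail and the engine tries every way of splitting the commas."""
    return "," * n + "Negotiaet,"


def time_match(pattern, header):
    """Seconds spent in one match attempt against `header`."""
    start = time.perf_counter()
    pattern.match(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    benign = "Basic YWJj, Negotiate dG9rZW4=, Other x"   # constructed sample header
    for name, pat in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{name:10s} -> {negotiate_token(pat, benign)!r}")
    print(f"split      -> {negotiate_token_split(benign)!r}")

    # Python's `re` has no match timeout, so stop well short of the comma count
    # used in the advisory: each extra comma roughly doubles the vulnerable time.
    print("\ncommas  vulnerable(s)  hardened(s)")
    for n in range(10, 18):
        s = crafted_input(n)
        print(f"{n:6d}  {time_match(VULNERABLE, s):13.4f}  {time_match(HARDENED, s):11.6f}")
    print(f"\nhardened on 5000 commas: {time_match(HARDENED, crafted_input(5000)):.6f}s")
```

Running the file prints the token extracted from the sample header by all three parsers, then a table in which the vulnerable column roughly doubles with every added comma while the hardened column stays flat; that doubling is the signature of exponential backtracking. The general rule the hardened pattern applies is to make sure adjacent repetitions cannot match the same characters, so that an input which fails to match has only one way to be consumed. Java's `java.util.regex`, like Python's `re`, is a backtracking engine with no timeout, so the same pattern behaves the same way there.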
Impact
An attacker who controls the string matched against this expression can make the matching thread spin for an effectively unbounded time, leading to a denial of service.
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-119 in any communication regarding this issue.