CVE-2021-21240

7.5 HIGH

📋 TL;DR

This vulnerability in httplib2 allows a malicious server to cause denial of service by sending long sequences of non-breaking space characters in WWW-Authenticate headers, causing excessive CPU consumption during parsing. It affects Python applications using httplib2 versions before 0.19.0 to make HTTP requests to untrusted servers.

💻 Affected Systems

Products:
  • httplib2
Versions: All versions before 0.19.0
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Any Python application using httplib2 to make HTTP requests is vulnerable if it connects to untrusted servers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete CPU exhaustion on client systems making requests to malicious servers, leading to service disruption and potential cascading failures in dependent applications.

🟠

Likely Case

Degraded performance or temporary unavailability of applications using vulnerable httplib2 versions when interacting with compromised or malicious servers.

🟢

If Mitigated

Minimal impact with proper network controls and updated libraries, though legacy systems remain vulnerable.

🌐 Internet-Facing: MEDIUM - Applications making outbound HTTP requests to external servers could be targeted, but requires specific malicious server configuration.
🏢 Internal Only: LOW - Internal servers are less likely to be malicious, though compromised internal systems could still exploit this.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires control over server responses, making it more suitable for targeted attacks rather than widespread exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19.0 and later

Vendor Advisory: https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m

Restart Required: No

Instructions:

1. Update httplib2 using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install "httplib2>=0.19.0"
2. Update requirements.txt or setup.py to specify httplib2>=0.19.0
3. Test application functionality after the update

🔧 Temporary Workarounds

Input validation wrapper

all

Wrap httplib2 calls with response header validation to reject suspicious WWW-Authenticate headers

# Python code to wrap httplib2 requests
from httplib2 import Http


class SafeHttp(Http):
    """Http subclass that refuses responses carrying a suspicious challenge."""

    def request(self, *args, **kwargs):
        response, content = super().request(*args, **kwargs)
        # httplib2.Response stores header names in lower case. Note that
        # httplib2 parses the challenge inside super().request() when the
        # server answers 401, so this check rejects the response after that
        # parse rather than preventing it.
        if 'www-authenticate' in response:
            auth_header = response['www-authenticate']
            if '\xa0' * 100 in auth_header:  # Arbitrary threshold
                raise ValueError('Suspicious authentication header')
        return response, content

🧯 If You Can't Patch

  • Implement network controls to restrict outbound HTTP connections to trusted servers only
  • Monitor CPU usage patterns for httplib2 processes and implement rate limiting on HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check httplib2 version: python -c "import httplib2; print(httplib2.__version__)" and verify it's below 0.19.0

Check Version:

python -c "import httplib2; print('httplib2 version:', httplib2.__version__)"

Verify Fix Applied:

Verify httplib2 version is 0.19.0 or higher and test application functionality with various HTTP requests

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage by Python processes making HTTP requests
  • Repeated authentication failures with unusual header patterns

Network Indicators:

  • HTTP responses with unusually long WWW-Authenticate headers
  • Requests to previously unknown or suspicious servers

SIEM Query:

process.name:python AND cpu.usage:>80 AND network.destination.port:80,443 AND NOT network.destination.ip IN [trusted_ips]
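The wrapper in the Temporary Workarounds section and the "unusually long WWW-Authenticate headers" network indicator both come down to one check on the challenge value. The following is an added example, not code from this advisory or from the httplib2 project: a dependency-free checker that parses a raw HTTP response head, measures the longest run of U+00A0 in each WWW-Authenticate value, and reports the ones that exceed a threshold. The function names, the thresholds (100 consecutive non-breaking spaces, 4096 characters) and the two sample responses are my own assumptions and constructions. It goes slightly beyond the page by also flagging over-long challenges that contain no non-breaking spaces at all.

```python
"""Flag WWW-Authenticate challenges of the shape described for CVE-2021-21240."""
import re
from typing import Dict, List, Union

# Assumed thresholds, not values from the advisory: a legitimate challenge
# never needs a run of non-breaking spaces, and a few KiB is ample length.
MAX_NBSP_RUN = 100
MAX_CHALLENGE_LENGTH = 4096

_NBSP_RUNS = re.compile("\xa0+")


def longest_nbsp_run(value: str) -> int:
    """Length of the longest consecutive run of U+00A0 in a header value."""
    return max((len(m.group()) for m in _NBSP_RUNS.finditer(value)), default=0)


def is_suspicious_challenge(value: str,
                            max_nbsp_run: int = MAX_NBSP_RUN,
                            max_length: int = MAX_CHALLENGE_LENGTH) -> bool:
    """True if a WWW-Authenticate value looks like the CPU-burning pattern."""
    return len(value) > max_length or longest_nbsp_run(value) >= max_nbsp_run


def parse_headers(raw: Union[str, bytes]) -> Dict[str, List[str]]:
    """Split a raw HTTP response head into {lowercased name: [values]}.

    Bytes are decoded as latin-1, as http.client does, so byte 0xA0 becomes
    U+00A0 exactly as it would inside httplib2.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1")
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        # Strip only SP and HTAB: str.strip() with no argument would also
        # remove U+00A0 and hide the very pattern we are looking for.
        headers.setdefault(name.strip(" \t").lower(), []).append(value.strip(" \t"))
    return headers


def check_response(raw: Union[str, bytes]) -> List[str]:
    """Return one finding per suspicious WWW-Authenticate header, [] if clean."""
    findings = []
    for value in parse_headers(raw).get("www-authenticate", []):
        if is_suspicious_challenge(value):
            findings.append("www-authenticate: length=%d longest_nbsp_run=%d"
                            % (len(value), longest_nbsp_run(value)))
    return findings


# Constructed sample responses, not captured traffic.
BENIGN_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="example"\r\n'
    "Content-Length: 0\r\n\r\n"
)
MALICIOUS_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    + "WWW-Authenticate: Basic" + "\xa0" * 5000 + 'realm="x"\r\n'
    + "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("malicious", MALICIOUS_RESPONSE)):
        print(label, check_response(sample) or "clean")
```

`is_suspicious_challenge` is the piece to reuse: inside an `Http` subclass it replaces the fixed `'\xa0' * 100 in auth_header` test, and `check_response` fits a proxy or IDS hook that sees raw response heads before any client library parses them.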
