net/http: limit canonical header cache by bytes, not entries (CVE-2022-41717) #56350

Closed
neild opened this issue Oct 20, 2022 · 12 comments · Fixed by hashicorp/consul#15737 or kubernetes-sigs/vsphere-csi-driver#2179

Comments

@neild (Contributor) commented Oct 20, 2022

This is a PRIVATE issue for CVE-2022-41717 tracked in http://b/253471637.

net/http: limit canonical header cache by bytes, not entries

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.

HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

This issue is also fixed in golang.org/x/net/http2 v0.4.0, for users manually configuring HTTP/2.

Thanks to Josselin Costanzi for reporting this issue.

@neild (Contributor, Author) commented Nov 30, 2022

@gopherbot please open backport issues

@gopherbot (Contributor) commented:
Backport issue(s) opened: #57008 (for 1.18), #57009 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@dmitshur dmitshur added this to the Go1.20 milestone Dec 6, 2022
@gopherbot (Contributor) commented:
Change https://go.dev/cl/455361 mentions this issue: [release-branch.go1.18] net/http: update bundled golang.org/x/net/http2

@gopherbot (Contributor) commented:
Change https://go.dev/cl/455363 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Dec 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

For #56350
For #57008
Fixes CVE-2022-41717

Change-Id: I31ebd2b9ae190ef6f7646187103ea1c8a713ff2e
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663833
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455361
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Dec 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

For #56350.
For #57009.
Fixes CVE-2022-41717.

Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
@damz commented Dec 6, 2022

@neild @toothrot It seems like this has not made it yet to golang.org/x/net/http2.

@gopherbot (Contributor) commented:
Change https://go.dev/cl/455635 mentions this issue: http2: limit canonical header cache by bytes, not entries

@toothrot (Contributor) commented Dec 6, 2022

@damz correct, we always release Go first for private track issues.

gopherbot pushed a commit to golang/net that referenced this issue Dec 6, 2022
The canonical header cache is a per-connection cache mapping header
keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
We limit the number of entries in the cache to prevent an attacker
from consuming unbounded amounts of memory by sending many unique
keys, but a small number of very large keys can still consume an
unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based
on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350

Change-Id: I41db4c9823ed5bf371a9881accddff1268489b16
Reviewed-on: https://go-review.googlesource.com/c/net/+/455635
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
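The issue description above and this commit message describe the same mechanism: a per-connection map from raw header keys to their canonical form, capped by entry count before the fix and by an estimated byte budget after it. The following Go program is an added illustration written for this page; it is not the golang.org/x/net/http2 code, and the constants (`maxCacheEntries`, `maxCacheBytes`, `entryOverhead`), the type names and the key-size estimate are assumptions chosen for the example. It places the two bounding strategies side by side and measures how many bytes each cache retains when fed a constructed set of oversized keys, using `net/http.CanonicalHeaderKey` for the canonicalization itself.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Assumed values for this illustration, not the constants used by x/net/http2.
const (
	maxCacheEntries = 32   // cap used by the entry-count-only cache
	maxCacheBytes   = 2048 // per-connection byte budget for the byte-limited cache
	entryOverhead   = 100  // rough per-entry map bookkeeping charged on top of key+value
)

// entryLimitedCache has the pre-fix shape: it bounds how many keys are cached
// but not how large each key is, so a few very large keys still pin memory.
type entryLimitedCache struct {
	entries map[string]string
}

func newEntryLimitedCache() *entryLimitedCache {
	return &entryLimitedCache{entries: make(map[string]string)}
}

func (c *entryLimitedCache) canonical(key string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	v := http.CanonicalHeaderKey(key)
	if len(c.entries) < maxCacheEntries {
		c.entries[key] = v
	}
	return v
}

// retainedBytes sums the key and value bytes held by the cache.
func (c *entryLimitedCache) retainedBytes() int {
	n := 0
	for k, v := range c.entries {
		n += len(k) + len(v)
	}
	return n
}

// byteLimitedCache has the post-fix shape: each entry's estimated size is
// charged against a byte budget, and entries that do not fit are not cached.
type byteLimitedCache struct {
	entries   map[string]string
	usedBytes int
}

func newByteLimitedCache() *byteLimitedCache {
	return &byteLimitedCache{entries: make(map[string]string)}
}

// entrySize estimates what an entry costs: fixed overhead plus the key and
// its canonical value, which always have the same length.
func entrySize(key string) int {
	return entryOverhead + 2*len(key)
}

// canonical always returns the canonical form (correctness is unaffected)
// but only remembers it when the entry fits the remaining budget.
func (c *byteLimitedCache) canonical(key string) string {
	if v, ok := c.entries[key]; ok {
		return v
	}
	v := http.CanonicalHeaderKey(key)
	if size := entrySize(key); c.usedBytes+size <= maxCacheBytes {
		c.entries[key] = v
		c.usedBytes += size
	}
	return v
}

func (c *byteLimitedCache) retainedBytes() int {
	n := 0
	for k, v := range c.entries {
		n += len(k) + len(v)
	}
	return n
}

// largeKeys builds a constructed sample of n distinct, oversized header keys
// (each size+5 bytes long) so the two caches can be compared on the same input.
func largeKeys(n, size int) []string {
	keys := make([]string, n)
	for i := range keys {
		keys[i] = fmt.Sprintf("k%03d-%s", i, strings.Repeat("x", size))
	}
	return keys
}

func main() {
	old, fixed := newEntryLimitedCache(), newByteLimitedCache()
	fmt.Println(fixed.canonical("foo-bar")) // Foo-Bar, cached (114 bytes charged)
	for _, k := range largeKeys(maxCacheEntries, 4096) {
		old.canonical(k)
		fixed.canonical(k)
	}
	fmt.Printf("entry-limited cache retains %d bytes\n", old.retainedBytes())
	fmt.Printf("byte-limited cache retains %d bytes (budget %d)\n", fixed.retainedBytes(), maxCacheBytes)
}
```

Both caches return the same canonical strings for every key; they differ only in what they keep. The entry-limited cache holds all 32 oversized keys, so its footprint scales with key length times the entry cap, which is the growth the advisory describes. The byte-limited cache never admits a key whose estimated size exceeds the remaining budget, so a single request with a huge key cannot grow the per-connection state, and the small `foo-bar` entry is the only thing it retains.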
@thaJeztah (Contributor) commented:

I see golang/net@1e63c2f was merged; will there be a tagged release with it?

@toothrot (Contributor) commented Dec 6, 2022

@thaJeztah Tagging will happen automatically after the post-submit build completes.

@toothrot toothrot changed the title security: fix CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries CVE-2022-41717 Dec 6, 2022
@toothrot toothrot changed the title net/http: limit canonical header cache by bytes, not entries CVE-2022-41717 net/http: limit canonical header cache by bytes, not entries (CVE-2022-41717) Dec 6, 2022
@gopherbot (Contributor) commented:
Change https://go.dev/cl/455717 mentions this issue: all: update vendored golang.org/x/net

@gopherbot (Contributor) commented:
Change https://go.dev/cl/455735 mentions this issue: [internal-branch.go1.18-vendor] http2: limit canonical header cache by bytes, not entries

@gopherbot (Contributor) commented:
Change https://go.dev/cl/455736 mentions this issue: [internal-branch.go1.19-vendor] http2: limit canonical header cache by bytes, not entries

andrew-d pushed a commit to tailscale/go that referenced this issue Dec 7, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

For golang#56350.
For golang#57009.
Fixes CVE-2022-41717.

Change-Id: I5c6ce546add81f361dcf0d5123fa4eaaf8f0a03b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1663835
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/455363
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Jenny Rakoczy <jenny@golang.org>
Reviewed-by: Michael Pratt <mpratt@google.com>
gopherbot pushed a commit to golang/net that referenced this issue Dec 9, 2022
…y bytes, not entries

The canonical header cache is a per-connection cache mapping header
keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
We limit the number of entries in the cache to prevent an attacker
from consuming unbounded amounts of memory by sending many unique
keys, but a small number of very large keys can still consume an
unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based
on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57008
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662692
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455735
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
gopherbot pushed a commit to golang/net that referenced this issue Dec 10, 2022
…y bytes, not entries

The canonical header cache is a per-connection cache mapping header
keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
We limit the number of entries in the cache to prevent an attacker
from consuming unbounded amounts of memory by sending many unique
keys, but a small number of very large keys can still consume an
unreasonable amount of memory.

Track the amount of memory consumed by the cache and limit it based
on memory rather than number of entries.

Thanks to Josselin Costanzi for reporting this issue.

For golang/go#56350
For golang/go#57009
Fixes CVE-2022-41717

Change-Id: Ief3c141001524fd3776958ecc8556c724427f063
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1619953
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1662693
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/455736
Reviewed-by: Jenny Rakoczy <jenny@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
anik120 added a commit to anik120/rukpak that referenced this issue Jan 23, 2023
The fix for golang/go#56350 has been included in
k8s/client-go v0.25.5 via the version bump of the required golang.org/x/net
dep to v0.3.1-0.20221206200815-1e63c2f08a10.

This PR bumps the version of k8s/client-go to the latest available v0.25.6
as of 01/23/23.
anik120 added a commit to anik120/rukpak that referenced this issue Jan 24, 2023
The fix for golang/go#56350 has been [included in
the v0.4.0 release](golang/net@1e63c2f).

This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
awgreene pushed a commit to operator-framework/rukpak that referenced this issue Jan 24, 2023
The fix for golang/go#56350 has been [included in
the v0.4.0 release](golang/net@1e63c2f).

This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
awgreene pushed a commit to awgreene/operator-framework-rukpak that referenced this issue Jan 24, 2023
The fix for golang/go#56350 has been [included in
the v0.4.0 release](golang/net@1e63c2f).

This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.
tmshort pushed a commit to tmshort/operator-framework-rukpak that referenced this issue Feb 28, 2023
The fix for golang/go#56350 has been [included in
the v0.4.0 release](golang/net@1e63c2f).

This PR bumps the version of golang/x/net to v0.4.0 to pick up the CVE fix.

(cherry picked from commit d946c58)
Signed-off-by: Todd Short <todd.short@me.com>
@golang golang locked and limited conversation to collaborators Dec 10, 2023