Bug 1958341 (CVE-2021-31525)
Summary: | CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abishop, admiller, ahajkova, ailan, alazar, alderr, alegrand, alitke, amctagga, amurdaca, anharris, anpicker, aos-bugs, asm, bbennett, bmontgom, bniver, bodavis, bthurber, cnv-qe-bugs, deparker, dornelas, dwalsh, dwhatley, dymurray, emachado, eparis, erooth, fdeutsch, flucifre, fweimer, gmeno, hchiramm, hvyas, ibolton, jakob, jakub, jburrell, jcajka, jcosta, jerzhang, jjoyce, jligon, jmatthew, jmontleo, jmulligan, jnovy, joelsmith, jokerman, jpadman, jschluet, jwendell, jwon, kakkoyun, kaycoth, kconner, krathod, kwiesmul, lball, lcosic, lemenkov, lgamliel, lhh, lhinds, lpeer, lsm5, madam, maszulik, matzew, mbenjamin, mburns, mfilanov, mfojtik, mhackett, miabbott, mnewsome, mpolacek, mrussell, mthoemme, nalin, nstielau, ohudlick, phoracek, pkrupa, pthomas, rcernich, renich, rhs-bugs, rhuss, rjones, rphillips, rrajasek, rtalur, rtheis, sbatsche, sclewis, sgott, shilpsha, sipoyare, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stirabos, sttts, surbania, swshanka, tcrider, team-winc, tstellar, tsweeney, twalsh, umohnani, vbatts, vereddy, virt-maint, xxia |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | golang 1.17.0, golang 1.16.4, golang 1.15.12 | Doc Type: | If docs needed, set a value |
Doc Text: | A vulnerability was detected in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go, however, servers are only vulnerable if the value of MaxHeaderBytes has been increased from the default. | | |
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2021-07-13 21:54:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1962146, 1962147, 1962148, 1962149, 1962150, 1958342, 1958343, 1959244, 1959245, 1959246, 1959247, 1959248, 1959249, 1959251, 1959252, 1959253, 1959259, 1959266, 1959347, 1959496, 1959497, 1959498, 1959499, 1959500, 1959502, 1959503, 1959504, 1959616, 1959617, 1961022, 1961023, 1961024, 1961255, 1961256, 1961257, 1961258, 1961259, 1961260, 1961261, 1961262, 1961263, 1961264, 1961266, 1961267, 1961268, 1961269, 1961270, 1961271, 1961272, 1961273, 1961274, 1961275, 1961276, 1961277, 1961278, 1961279, 1961280, 1961281, 1961282, 1961283, 1961284, 1961285, 1961286, 1961287, 1961297, 1962136, 1962137, 1962138, 1962141, 1962142, 1962151, 1962248, 1963092, 1963093, 1963094, 1963095, 1963096, 1963097, 1963098, 1970183, 1990703 | ||
Bug Blocks: | 1958344 |
Description
Guilherme de Almeida Suckevicz
2021-05-07 16:49:44 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 1958342] Affects: fedora-all [bug 1958343]

Upstream patch: https://go-review.googlesource.com/c/net/+/313069/

In the Go standard library, the affected function is only called when parsing the "Connection" header: https://github.com/golang/go/search?q=headervaluescontainstoken In golang.org/x/net, the affected function is called when parsing either the "Connection" or "Upgrade" headers: https://github.com/golang/net/search?q=headervaluescontainstoken

External References: https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc

Results for checking changes to MaxHeaderBytes in OpenShift: https://gist.github.com/sfowl/d9f02030bcf92630f6c864924838cf09 No component uses an unsafe value, so we can say with high confidence that no OpenShift server side component is vulnerable to malicious clients.

Upstream kubernetes issue: https://github.com/kubernetes/release/issues/2060

Statement: This vulnerability potentially affects any component written in Go that uses net/http from the standard library. In OpenShift Container Platform (OCP) and OpenShift distributed tracing (formerly OpenShift Jaeger), no server side component allows HTTP header values larger than 1 MB (the default), preventing this vulnerability from being exploited by malicious clients. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for all OpenShift Container Platform and OpenShift distributed tracing components.

Created etcd tracking bugs for this issue: Affects: openstack-rdo [bug 1961024]

This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2021:2704 https://access.redhat.com/errata/RHSA-2021:2704

This issue has been addressed in the following products: Openshift Serverless 1.16 Via RHSA-2021:2705 https://access.redhat.com/errata/RHSA-2021:2705

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31525

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983

This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3076 https://access.redhat.com/errata/RHSA-2021:3076

OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue. https://bugzilla.redhat.com/show_bug.cgi?id=1995785 All the fixes will now be included in 4.8.7 on 8/30.

Hi folks, where do we find the status of these fixes for OpenShift versions 4.6 and 4.7?

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248

This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487

This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:3733 https://access.redhat.com/errata/RHSA-2021:3733

This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2021:3748 https://access.redhat.com/errata/RHSA-2021:3748

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

This issue has been addressed in the following products: RHEL-7-CNV-4.9 RHEL-8-CNV-4.9 Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103

This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104

This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:5072 https://access.redhat.com/errata/RHSA-2021:5072

This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2022:0191 https://access.redhat.com/errata/RHSA-2022:0191

This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Native Client for RHEL 7 for Red Hat Storage Via RHSA-2022:0308 https://access.redhat.com/errata/RHSA-2022:0308

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577
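The two exposure conditions the bug records are a toolchain older than the fixed releases (1.15.12, 1.16.4, 1.17.0) and, on the server side, an http.Server whose MaxHeaderBytes was raised above the 1 MB default. The following Go program is an added example, written for this page and not part of the bug, the Go project, or the OpenShift check linked above; it turns both conditions into a self-audit. It assumes that minor lines older than 1.15 (which received no fix) count as unfixed, that a prerelease such as go1.17rc1 is compared as patch 0, and that the server names and limits in main are constructed sample data. http.DefaultMaxHeaderBytes is the real net/http constant (1 << 20), and a zero MaxHeaderBytes falls back to it exactly as net/http does.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"runtime"
	"sort"
	"strconv"
)

// goVersion is a parsed Go release: "go1.16.3" -> {1, 16, 3}.
type goVersion struct {
	Major, Minor, Patch int
}

// versionRE accepts runtime.Version() strings such as "go1.16.3", "go1.17rc1"
// (no patch field, treated as patch 0) and "devel go1.18-<hash>" (reported as the
// base release it was cut from; verify devel snapshots by hand).
var versionRE = regexp.MustCompile(`^(?:devel )?go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts major/minor/patch; ok is false for strings it cannot read.
func parseGoVersion(s string) (v goVersion, ok bool) {
	m := versionRE.FindStringSubmatch(s)
	if m == nil {
		return goVersion{}, false
	}
	v.Major, _ = strconv.Atoi(m[1])
	v.Minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.Patch, _ = strconv.Atoi(m[3])
	}
	return v, true
}

// fixedPatch is the first patch release of each affected minor line that carries
// the fix, taken from "Fixed In Version" on the bug: 1.15.12, 1.16.4, 1.17.0.
var fixedPatch = map[int]int{15: 12, 16: 4, 17: 0}

// toolchainFixed reports whether v is at or beyond a fixed release. Minor lines
// newer than 1.17 inherit the fix; lines older than 1.15 got no fix upstream and
// are reported as unfixed (assumption: an unsupported line is treated as vulnerable).
func toolchainFixed(v goVersion) bool {
	if v.Major != 1 {
		return v.Major > 1
	}
	if v.Minor > 17 {
		return true
	}
	need, ok := fixedPatch[v.Minor]
	if !ok {
		return false
	}
	return v.Patch >= need
}

// effectiveMaxHeaderBytes resolves the limit the way net/http does: a zero
// MaxHeaderBytes means http.DefaultMaxHeaderBytes (1 MB).
func effectiveMaxHeaderBytes(srv *http.Server) int {
	if srv.MaxHeaderBytes > 0 {
		return srv.MaxHeaderBytes
	}
	return http.DefaultMaxHeaderBytes
}

// auditServers returns, sorted, the names of servers whose header limit was raised
// above the default, which is the server-side condition the advisory describes.
func auditServers(servers map[string]*http.Server) []string {
	var raised []string
	for name, srv := range servers {
		if effectiveMaxHeaderBytes(srv) > http.DefaultMaxHeaderBytes {
			raised = append(raised, name)
		}
	}
	sort.Strings(raised)
	return raised
}

func main() {
	if v, ok := parseGoVersion(runtime.Version()); ok {
		fmt.Printf("toolchain %s fixed for CVE-2021-31525: %v\n", runtime.Version(), toolchainFixed(v))
	} else {
		fmt.Printf("toolchain %q: version not recognised, check manually\n", runtime.Version())
	}

	// Constructed sample configuration: only "ingress" raises the limit.
	servers := map[string]*http.Server{
		"api":     {Addr: ":8080"},                           // default 1 MB
		"metrics": {Addr: ":9090", MaxHeaderBytes: 64 << 10}, // lowered, still within default
		"ingress": {Addr: ":443", MaxHeaderBytes: 8 << 20},   // raised to 8 MB
	}
	fmt.Println("servers accepting headers above the default:", auditServers(servers))
}
```

Run it inside the service's own module so runtime.Version() reflects the toolchain the binary is actually built with; the server audit is only meaningful when the map is populated from the real http.Server values the program constructs, since a limit set through a reverse proxy or an embedded framework will not show up here.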