Bug 2030801 (CVE-2021-44716)
| Summary: | CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abishop, admiller, agerstmayr, alitke, amctagga, amuller, amurdaca, anharris, anpicker, aos-install, asm, bbennett, bdettelb, bmontgom, bniver, bodavis, chazlett, cnv-qe-bugs, dbecker, dbenoit, dholler, dornelas, dwalsh, dwhatley, dymurray, eaguilar, ebaron, emachado, eparis, erooth, etamir, fdeutsch, fdupont, flucifre, gmeno, godas, grafana-maint, hchiramm, hvyas, ibolton, jaharrin, jakob, jarrpa, jburrell, jcajka, jeder, jjoyce, jkang, jkurik, jligon, jmatthew, jmontleo, jmulligan, jochrist, joelsmith, jokerman, jpadman, jpallich, jschluet, jwendell, jwon, krathod, lball, lemenkov, lhh, lhinds, lmadsen, lmeyer, lpeer, madam, maszulik, matzew, mbenjamin, mburns, mfojtik, mgarciac, mhackett, mnewsome, mrunge, mrussell, mwringe, nathans, nbecker, nobody, nstielau, ocs-bugs, phoracek, pjindal, ploffay, rcernich, rfreiman, rhcos-triage, rhos-maint, rhs-bugs, rhuss, rphillips, rrajasek, rtalur, sabose, sclewis, security-response-team, sfroberg, sgott, shaising, sipoyare, slinaber, slucidi, sostapov, spasquie, sponnaga, sseago, stirabos, sttts, tcullum, tjeyasin, tnielsen, tstellar, tsweeney, twalsh, vereddy, vkumar, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Go 1.17.5, Go 1.16.12 | Doc Type: | If docs needed, set a value |
| Doc Text: |
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-11 22:16:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2030803, 2013628, 2030802, 2030804, 2031244, 2031245, 2031246, 2031247, 2031248, 2031249, 2031250, 2031251, 2031252, 2031253, 2031587, 2031588, 2031589, 2031590, 2031591, 2031592, 2031593, 2031594, 2032330, 2032331, 2032332, 2032333, 2032334, 2032335, 2032336, 2032337, 2032338, 2032339, 2032340, 2032341, 2032342, 2032343, 2032344, 2032345, 2032346, 2032347, 2032348, 2032349, 2032350, 2032351, 2032352, 2032353, 2032354, 2032355, 2032356, 2032357, 2032367, 2032368, 2032369, 2032370, 2032371, 2032372, 2032373, 2032374, 2032375, 2032376, 2032377, 2032378, 2032379, 2032380, 2032381, 2032382, 2032383, 2032384, 2032385, 2032386, 2032387, 2032388, 2032389, 2032390, 2032391, 2032392, 2032393, 2032394, 2032395, 2032396, 2032397, 2032398, 2033296, 2033297, 2033298, 2033305, 2033306, 2033831, 2033832, 2033833, 2033834, 2033835, 2033836, 2034445, 2034446, 2034447, 2034448, 2034449, 2034450, 2043455, 2043456, 2043457, 2043458, 2043459, 2043460, 2043461, 2043470 | ||
| Bug Blocks: | 2030812 | ||
|
Description
Guilherme de Almeida Suckevicz
2021-12-09 18:36:56 UTC
Created golang tracking bugs for this issue: Affects: epel-all [bug 2030802] Affects: fedora-all [bug 2030804] Affects: openstack-rdo [bug 2030803] upstream commits: HTTP2: https://go-review.googlesource.com/c/net/+/369794/ 1.16: https://go-review.googlesource.com/c/go/+/370575/ 1.17: https://go-review.googlesource.com/c/go/+/370574/ This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5160 https://access.redhat.com/errata/RHSA-2021:5160 This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:5176 https://access.redhat.com/errata/RHSA-2021:5176 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0002 https://access.redhat.com/errata/RHSA-2022:0002 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:0001 https://access.redhat.com/errata/RHSA-2022:0001 This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2022:0163 https://access.redhat.com/errata/RHSA-2022:0163 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:0237 https://access.redhat.com/errata/RHSA-2022:0237 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:0260 https://access.redhat.com/errata/RHSA-2022:0260 This issue has been addressed in the following products: Service Telemetry Framework 1.4 for RHEL 8 Via RHSA-2022:0585 https://access.redhat.com/errata/RHSA-2022:0585 This issue has been addressed in the following products: Service Telemetry Framework 1.3 for RHEL 8 Via RHSA-2022:0587 https://access.redhat.com/errata/RHSA-2022:0587 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:0842 https://access.redhat.com/errata/RHSA-2022:0842 This issue has been addressed in the following products: OSE-OSC-1.2.0-RHEL-8 Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855 This issue has been addressed in the following products: RHEL-8-CNV-4.10 Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0927 https://access.redhat.com/errata/RHSA-2022:0927 This issue has been addressed in the following products: Openshift Serveless 1.21 Via RHSA-2022:1051 https://access.redhat.com/errata/RHSA-2022:1051 This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2022:1056 https://access.redhat.com/errata/RHSA-2022:1056 This issue has been addressed in the following products: RHODF-4.10-RHEL-8 Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361 This issue has been addressed in the following products: RHODF-4.10-RHEL-8 Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372 This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2022:1628 https://access.redhat.com/errata/RHSA-2022:1628 This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44716 This issue has been addressed in the following products: RHEL-8-CNV-4.11 Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526 This issue has been addressed in the following products: RHEL-8-CNV-4.12 RHEL-7-CNV-4.12 Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407 This issue has been addressed in the following products: RHEL-8-CNV-4.12 Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |