Bug 2107374 (CVE-2022-1705)

Summary: CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abishop, acui, adam.kaplan, adudiak, agarcial, agerstmayr, akashem, akostadi, akoutsou, alcohan, alexander.bulimov, amackenz, amasferr, amctagga, amurdaca, andrew.jeddeloh, anjoseph, anon.amish, anpicker, ansmith, aoconnor, aos-network-edge-staff, aos-odin-bot, aos-team-ota, aputtur, asm, athoscribeiro, aveerama, bbaude, bbennett, bcl, bcoca, bdettelb, bgilbert, bkundu, bmontgom, bniver, bodavis, bperkins, brking, bthurber, carl, carmelo.sarta.main, cbartlet, cdaley, chazlett, chousekn, cmarinea, cmeyers, container-sig, crizzo, dagray, davide, davidn, dbenoit, debarshir, denis, deparker, dfreiber, dhanak, dmayorov, doconnor, dornelas, dperaza, drow, dsimansk, dustymabe, dwalsh, dwd, dwest, dwhatley, dymurray, eduardo.ramalho, eglynn, emachado, eparis, ericedens, esm, extras-orphan, fdeutsch, filbranden, fjansen, flucifre, fpokorny, gblomqui, gchamoul, gmeno, gparvin, grafana-maint, haoli, hhorak, hkataria, ibolton, i, ijolliff, inoton, jacding, jaharrin, jajackso, jbrooks, jburrell, jcajka, jcammara, jcantril, jchaloup, jchui, jeder, jerzhang, jhadvig, jhardy, jhrozek, jitsingh, jjoyce, jligon, jlledo, jmatthew, jmencak, jmitchel, jmontleo, jneedle, jnovy, jobarker, joelsmith, jonathan, jorton, jpadman, jprabhak, jramanat, jschluet, jwboyer, jwendell, jwon, kegrant, kingland, koliveir, kshier, ktokunaga.mail, kverlaen, kwalker, lball, lbragsta, lchilton, lemenkov, lhh, link, lkiesow, lmadsen, lmeyer, lsm5, lsvaty, mabashia, manissin, marcandre.lureau, mark.e.fuller, matzew, maxwell, mbenjamin, mburns, mcressma, me, mfojtik, mgarciac, mgoodwin, mhackett, mheon, miabbott, michel, mkudlej, mmakovy, mnewsome, mnovotny, mrunge, mrussell, mskalicky, mwringe, nathans, njean, nobody, notting, nparekh, nstielau, ntait, n.yaghoobi.s, obudai, obulatov, ocp-storage-bot, ocs-bugs, o.lemasle, omaciel, openshift-release-oversight, opohorel, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, pakotvan, patrick, paul, paul.wouters, pbraun, pegoncal, peholase, pehunt, periklis, pgaikwad, pgrist, philipp, pjindal, pknezevi, pkubat, ploffay, pthomas, quantum.analyst, rakesh.pandit, rcernich, redhat, relrod, rhaigner, rhcos-sst, rhcos-triage, rhos-maint, rhuss, rjohnson, rojacob, rominf, rpetrell, rphillips, sanchezl, saroy, sausingh, scorneli, sdoran, sejug, sfeifer, sgott, shvarugh, simaishi, sipoyare, skontopo, skunkerk, slaznick, slucidi, smcdonal, smullick, sostapov, spandura, spasquie, sponnaga, spower, spresti, sseago, ssteinbe, stcannon, stirabos, surbania, teagle, team-winc-bot, tfister, tgunders, thason, thavo, thrcka, tjochec, tkuratom, travier, tsedovic, tstellar, tsweeney, twalsh, uhhadd, umohnani, user-cont-team+packit-fas, vereddy, vimartin, vkumar, walters, wenshen, whayutin, wtam, xiyuan, xxia, yanqiyu01, yguenane, yselkowi, ytale, zdohnal
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.18.4, golang 1.17.12 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-16 23:47:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2107375, 2109914, 2109915, 2109916, 2109917, 2110276, 2110278, 2111001, 2111496, 2111746, 2111747, 2111752, 2111753, 2111758, 2111759, 2111760, 2111765, 2111766, 2111767, 2111772, 2111773, 2111774, 2111775, 2111782, 2111783, 2111786, 2111796, 2111797, 2111798, 2111805, 2111806, 2111807, 2111808, 2111816, 2111821, 2111822, 2111823, 2111826, 2111827, 2111828, 2111829, 2111830, 2111831, 2111833, 2112009, 2112010, 2118642, 2118643, 2118644, 2118645, 2118646, 2118647, 2118648, 2118649, 2119857, 2119858, 2119859, 2119860, 2119861, 2120619, 2120620, 2123509, 2123510, 2123514, 2123748, 2123750, 2123754, 2134423, 2134424, 2168805    
Bug Blocks: 2108714    

Description Anten Skrabec 2022-07-14 20:34:07 UTC 
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
Comment 1 Anten Skrabec 2022-07-14 20:34:23 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107375]
Comment 6 Avinash Hanwate 2022-07-25 06:13:23 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110278]
Comment 27 errata-xmlrpc 2022-08-01 12:04:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 28 errata-xmlrpc 2022-08-01 16:03:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 29 errata-xmlrpc 2022-08-02 09:53:26 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 30 errata-xmlrpc 2022-08-10 11:37:28 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 31 errata-xmlrpc 2022-08-10 13:16:13 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 39 errata-xmlrpc 2022-08-18 15:10:56 UTC 
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113
Comment 43 errata-xmlrpc 2022-08-25 10:09:02 UTC 
This issue has been addressed in the following products:

  Node Healthcheck Operator 0.3 for RHEL 8

Via RHSA-2022:6187 https://access.redhat.com/errata/RHSA-2022:6187
Comment 44 errata-xmlrpc 2022-08-25 11:21:09 UTC 
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188
Comment 45 errata-xmlrpc 2022-09-01 05:41:12 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 46 errata-xmlrpc 2022-09-06 12:58:40 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 47 errata-xmlrpc 2022-09-06 13:02:53 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 48 errata-xmlrpc 2022-09-06 13:32:31 UTC 
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:6183 https://access.redhat.com/errata/RHSA-2022:6183
Comment 49 errata-xmlrpc 2022-09-06 13:43:13 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 50 errata-xmlrpc 2022-09-06 14:34:11 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 51 errata-xmlrpc 2022-09-06 17:00:34 UTC 
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:6344 https://access.redhat.com/errata/RHSA-2022:6344
Comment 52 errata-xmlrpc 2022-09-06 22:29:45 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 53 errata-xmlrpc 2022-09-13 02:10:16 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430
Comment 58 errata-xmlrpc 2022-10-25 09:29:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129
Comment 62 errata-xmlrpc 2022-11-08 09:26:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 63 errata-xmlrpc 2022-11-08 09:28:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529
Comment 64 errata-xmlrpc 2022-11-08 10:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648
Comment 65 errata-xmlrpc 2022-11-15 10:06:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 66 errata-xmlrpc 2022-11-15 10:15:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8098 https://access.redhat.com/errata/RHSA-2022:8098
Comment 67 errata-xmlrpc 2022-11-15 10:44:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250
Comment 73 errata-xmlrpc 2022-11-28 20:43:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626
Comment 76 errata-xmlrpc 2022-12-15 01:57:55 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 97 errata-xmlrpc 2023-01-17 19:36:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399
Comment 98 errata-xmlrpc 2023-01-24 12:49:17 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 99 errata-xmlrpc 2023-01-24 13:35:02 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 111 errata-xmlrpc 2023-03-06 18:39:23 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 114 errata-xmlrpc 2023-03-15 19:55:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 115 errata-xmlrpc 2023-03-30 00:43:21 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 119 errata-xmlrpc 2023-05-09 07:34:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357
Comment 120 Nick Tait 2023-05-09 18:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11.0

Via https://access.redhat.com/errata/RHSA-2022:5068
Comment 122 errata-xmlrpc 2023-05-16 08:08:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 123 errata-xmlrpc 2023-05-16 08:14:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 125 Product Security DevOps Team 2023-05-16 23:47:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1705
Comment 126 errata-xmlrpc 2023-06-15 16:00:18 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 128 errata-xmlrpc 2023-06-19 10:33:02 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3664 https://access.redhat.com/errata/RHSA-2023:3664