Bug 2162182 (CVE-2022-41721)

Summary: CVE-2022-41721 x/net/http2/h2c: request smuggling
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dfreiber, gparvin, jburrell, jwendell, jwon, lball, matzew, nboldt, njean, osbuilders, owatkins, pahickey, rcernich, rhuss, rogbas, scorneli, stcannon, teagle, twalsh, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: golang.org/x/net 0.1.1-0.20221104162952-702349b0e862
Doc Type: ---
Doc Text:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-05-18 04:44:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2162188, 2162184, 2162185, 2162186, 2162187, 2163124, 2163125, 2232267, 2232706, 2232707
Bug Blocks: 2161236

Description Anten Skrabec 2023-01-19 03:52:13 UTC
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
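
To make the mechanism in the description concrete, here is an added Go example (not code from this bug report or from golang.org/x/net) that models the h2c hand-off with the standard library only: the request body is wrapped the way http.MaxBytesHandler wraps it, and the function returns what the HTTP/2 layer would read next, with drain=false reproducing the flaw and drain=true the hardened behaviour. The names nextHTTP2Bytes and sampleConn, the constructed sample connection, and the drain-before-hand-off check are assumptions for illustration, not x/net's actual fix.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

const (
	h2Preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" // sent by a real client after the upgrade
	// Constructed sample connection: an h2c upgrade request with a 26-byte body, then the preface.
	sampleConn = "GET / HTTP/1.1\r\nHost: example.test\r\nConnection: Upgrade\r\n" +
		"Upgrade: h2c\r\nContent-Length: 26\r\n\r\n" +
		"abcdefghijklmnopqrstuvwxyz" + h2Preface
)

// nextHTTP2Bytes models the h2c hand-off: parse the upgrade request, limit the
// body as http.MaxBytesHandler does, then return the first 9 bytes the HTTP/2
// layer would read (a correct hand-off yields the start of the preface).
func nextHTTP2Bytes(conn string, limit int64, drain bool) ([]byte, error) {
	br := bufio.NewReader(strings.NewReader(conn))
	req, err := http.ReadRequest(br)
	if err != nil {
		return nil, err
	}
	req.Body = http.MaxBytesReader(nil, req.Body, limit)
	if drain {
		// Hardened: consume the whole body before switching protocols; if the
		// limit cut it short, leftover bytes would be parsed as frames. Refuse.
		if _, err := io.Copy(io.Discard, req.Body); err != nil {
			return nil, fmt.Errorf("refusing h2c hand-off: %w", err)
		}
	}
	next := make([]byte, 9) // an HTTP/2 frame header is 9 bytes
	if _, err := io.ReadFull(br, next); err != nil {
		return nil, err
	}
	return next, nil
}

func main() {
	got, _ := nextHTTP2Bytes(sampleConn, 64, false)
	fmt.Printf("unpatched, body left unread: HTTP/2 layer sees %q\n", got)
	_, err := nextHTTP2Bytes(sampleConn, 10, true)
	fmt.Println("hardened, 10-byte limit:", err)
	got, _ = nextHTTP2Bytes(sampleConn, 64, true)
	fmt.Printf("hardened, body fully read: HTTP/2 layer sees %q\n", got)
}
```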

Comment 1 Anten Skrabec 2023-01-19 03:53:13 UTC
Created caddy tracking bugs for this issue:

Affects: fedora-36 [bug 2162187]

Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2162185]

Created golang-x-net tracking bugs for this issue:

Affects: epel-8 [bug 2162188]
Affects: fedora-36 [bug 2162186]

Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2162184]

Comment 11 errata-xmlrpc 2023-05-17 22:31:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 12 Product Security DevOps Team 2023-05-18 04:44:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41721

Comment 13 errata-xmlrpc 2023-08-14 01:02:30 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 14 errata-xmlrpc 2023-10-03 18:50:01 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421

Comment 15 errata-xmlrpc 2023-10-04 13:07:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442