Bug 2178358 (CVE-2022-41723)
Summary: | CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | golang.org/x/net 0.7.0, golang 1.20.1, golang 1.19.6 | ||
Doc Text: |
A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.
|
Bug Depends On: | 2178396, 2178397, 2178398, 2178399, 2178400, 2178401, 2178402, 2178404, 2178405, 2178406, 2178407, 2178489, 2189223, 2178395, 2178403, 2178408, 2178409, 2178410, 2178411, 2178412, 2178413, 2178414, 2178415, 2178416, 2178417, 2178418, 2178419, 2178420, 2178421, 2178422, 2178423, 2178424, 2178425, 2178426, 2178427, 2178428, 2178429, 2178430, 2178431, 2178432, 2178433, 2178434, 2178435, 2178436, 2178437, 2178438, 2178439, 2178440, 2178441, 2178442, 2178443, 2178444, 2178445, 2178446, 2178447, 2178448, 2178449, 2178450, 2178451, 2178452, 2178453, 2178454, 2178455, 2178456, 2178457, 2178459, 2178461, 2178462, 2178463, 2178464, 2178465, 2178467, 2178469, 2178471, 2178473, 2178474, 2178475, 2178476, 2178477, 2178478, 2178479, 2178480, 2178481, 2178482, 2178483, 2178484, 2178485, 2189138, 2189139, 2189140, 2189141, 2189142, 2189143, 2189144, 2189145, 2189146, 2189147, 2189148, 2189149, 2189150, 2189151, 2189152, 2189153, 2189154, 2189155, 2189156, 2189157, 2189158, 2189159, 2189160, 2189161, 2189162, 2189163, 2189164, 2189165, 2189166, 2189167, 2189168, 2189169, 2189170, 2189171, 2189172, 2189173, 2189174, 2189175, 2189176, 2189213, 2189214, 2189215, 2189216, 2189217, 2189218, 2189219, 2189220, 2189221, 2189222, 2189224, 2189225, 2189226, 2189227, 2203674, 2203675, 2203676, 2203677, 2203678, 2203679, 2203680, 2203681, 2203682, 2203683, 2203684, 2203685, 2203686, 2203687, 2203688, 2203689, 2203690, 2203691, 2203692, 2203693, 2203694, 2203695, 2203696, 2203697, 2203698, 2203699, 2203700, 2203701, 2203702, 2203703, 2203704, 2203705, 2203706, 2203707, 2203708, 2203710, 2207481, 2230177 | ||
Bug Blocks: | 2169910 |
Description
Anten Skrabec
2023-03-14 23:37:56 UTC
Created apptainer tracking bugs for this issue: Affects: epel-all [bug 2178395]
Created cri-o:1.21/cri-o tracking bugs for this issue: Affects: epel-all [bug 2178396]
Created dnscrypt-proxy tracking bugs for this issue: Affects: epel-all [bug 2178397]
Created dnscrypt-proxy2 tracking bugs for this issue: Affects: epel-all [bug 2178398]
Created golang-github-prometheus tracking bugs for this issue: Affects: epel-all [bug 2178399]
Created golang-github-prometheus-alertmanager tracking bugs for this issue: Affects: epel-all [bug 2178400]
Created golang-github-prometheus-node-exporter tracking bugs for this issue: Affects: epel-all [bug 2178401]
Created golang-googlecode-net tracking bugs for this issue: Affects: epel-all [bug 2178402]
Created golang-x-net tracking bugs for this issue: Affects: epel-all [bug 2178403]
Created kompose tracking bugs for this issue: Affects: epel-all [bug 2178404]
Created rclone tracking bugs for this issue: Affects: epel-all [bug 2178405]
Created reg tracking bugs for this issue: Affects: epel-all [bug 2178406]
Created restic tracking bugs for this issue: Affects: epel-all [bug 2178407]
Created singularity-ce tracking bugs for this issue: Affects: epel-all [bug 2178408]
Created OliveTin tracking bugs for this issue: Affects: fedora-all [bug 2178409]
Created apptainer tracking bugs for this issue: Affects: fedora-all [bug 2178410]
Created buildah tracking bugs for this issue: Affects: fedora-all [bug 2178411]
Created caddy tracking bugs for this issue: Affects: fedora-all [bug 2178412]
Created cadvisor tracking bugs for this issue: Affects: fedora-all [bug 2178413]
Created conmon tracking bugs for this issue: Affects: fedora-all [bug 2178414]
Created containerd tracking bugs for this issue: Affects: fedora-all [bug 2178415]
Created cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178416]
Created cri-o:1.20/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178417]
Created cri-o:1.20/cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178418]
Created cri-o:1.21/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178419]
Created cri-o:1.21/cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178420]
Created cri-o:1.22/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178421]
Created cri-o:1.22/cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178422]
Created cri-o:1.23/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178423]
Created cri-o:1.23/cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178424]
Created cri-o:1.24/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178425]
Created cri-o:1.24/cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178426]
Created cri-o:1.25/cri-o tracking bugs for this issue: Affects: fedora-all [bug 2178427]
Created cri-o:1.25/cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178428]
Created cri-tools tracking bugs for this issue: Affects: fedora-all [bug 2178429]
Created dnsx tracking bugs for this issue: Affects: fedora-all [bug 2178430]
Created doctl tracking bugs for this issue: Affects: fedora-all [bug 2178431]
Created etcd tracking bugs for this issue: Affects: fedora-all [bug 2178432]
Created gh tracking bugs for this issue: Affects: fedora-all [bug 2178433]
Created gmailctl tracking bugs for this issue: Affects: fedora-all [bug 2178434]
Created golang-github-acme-lego tracking bugs for this issue: Affects: fedora-all [bug 2178435]
Created golang-github-containerd-fuse-overlayfs-snapshotter tracking bugs for this issue: Affects: fedora-all [bug 2178436]
Created golang-github-deepmap-oapi-codegen tracking bugs for this issue: Affects: fedora-all [bug 2178437]
Created golang-github-googlecloudplatform-cloudsql-proxy tracking bugs for this issue: Affects: fedora-all [bug 2178438]
Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue: Affects: fedora-all [bug 2178439]
Created golang-github-grpc-ecosystem-gateway-2 tracking bugs for this issue: Affects: fedora-all [bug 2178440]
Created golang-github-in-toto tracking bugs for this issue: Affects: fedora-all [bug 2178441]
Created golang-github-moby-buildkit tracking bugs for this issue: Affects: fedora-all [bug 2178442]
Created golang-github-moby-swarmkit-2 tracking bugs for this issue: Affects: fedora-all [bug 2178443]
Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue: Affects: fedora-all [bug 2178444]
Created golang-github-prometheus tracking bugs for this issue: Affects: fedora-all [bug 2178445]
Created golang-github-prometheus-alertmanager tracking bugs for this issue: Affects: fedora-all [bug 2178446]
Created golang-github-prometheus-node-exporter tracking bugs for this issue: Affects: fedora-all [bug 2178447]
Created golang-github-skynetservices-skydns tracking bugs for this issue: Affects: fedora-all [bug 2178448]
Created golang-github-theupdateframework-notary tracking bugs for this issue: Affects: fedora-all [bug 2178449]
Created golang-gvisor tracking bugs for this issue: Affects: fedora-all [bug 2178450]
Created golang-helm-3 tracking bugs for this issue: Affects: fedora-all [bug 2178451]
Created golang-k8s-apiextensions-apiserver tracking bugs for this issue: Affects: fedora-all [bug 2178452]
Created golang-k8s-kube-aggregator tracking bugs for this issue: Affects: fedora-all [bug 2178453]
Created golang-k8s-pod-security-admission tracking bugs for this issue: Affects: fedora-all [bug 2178454]
Created golang-k8s-sample-apiserver tracking bugs for this issue: Affects: fedora-all [bug 2178455]
Created golang-k8s-sample-cli-plugin tracking bugs for this issue: Affects: fedora-all [bug 2178456]
Created golang-k8s-sample-controller tracking bugs for this issue: Affects: fedora-all [bug 2178457]
Created golang-sigs-k8s-application tracking bugs for this issue: Affects: fedora-all [bug 2178459]
Created golang-sigs-k8s-aws-iam-authenticator tracking bugs for this issue: Affects: fedora-all [bug 2178461]
Created golang-vitess tracking bugs for this issue: Affects: fedora-all [bug 2178462]
Created golang-x-net tracking bugs for this issue: Affects: fedora-all [bug 2178463]
Created golang-x-perf tracking bugs for this issue: Affects: fedora-all [bug 2178464]
Created google-guest-agent tracking bugs for this issue: Affects: fedora-all [bug 2178465]
Created grafana tracking bugs for this issue: Affects: fedora-all [bug 2178467]
Created grafana-pcp tracking bugs for this issue: Affects: fedora-all [bug 2178469]
Created grpcurl tracking bugs for this issue: Affects: fedora-all [bug 2178471]
Created hugo tracking bugs for this issue: Affects: fedora-all [bug 2178473]
Created ignition tracking bugs for this issue: Affects: fedora-all [bug 2178474]
Created kompose tracking bugs for this issue: Affects: fedora-all [bug 2178475]
Created origin tracking bugs for this issue: Affects: fedora-all [bug 2178476]
Created osbuild-composer tracking bugs for this issue: Affects: fedora-all [bug 2178477]
Created podman tracking bugs for this issue: Affects: fedora-all [bug 2178478]
Created podman-tui tracking bugs for this issue: Affects: fedora-all [bug 2178479]
Created rclone tracking bugs for this issue: Affects: fedora-all [bug 2178480]
Created reg tracking bugs for this issue: Affects: fedora-all [bug 2178481]
Created skopeo tracking bugs for this issue: Affects: fedora-all [bug 2178482]
Created source-to-image tracking bugs for this issue: Affects: fedora-all [bug 2178483]
Created stargz-snapshotter tracking bugs for this issue: Affects: fedora-all [bug 2178484]
Created yggdrasil tracking bugs for this issue: Affects: fedora-all [bug 2178485]
Created etcd tracking bugs for this issue: Affects: openstack-rdo [bug 2178489]

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325
This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3305 https://access.redhat.com/errata/RHSA-2023:3305
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3304 https://access.redhat.com/errata/RHSA-2023:3304
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2023:3447 https://access.redhat.com/errata/RHSA-2023:3447
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450
This issue has been addressed in the following products: RHOSS-1.29-RHEL-8 Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367
This issue has been addressed in the following products: RHOL-5.7-RHEL-8 Via RHSA-2023:3495 https://access.redhat.com/errata/RHSA-2023:3495
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3537 https://access.redhat.com/errata/RHSA-2023:3537
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:3614 https://access.redhat.com/errata/RHSA-2023:3614
This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918
This issue has been addressed in the following products: RHACS-4.1-RHEL-8 Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 8, Service Interconnect 1 for RHEL 9 Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.2 for RHEL 8 Via RHSA-2023:4112 https://access.redhat.com/errata/RHSA-2023:4112
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Via RHSA-2023:4113 https://access.redhat.com/errata/RHSA-2023:4113
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4090 https://access.redhat.com/errata/RHSA-2023:4090
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4091 https://access.redhat.com/errata/RHSA-2023:4091
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4225 https://access.redhat.com/errata/RHSA-2023:4225
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4226 https://access.redhat.com/errata/RHSA-2023:4226
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2023:4293 https://access.redhat.com/errata/RHSA-2023:4293
This issue has been addressed in the following products: CERT-MANAGER-1.10-RHEL-9 Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4456 https://access.redhat.com/errata/RHSA-2023:4456
This issue has been addressed in the following products: MTA-6.2-RHEL-9, MTA-6.2-RHEL-8 Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4603 https://access.redhat.com/errata/RHSA-2023:4603
This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4731 https://access.redhat.com/errata/RHSA-2023:4731
This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:5233 https://access.redhat.com/errata/RHSA-2023:5233
This issue has been addressed in the following products: OADP-1.1-RHEL-8 Via RHSA-2023:5314 https://access.redhat.com/errata/RHSA-2023:5314
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:5672 https://access.redhat.com/errata/RHSA-2023:5672
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5007 https://access.redhat.com/errata/RHSA-2023:5007
This issue has been addressed in the following products: RHEL-9-CNV-4.13 Via RHSA-2023:6235 https://access.redhat.com/errata/RHSA-2023:6235
This issue has been addressed in the following products: RHEL-8-CNV-4.12 Via RHSA-2023:6248 https://access.redhat.com/errata/RHSA-2023:6248
This issue has been addressed in the following products: RHEL-8-CNV-4.11 Via RHSA-2023:6251 https://access.redhat.com/errata/RHSA-2023:6251
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474
This issue has been addressed in the following products: RHODF-4.14-RHEL-9 Via RHSA-2023:6832 https://access.redhat.com/errata/RHSA-2023:6832
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7058 https://access.redhat.com/errata/RHSA-2023:7058
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:7823 https://access.redhat.com/errata/RHSA-2023:7823
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:0198 https://access.redhat.com/errata/RHSA-2024:0198
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:0485 https://access.redhat.com/errata/RHSA-2024:0485
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:0948 https://access.redhat.com/errata/RHSA-2024:0948