Bug 2178488 (CVE-2022-41725)

Summary: CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abenaiss, abishop, adudiak, akostadi, alcohan, amackenz, amasferr, amctagga, anjoseph, ansmith, anthomas, aoconnor, asm, ataylor, aveerama, bbaude, bbuckingham, bcl, bcourt, bdettelb, bniver, bodavis, brking, cbartlet, chazlett, chfoley, cmah, crizzo, cwelton, davidn, dbenoit, debarshir, desktop-qa-list, dfreiber, dhanak, dkenigsb, dmayorov, doconnor, dperaza, drow, dshah, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, flucifre, ggainey, gmeno, gparvin, grafana-maint, haoli, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkoehler, jkurik, jligon, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jnovy, jobarker, jolong, jpallich, jprabhak, jross, jschluet, jscholz, jsherril, juwatts, jwendell, kegrant, kingland, koliveir, kshier, kverlaen, lball, lchilton, lhh, lmadsen, lphiri, lsm5, lsvaty, lzap, mabashia, manissin, matzew, mbenjamin, mboddu, mburns, mcressma, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mmakovy, mnewsome, mnovotny, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, ocs-bugs, omaciel, opohorel, orabin, oramraz, osapryki, osbuilders, osousa, ovanders, owatkins, pahickey, pbraun, pcreech, peholase, pehunt, periklis, pgaikwad, pgrist, pjindal, pthomas, rcernich, rchan, relrod, rgarg, rhaigner, rhcos-sst, rhos-maint, rhuss, rjohnson, rkieley, rogbas, rojacob, saroy, sausingh, scorneli, scox, sdawley, sfeifer, sfroberg, sgott, shbose, shvarugh, simaishi, sipoyare, skontopo, slucidi, smallamp, smcdonal, smullick, sostapov, spower, sseago, stcannon, stirabos, swoodman, teagle, tfister, thason, thavo, tjochec, tstellar, tsweeney, twalsh, ubhargav, umohnani, vereddy, vimartin, vkumar, whayutin, wtam, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: golang 1.20.1, golang 1.19.6 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-06 04:56:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2178493, 2178494, 2179228, 2179229, 2179230, 2179231, 2179232, 2179233, 2179234, 2179237, 2179238, 2179239, 2179240, 2179241, 2179242, 2179243, 2179244, 2179245, 2179246, 2179925, 2179926, 2179927, 2179935, 2179936, 2179937, 2179938, 2179939, 2179943, 2179944, 2179945, 2179946, 2179947, 2179948, 2179949, 2179950, 2179951, 2179952, 2179953, 2179954, 2179955, 2179956, 2179957, 2179958, 2179959, 2179960, 2179961, 2179962, 2179963, 2179964, 2179965, 2179966, 2179967, 2179968, 2179969    
Bug Blocks: 2169910    

Description Avinash Hanwate 2023-03-15 04:55:12 UTC 
A denial of service is possible from excessive resource consumption in net/http and mime/multipart. Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be reenabled with the environment variable GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

https://go.dev/issue/58006
https://go.dev/cl/468124
https://pkg.go.dev/vuln/GO-2023-1569
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
Comment 1 Avinash Hanwate 2023-03-15 05:34:18 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2178493]
Affects: fedora-all [bug 2178494]
Comment 14 errata-xmlrpc 2023-04-05 01:15:04 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1639 https://access.redhat.com/errata/RHSA-2023:1639
Comment 17 errata-xmlrpc 2023-04-18 01:01:37 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.2.0-RHEL-9

Via RHSA-2023:1817 https://access.redhat.com/errata/RHSA-2023:1817
Comment 20 errata-xmlrpc 2023-05-04 01:50:10 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107
Comment 24 errata-xmlrpc 2023-05-16 09:59:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3083 https://access.redhat.com/errata/RHSA-2023:3083
Comment 25 errata-xmlrpc 2023-05-17 22:31:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
Comment 26 errata-xmlrpc 2023-05-17 22:53:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325
Comment 27 errata-xmlrpc 2023-05-18 11:34:12 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167
Comment 28 errata-xmlrpc 2023-05-18 14:28:04 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584
Comment 30 errata-xmlrpc 2023-06-05 14:08:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445
Comment 31 errata-xmlrpc 2023-06-05 16:44:18 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450
Comment 32 errata-xmlrpc 2023-06-05 23:42:45 UTC 
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455
Comment 33 Product Security DevOps Team 2023-06-06 04:56:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41725
Comment 34 errata-xmlrpc 2023-06-22 19:52:22 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
Comment 35 errata-xmlrpc 2023-06-23 04:39:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612
Comment 36 errata-xmlrpc 2023-07-10 08:51:14 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003
Comment 38 errata-xmlrpc 2023-08-03 14:12:35 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470
Comment 39 errata-xmlrpc 2023-08-08 00:36:20 UTC 
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335
Comment 40 errata-xmlrpc 2023-08-14 01:02:35 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
Comment 42 errata-xmlrpc 2023-10-19 16:50:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935
Comment 43 errata-xmlrpc 2023-10-20 14:57:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964
Comment 44 errata-xmlrpc 2023-11-07 08:13:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346
Comment 45 errata-xmlrpc 2023-11-07 08:13:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363
Comment 46 errata-xmlrpc 2023-11-07 08:15:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402
Comment 47 errata-xmlrpc 2023-11-07 08:16:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473
Comment 48 errata-xmlrpc 2023-11-07 08:17:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474
Comment 49 errata-xmlrpc 2023-11-08 14:03:33 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817
Comment 50 errata-xmlrpc 2023-11-14 15:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938
Comment 51 errata-xmlrpc 2023-11-14 15:17:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
Comment 53 errata-xmlrpc 2023-12-06 14:36:33 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.14

Via RHSA-2023:7672 https://access.redhat.com/errata/RHSA-2023:7672
Comment 58 errata-xmlrpc 2024-05-21 14:07:14 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944