Bug 2184483 (CVE-2023-24534)

Summary: CVE-2023-24534 golang: net/http, net/textproto: denial of service from excessive memory allocation
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, abenaiss, abishop, adudiak, akostadi, alcohan, amackenz, amasferr, amctagga, anjoseph, ansmith, anthomas, aoconnor, asm, ataylor, bbaude, bbuckingham, bcl, bcourt, bdettelb, bniver, bodavis, brking, cbartlet, chazlett, chfoley, cmah, cmarinea, crizzo, cwelton, davidn, dbenoit, debarshir, desktop-qa-list, dfreiber, dhanak, dkenigsb, dmayorov, doconnor, dperaza, drow, dsimansk, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, emachado, epacific, fdeutsch, fjansen, flucifre, ggainey, gmeno, gparvin, grafana-maint, haoli, hkataria, ibolton, jaharrin, jajackso, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkurik, jligon, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jnovy, jobarker, jolong, jpallich, jprabhak, jross, jschluet, jscholz, jsherril, juwatts, jwendell, kegrant, kingland, koliveir, kshier, kverlaen, lball, lchilton, lhh, lmadsen, lsm5, lsvaty, lzap, mabashia, manissin, matzew, mbenjamin, mboddu, mburns, mgarciac, mhackett, mheon, mhulan, mkudlej, mmagr, mmakovy, mnovotny, mrunge, mwringe, myarboro, nathans, nbecker, nboldt, njean, nmoumoul, nobody, omaciel, opohorel, orabin, oramraz, osbuilders, osousa, owatkins, pahickey, pakotvan, pbraun, pcreech, peholase, pehunt, pgaikwad, pgrist, pjindal, pthomas, rcernich, rchan, rhaigner, rhcos-sst, rhos-maint, rhuss, rjohnson, rkieley, rogbas, rojacob, saroy, sausingh, scorneli, sdawley, sfeifer, sfroberg, sgott, shbose, shvarugh, simaishi, sipoyare, slucidi, smallamp, smcdonal, smullick, sostapov, spower, sseago, stcannon, stirabos, swoodman, teagle, tfister, thason, thavo, tjochec, tstellar, tsweeney, twalsh, umohnani, vereddy, vimartin, vkumar, whayutin, wtam, yguenane, zsadeh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: golang 1.20.3, golang 1.19.8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go (Golang), in the net/http and net/textproto packages: the function shared by HTTP and MIME header parsing can allocate far more memory than the size of its input warrants, leading to memory exhaustion. By sending a specially crafted request, a remote attacker can cause a denial of service.
Bug Depends On: 2186209, 2186210, 2186211, 2187354, 2187355, 2187356, 2187357, 2187358, 2187359, 2187360, 2187361, 2187362, 2187363, 2187364, 2187365, 2187366, 2187367, 2187368, 2187372, 2187373, 2187374, 2187375, 2187376, 2187377, 2187378, 2187381, 2187382, 2187383, 2187384, 2187385, 2187386, 2187397, 2187398, 2187399, 2187400, 2187401, 2189057, 2189058, 2189059, 2189060, 2189061, 2189062, 2189063, 2189064, 2189065, 2189066, 2189067, 2189068, 2189069, 2189070, 2189071, 2189072, 2189073, 2189074, 2189075
Bug Blocks: 2184485

Description Pedro Sampaio 2023-04-04 20:24:47 UTC
HTTP and MIME header parsing could allocate large amounts of memory, even when parsing small inputs.

References:

https://github.com/golang/go/issues/58975
https://github.com/golang/go/issues/59268
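The practical check for this bug is whether the Go toolchain a binary was built with carries the fix. The following is an added example, not code from the bug report or from the Go project: it compares a `runtime.Version()`-style string against the "Fixed In Version" releases recorded above (golang 1.20.3 and golang 1.19.8), and shows the `http.Server` header bounds a defender can set as defense in depth. The `fixedIn` table, the `IsPatched` helper and the 16 KiB / 5 s limits are this example's own choices; the treatment of minor lines newer than 1.20 as fixed and older than 1.19 as unpatched is an assumption made here.

```go
package main

import (
	"fmt"
	"net/http"
	"runtime"
	"strconv"
	"strings"
	"time"
)

// fixedIn maps a Go minor line to the first patch release on that line
// that contains the fix, taken from the bug's "Fixed In Version" field
// (golang 1.19.8, golang 1.20.3).
var fixedIn = map[int]int{
	19: 8, // go1.19.8
	20: 3, // go1.20.3
}

// parseGoVersion turns a runtime.Version()-style string such as "go1.19.8"
// into (minor, patch). Strings that are not a plain "go1.X[.Y]" release
// (devel builds, release candidates) return ok=false.
func parseGoVersion(v string) (minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, false
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, false
	}
	if len(parts) >= 3 {
		patch, err = strconv.Atoi(parts[2])
		if err != nil {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// IsPatched reports whether the given toolchain version contains the fix
// for CVE-2023-24534. Assumption made in this example: minor lines newer
// than 1.20 carry the fix (it landed in mainline), and lines older than
// 1.19 received no backport and are reported as unpatched. Unparseable
// versions are reported as unpatched so they get looked at.
func IsPatched(v string) bool {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false
	}
	if minPatch, known := fixedIn[minor]; known {
		return patch >= minPatch
	}
	return minor > 20
}

// hardenedServer returns an http.Server that bounds how many header bytes
// a client may send and how long it may take to send them. These limits
// are defense in depth only: the bug allocates disproportionately even for
// small inputs, so they reduce exposure but do not replace upgrading.
func hardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		MaxHeaderBytes:    16 << 10, // 16 KiB; http.DefaultMaxHeaderBytes is 1 MiB
		ReadHeaderTimeout: 5 * time.Second,
	}
}

func main() {
	v := runtime.Version()
	fmt.Printf("running %s, patched for CVE-2023-24534: %v\n", v, IsPatched(v))

	srv := hardenedServer(":8080", http.NotFoundHandler())
	fmt.Printf("server limits: MaxHeaderBytes=%d ReadHeaderTimeout=%s\n",
		srv.MaxHeaderBytes, srv.ReadHeaderTimeout)
}
```

Run the check from inside the binary whose exposure you are assessing rather than on a build host, since `runtime.Version()` reports the toolchain that actually compiled the program; for statically linked Go binaries on a fleet, `go version <binary>` gives the same answer without executing them.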

Comment 10 Avinash Hanwate 2023-04-24 05:27:18 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2189059]
Affects: fedora-all [bug 2189060]

Comment 17 errata-xmlrpc 2023-05-18 11:34:25 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 19 errata-xmlrpc 2023-06-05 14:08:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 20 errata-xmlrpc 2023-06-05 16:44:27 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 21 errata-xmlrpc 2023-06-05 23:43:00 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 22 errata-xmlrpc 2023-06-07 01:50:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3367 https://access.redhat.com/errata/RHSA-2023:3367

Comment 23 errata-xmlrpc 2023-06-13 15:32:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3540 https://access.redhat.com/errata/RHSA-2023:3540

Comment 26 errata-xmlrpc 2023-06-15 09:48:11 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:3624 https://access.redhat.com/errata/RHSA-2023:3624

Comment 27 errata-xmlrpc 2023-06-23 04:39:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 28 errata-xmlrpc 2023-06-29 00:59:08 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:3918 https://access.redhat.com/errata/RHSA-2023:3918

Comment 29 errata-xmlrpc 2023-06-29 14:32:33 UTC
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2023:3943 https://access.redhat.com/errata/RHSA-2023:3943

Comment 31 errata-xmlrpc 2023-07-10 08:51:29 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 34 errata-xmlrpc 2023-07-20 17:28:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13
  Ironic content for Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093

Comment 36 errata-xmlrpc 2023-08-03 14:12:49 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 37 errata-xmlrpc 2023-08-08 00:36:24 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 38 errata-xmlrpc 2023-08-14 01:02:44 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 39 errata-xmlrpc 2023-08-16 14:09:32 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:4664 https://access.redhat.com/errata/RHSA-2023:4664

Comment 40 errata-xmlrpc 2023-08-23 00:17:57 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:4657 https://access.redhat.com/errata/RHSA-2023:4657

Comment 41 errata-xmlrpc 2023-09-06 07:56:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.9

Via RHSA-2023:4986 https://access.redhat.com/errata/RHSA-2023:4986

Comment 42 errata-xmlrpc 2023-10-20 14:57:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964

Comment 43 errata-xmlrpc 2023-10-20 17:18:35 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:5976 https://access.redhat.com/errata/RHSA-2023:5976

Comment 44 errata-xmlrpc 2023-11-07 08:13:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 45 errata-xmlrpc 2023-11-07 08:13:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 46 errata-xmlrpc 2023-11-07 08:15:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 47 errata-xmlrpc 2023-11-07 08:16:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6420 https://access.redhat.com/errata/RHSA-2023:6420

Comment 48 errata-xmlrpc 2023-11-07 08:17:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 49 errata-xmlrpc 2023-11-07 08:17:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 50 errata-xmlrpc 2023-11-08 18:49:23 UTC
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2023:6832 https://access.redhat.com/errata/RHSA-2023:6832

Comment 51 errata-xmlrpc 2023-11-14 15:16:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 52 errata-xmlrpc 2023-11-14 15:17:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 60 errata-xmlrpc 2024-05-21 14:07:47 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:2944 https://access.redhat.com/errata/RHSA-2024:2944