Bug 2253330 (CVE-2023-39326)

Summary: CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Sayan Biswas <sabiswas>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: golang 1.20.12, golang 1.21.0-0, golang 1.21.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from the network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).
Bug Depends On: 2253332, 2253333, 2253335, 2253336, 2253337, 2253338, 2253339, 2253340, 2253341, 2253342, 2253343, 2253344, 2253345, 2253346, 2253347, 2253348, 2255162, 2255163, 2255535, 2279583, 2280690
Bug Blocks: 2253319

Description Patrick Del Bello 2023-12-06 20:47:22 UTC
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

https://go.dev/cl/547335
https://go.dev/issue/64433
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2382

Comment 1 Patrick Del Bello 2023-12-06 20:51:59 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2253332]
Affects: fedora-all [bug 2253333]

Comment 9 Debarshi Ray 2024-01-15 22:46:54 UTC
We are missing the RHEL 9 tracking bug for toolbox, even though the bugs for RHEL 8 are there.

Comment 16 errata-xmlrpc 2024-01-25 18:10:38 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:0530 https://access.redhat.com/errata/RHSA-2024:0530

Comment 20 errata-xmlrpc 2024-02-07 18:45:49 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2024:0694 https://access.redhat.com/errata/RHSA-2024:0694

Comment 21 errata-xmlrpc 2024-02-07 22:50:27 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2024:0695 https://access.redhat.com/errata/RHSA-2024:0695

Comment 22 errata-xmlrpc 2024-02-08 17:27:42 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:0728 https://access.redhat.com/errata/RHSA-2024:0728

Comment 23 errata-xmlrpc 2024-02-08 18:20:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 24 errata-xmlrpc 2024-02-15 12:55:33 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 25 errata-xmlrpc 2024-02-20 11:03:42 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 26 errata-xmlrpc 2024-02-20 12:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0887 https://access.redhat.com/errata/RHSA-2024:0887

Comment 27 errata-xmlrpc 2024-02-27 20:49:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 28 errata-xmlrpc 2024-02-27 22:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 29 errata-xmlrpc 2024-02-27 22:47:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7200 https://access.redhat.com/errata/RHSA-2023:7200

Comment 30 errata-xmlrpc 2024-02-28 00:20:13 UTC
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:0269 https://access.redhat.com/errata/RHSA-2024:0269

Comment 32 errata-xmlrpc 2024-02-29 09:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2024:1041 https://access.redhat.com/errata/RHSA-2024:1041

Comment 33 errata-xmlrpc 2024-03-05 00:34:19 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:1078 https://access.redhat.com/errata/RHSA-2024:1078

Comment 34 errata-xmlrpc 2024-03-05 18:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1131 https://access.redhat.com/errata/RHSA-2024:1131

Comment 35 errata-xmlrpc 2024-03-05 18:13:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1149 https://access.redhat.com/errata/RHSA-2024:1149

Comment 36 errata-xmlrpc 2024-03-06 14:40:04 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-9

Via RHSA-2024:0281 https://access.redhat.com/errata/RHSA-2024:0281

Comment 37 errata-xmlrpc 2024-03-11 16:04:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1244 https://access.redhat.com/errata/RHSA-2024:1244

Comment 39 errata-xmlrpc 2024-03-20 07:40:24 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.1

Via RHSA-2024:1434 https://access.redhat.com/errata/RHSA-2024:1434

Comment 40 errata-xmlrpc 2024-04-02 19:30:09 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 41 errata-xmlrpc 2024-04-15 05:44:43 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812

Comment 42 errata-xmlrpc 2024-04-16 17:26:12 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 43 errata-xmlrpc 2024-04-18 07:18:39 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901

Comment 44 errata-xmlrpc 2024-04-25 15:14:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896

Comment 45 errata-xmlrpc 2024-04-30 09:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160

Comment 46 errata-xmlrpc 2024-04-30 09:46:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2193 https://access.redhat.com/errata/RHSA-2024:2193

Comment 47 errata-xmlrpc 2024-04-30 09:55:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2245 https://access.redhat.com/errata/RHSA-2024:2245

Comment 48 errata-xmlrpc 2024-04-30 09:58:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2272 https://access.redhat.com/errata/RHSA-2024:2272

Comment 51 errata-xmlrpc 2024-05-22 09:28:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988

Comment 52 errata-xmlrpc 2024-05-22 20:11:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:2767 https://access.redhat.com/errata/RHSA-2024:2767

Comment 53 errata-xmlrpc 2024-05-22 20:38:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2729 https://access.redhat.com/errata/RHSA-2024:2729

Comment 54 errata-xmlrpc 2024-05-22 20:41:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2730 https://access.redhat.com/errata/RHSA-2024:2730

Comment 55 errata-xmlrpc 2024-05-23 06:39:46 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 56 errata-xmlrpc 2024-05-23 15:25:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352

Comment 58 errata-xmlrpc 2024-05-29 13:31:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467

Comment 59 errata-xmlrpc 2024-05-29 19:50:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2728 https://access.redhat.com/errata/RHSA-2024:2728

Comment 60 errata-xmlrpc 2024-05-29 21:40:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3479 https://access.redhat.com/errata/RHSA-2024:3479

Comment 63 errata-xmlrpc 2024-06-17 00:43:53 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868