Bug 2281619

Summary: Fix vulnerability of HTTP/2 endpoint to read arbitrary amounts of header data
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Parth Arora <paarora>
Component: rookAssignee: Parth Arora <paarora>
Status: CLOSED ERRATA QA Contact: Parag Kamble <pakamble>
Severity: high Docs Contact:
Priority: unspecified    
Version: 4.15CC: asriram, ebenahar, kramdoss, odf-bz-bot, sheggodu, tnielsen
Target Milestone: ---   
Target Release: ODF 4.15.6   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.17.0-65 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-09-05 04:54:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Parth Arora 2024-05-20 09:50:32 UTC 
Description of problem (please be detailed as possible and provide log
snippets):

Vulnerability Report: GO-2024-2687, https://pkg.go.dev/vuln/GO-2024-2687

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Version of all relevant components (if applicable):

4.15

Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?


Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1.
2.
3.


Actual results:


Expected results:


Additional info:
Comment 7 Sunil Kumar Acharya 2024-07-25 12:36:27 UTC 
Please backport the fix to ODF-4.15 and update the RDT flag/text appropriately.
Comment 25 errata-xmlrpc 2024-09-05 04:54:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenShift Data Foundation 4.15.6 Bug Fix Update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:6397