Bug 2295310 (CVE-2024-24791)

Summary: CVE-2024-24791 net/http: Denial of service due to improper 100-continue handling in net/http
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aazores, abarbaro, adudiak, ahanwate, akostadi, alcohan, amasferr, amctagga, anjoseph, ansmith, anthomas, aoconnor, bbuckingham, bniver, brking, cbartlet, cdaley, chazlett, chfoley, cmah, danken, darunesh, debarshir, dfreiber, dhanak, dholler, dkenigsb, dmayorov, drow, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, epacific, fdeutsch, flucifre, ggainey, gkamathe, gmeno, gparvin, gsuckevi, haoli, hkataria, ibolton, jajackso, jburrell, jcammara, jcantril, jchui, jforrest, jhardy, jhe, jjoyce, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jobarker, jolong, jpallich, jprabhak, jschluet, jscholz, juwatts, kaycoth, kegrant, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lchilton, lcouzens, lgamliel, lhh, lphiri, lsvaty, mabashia, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mkudlej, mmagr, mmakovy, mnovotny, mrajanna, mrunge, mskarbek, mwringe, nboldt, njean, nmoumoul, nobody, nsoni, odf-bz-bot, omaciel, oramraz, osousa, owatkins, pahickey, pbraun, pcreech, peholase, pgaikwad, pgrist, phoracek, pierdipi, pjindal, psampaio, psrna, rchan, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rojacob, rtaniwa, sakbas, saroy, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, sipoyare, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, swoodman, teagle, tfister, thason, thavo, tjochec, tkral, tsweeney, vereddy, vimartin, vkumar, whayutin, wtam, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---Flags: psampaio: needinfo? (darunesh)
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2297326, 2350496, 2297318, 2297320, 2297321, 2297323, 2297324, 2297325, 2297327, 2297328, 2297329, 2297619, 2297620    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-02 22:00:22 UTC 
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
Comment 1 Pedro Sampaio 2024-07-11 14:10:26 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2297318]
Comment 12 Debarshi Ray 2024-08-09 15:15:34 UTC 
There is something wrong with this CVE tracker bug.

The CVE is in Go's standard net/http package, which is part of the golang RPM.  However, I don't see any mention of golang here.  I also don't see any mention of prominent RPMs that use Go and might need to rebuilt against a golang, where the CVE is fixed.  eg., podman and toolbox.  However, I do know about the existence of two toolbox Jira issues that were filed for this CVE:
https://issues.redhat.com/browse/RHEL-47194
https://issues.redhat.com/browse/RHEL-47199

So, it seems like something went wrong where this tracker bug doesn't depend on all the corresponding child issues and bugs.

This isn't just an academic problem, because I use this metadata to figure out the corresponding golang issues to know when the CVE would get fixed in golang, so that builds can be done against it.
Comment 13 Debarshi Ray 2024-08-09 15:35:41 UTC 
(In reply to Debarshi Ray from comment #12)
> There is something wrong with this CVE tracker bug.
> 
> The CVE is in Go's standard net/http package, which is part of the golang
> RPM.  However, I don't see any mention of golang here.  I also don't see any
> mention of prominent RPMs that use Go and might need to rebuilt against a
> golang, where the CVE is fixed.  eg., podman and toolbox.  However, I do
> know about the existence of two toolbox Jira issues that were filed for this
> CVE:
> https://issues.redhat.com/browse/RHEL-47194
> https://issues.redhat.com/browse/RHEL-47199

I did some digging, and the corresponding golang bugs are:
https://issues.redhat.com/browse/RHEL-47200
https://issues.redhat.com/browse/RHEL-47161
Comment 14 errata-xmlrpc 2024-08-19 06:09:43 UTC 
This issue has been addressed in the following products:

  Cryostat 3 on RHEL 8

Via RHSA-2024:5537 https://access.redhat.com/errata/RHSA-2024:5537
Comment 17 errata-xmlrpc 2024-09-09 00:49:14 UTC 
This issue has been addressed in the following products:

  Cost Management for RHEL 8

Via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462
Comment 19 errata-xmlrpc 2024-09-23 01:37:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6914 https://access.redhat.com/errata/RHSA-2024:6914
Comment 20 errata-xmlrpc 2024-09-23 01:47:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6908 https://access.redhat.com/errata/RHSA-2024:6908
Comment 21 errata-xmlrpc 2024-09-23 01:48:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6913 https://access.redhat.com/errata/RHSA-2024:6913
Comment 22 errata-xmlrpc 2024-09-23 01:52:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6912 https://access.redhat.com/errata/RHSA-2024:6912
Comment 23 errata-xmlrpc 2024-09-24 03:21:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969
Comment 24 errata-xmlrpc 2024-09-25 00:44:32 UTC 
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:7074 https://access.redhat.com/errata/RHSA-2024:7074
Comment 25 errata-xmlrpc 2024-09-30 00:50:40 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:7348 https://access.redhat.com/errata/RHSA-2024:7348
Comment 26 errata-xmlrpc 2024-09-30 01:21:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7349 https://access.redhat.com/errata/RHSA-2024:7349
Comment 30 errata-xmlrpc 2024-10-16 02:39:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:7922 https://access.redhat.com/errata/RHSA-2024:7922
Comment 31 errata-xmlrpc 2024-10-23 00:30:33 UTC 
This issue has been addressed in the following products:

  KDO-5.1-RHEL-9

Via RHSA-2024:6341 https://access.redhat.com/errata/RHSA-2024:6341
Comment 32 errata-xmlrpc 2024-10-24 10:44:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8260 https://access.redhat.com/errata/RHSA-2024:8260
Comment 33 errata-xmlrpc 2024-10-31 03:37:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425
Comment 34 Pedro Sampaio 2024-10-31 15:17:52 UTC 
Redirecting needinfo from comment#12.
Comment 35 errata-xmlrpc 2024-11-06 14:30:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:8688 https://access.redhat.com/errata/RHSA-2024:8688
Comment 36 errata-xmlrpc 2024-11-07 03:09:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:8692 https://access.redhat.com/errata/RHSA-2024:8692
Comment 37 errata-xmlrpc 2024-11-08 01:46:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8697 https://access.redhat.com/errata/RHSA-2024:8697
Comment 38 errata-xmlrpc 2024-11-12 08:41:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9089 https://access.redhat.com/errata/RHSA-2024:9089
Comment 39 errata-xmlrpc 2024-11-12 08:45:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9097 https://access.redhat.com/errata/RHSA-2024:9097
Comment 40 errata-xmlrpc 2024-11-12 08:45:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9098 https://access.redhat.com/errata/RHSA-2024:9098
Comment 41 errata-xmlrpc 2024-11-12 08:46:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9102 https://access.redhat.com/errata/RHSA-2024:9102
Comment 42 errata-xmlrpc 2024-11-12 08:48:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9115 https://access.redhat.com/errata/RHSA-2024:9115
Comment 43 errata-xmlrpc 2024-11-12 08:55:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9135 https://access.redhat.com/errata/RHSA-2024:9135
Comment 44 errata-xmlrpc 2024-11-18 00:47:10 UTC 
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-9

Via RHSA-2024:8219 https://access.redhat.com/errata/RHSA-2024:8219
Comment 45 errata-xmlrpc 2024-11-19 01:54:41 UTC 
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:9960 https://access.redhat.com/errata/RHSA-2024:9960
Comment 46 errata-xmlrpc 2024-11-21 01:08:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2024:10133 https://access.redhat.com/errata/RHSA-2024:10133
Comment 47 errata-xmlrpc 2024-11-26 16:04:16 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2024:10389 https://access.redhat.com/errata/RHSA-2024:10389
Comment 48 errata-xmlrpc 2024-12-03 15:04:32 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2024:10758 https://access.redhat.com/errata/RHSA-2024:10758
Comment 49 errata-xmlrpc 2024-12-10 01:38:22 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.8

Via RHSA-2024:10906 https://access.redhat.com/errata/RHSA-2024:10906
Comment 51 errata-xmlrpc 2025-01-08 11:31:25 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:0082 https://access.redhat.com/errata/RHSA-2025:0082
Comment 52 errata-xmlrpc 2025-03-05 20:59:09 UTC 
This issue has been addressed in the following products:

  Streams for Apache Kafka 2.9.0

Via RHSA-2025:2416 https://access.redhat.com/errata/RHSA-2025:2416
Comment 60 errata-xmlrpc 2025-04-17 04:08:24 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.16

Via RHSA-2025:3973 https://access.redhat.com/errata/RHSA-2025:3973
Comment 63 errata-xmlrpc 2025-05-13 10:29:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7256 https://access.redhat.com/errata/RHSA-2025:7256