Bug 2309710 (CVE-2024-8421)

Summary: CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Rapid Reset Attack)
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability-draft
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: aazores, adistefa, akostadi, amasferr, amctagga, anjoseph, anli, anpicker, ansmith, aoconnor, bbuckingham, bdettelb, bniver, brking, cbartlet, cdaley, chazlett, ckandaga, danken, dhanak, dholler, dmayorov, doconnor, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, fdeutsch, flucifre, ggainey, gkamathe, gmeno, gparvin, haoli, hasun, hkataria, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jjoyce, jkang, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jowilson, jpallich, jprabhak, jschluet, juwatts, jwendell, kaycoth, kholdawa, kingland, kshier, ktsao, kverlaen, lbainbri, lchilton, lgamliel, lhh, lsvaty, mabashia, mark.s.lewis, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mjaros, mkudlej, mmakovy, mnovotny, mrajanna, muagarwa, mulliken, mwringe, nboldt, njean, nmoumoul, nobody, nyancey, odf-bz-bot, ometelka, oramraz, owatkins, pahickey, pbraun, pcreech, peholase, pgaikwad, pgrist, phoracek, pierdipi, pjindal, p.malishev, ptisnovs, pvasanth, rcernich, rchan, rfreiman, rguimara, rhaigner, rhos-maint, rhuss, rjohnson, rkeshri, rtaniwa, sakbas, sapillai, saroy, sdawley, sfeifer, sfroberg, simaishi, slucidi, smcdonal, smullick, snikolov, sostapov, sseago, stcannon, stirabos, subhro, syedriko, teagle, tfister, thavo, tjochec, tkral, tnielsen, tremes, tsweeney, twalsh, vereddy, whayutin, wtam, wzheng, xdharmai, yguenane, ypadia
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: snikolov: needinfo? (subhro)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
[REJECTED CVE] A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2309725, 2309952, 2309953, 2309954, 2309955, 2309956, 2309957, 2309958, 2310011, 2310053, 2310054, 2309722, 2309723, 2309726, 2309727, 2309959, 2309960, 2309961, 2309962, 2309963, 2309964, 2309965, 2309966, 2309967, 2309968, 2309969, 2309970, 2309971, 2309972, 2309973, 2309974, 2309975, 2309976, 2309977, 2309978, 2309979, 2309980, 2309981, 2309982, 2309983, 2309984, 2309985, 2309986, 2309987, 2309988, 2309989, 2309990, 2309991, 2309992, 2309993, 2309994, 2309995, 2309996, 2309997, 2309998, 2309999, 2310000, 2310001, 2310002, 2310003, 2310004, 2310005, 2310006, 2310007, 2310008, 2310009, 2310010, 2310012, 2310013, 2310014, 2310015, 2310016, 2310017, 2310018, 2310019, 2310020, 2310021, 2310022, 2310023, 2310024, 2310025, 2310026, 2310027, 2310028, 2310029, 2310030, 2310031, 2310032, 2310033, 2310034, 2310035, 2310036, 2310037, 2310038, 2310039, 2310040, 2310041, 2310042, 2310043, 2310044, 2310045, 2310046, 2310047, 2310048, 2310049, 2310050, 2310051, 2310052, 2310055, 2310056, 2310057, 2310059, 2310060, 2310061, 2310062, 2310064, 2310066, 2310068, 2310069, 2310070, 2310074, 2310075, 2310076, 2310077, 2310078, 2310079, 2310080, 2310102, 2310103, 2310104, 2310105, 2310106, 2310107, 2310108, 2310109, 2311657, 2311658    
Bug Blocks:    

Description OSIDB Bzimport 2024-09-04 14:00:49 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

Comment 6 Lon Hohberger 2024-09-09 14:10:55 UTC
https://pkg.go.dev/golang.org/x/net?tab=versions

Is it accurate to say that anything that has rebased golang x/net to >= 0.22.0 resolves this issue?

Comment 7 Mark S. Lewis 2024-09-13 09:12:05 UTC
(In reply to Lon Hohberger from comment #6)
> https://pkg.go.dev/golang.org/x/net?tab=versions
> 
> Is it accurate to say that anything that has rebased golang x/net to >=
> 0.22.0 resolves this issue?

The history log for this bug states that it is a Red Hat-specific CVE related to CVE-2023-39325, which was fixed in golang.org/x/net/http2 v0.17.0. See here:

https://pkg.go.dev/vuln/GO-2023-2102

The history log goes on to say, "Red Hat has come to the conclusion that this CVE is not needed", so it seems (to me) that it can be ignored, provided you are at least at these Go versions:

- go1.20.10 (net/http)
- go1.21.3 (net/http)
- golang.org/x/net/http2.0

Of course you also need golang.org/x/net/http2.0 or later to avoid CVE-2023-45288, and go1.22.5 or later to avoid CVE-2024-24791.
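Comment 7 turns the question into a version threshold: the underlying issue (CVE-2023-39325, GO-2023-2102) is fixed in golang.org/x/net v0.17.0. The following Go program is an added illustration, not code from this bug report or from the x/net project: it reads a go.mod, finds the required golang.org/x/net version and reports whether it is at or above that threshold, treating a pseudo-version as its base version and a missing requirement as an error rather than as "fixed". The two sample go.mod texts, the module name example.com/svc and the function names are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module named in comment 7 and the version stated there as carrying the fix.
const (
	xnetModule = "golang.org/x/net"
	xnetFixed  = "v0.17.0"
)

// Constructed sample go.mod files (not from any real project): one pins an
// older x/net in a require block, the other a newer one on a single line.
const vulnerableGoMod = `module example.com/svc
go 1.21
require (
	golang.org/x/net v0.15.0 // indirect
	golang.org/x/text v0.13.0
)
`
const fixedGoMod = `module example.com/svc
go 1.21
require golang.org/x/net v0.22.0
`

// parseVersion turns "v0.17.0" (or a pseudo-version such as
// "v0.0.0-20230822172742-b8732ec3820d") into three numbers. Everything after
// the first '-' or '+' is dropped, so a pseudo-version compares as its base
// version; a base below the fixed release is correctly treated as not fixed.
func parseVersion(v string) ([3]int, error) {
	var parts [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) != 3 {
		return parts, fmt.Errorf("malformed version %q", v)
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, fmt.Errorf("malformed version %q: %w", v, err)
		}
		parts[i] = n
	}
	return parts, nil
}

// CompareVersions returns -1, 0 or 1 as a is below, equal to or above b.
func CompareVersions(a, b string) (int, error) {
	pa, err := parseVersion(a)
	if err != nil {
		return 0, err
	}
	pb, err := parseVersion(b)
	if err != nil {
		return 0, err
	}
	for i := range pa {
		if pa[i] != pb[i] {
			if pa[i] < pb[i] {
				return -1, nil
			}
			return 1, nil
		}
	}
	return 0, nil
}

// XNetVersion returns the version go.mod requires for golang.org/x/net, in
// either the one-line "require m v" form or a require ( ... ) block, or ""
// when the module is not required at all.
func XNetVersion(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and the like
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(strings.TrimPrefix(line, "require "))
		if len(f) >= 2 && f[0] == xnetModule {
			return f[1]
		}
	}
	return ""
}

// XNetFixed reports whether go.mod requires golang.org/x/net at or above
// xnetFixed. "Not required" is an error, never a silent "fixed".
func XNetFixed(gomod string) (bool, error) {
	v := XNetVersion(gomod)
	if v == "" {
		return false, fmt.Errorf("%s is not required by this go.mod", xnetModule)
	}
	c, err := CompareVersions(v, xnetFixed)
	if err != nil {
		return false, err
	}
	return c >= 0, nil
}

func main() {
	for name, m := range map[string]string{"vulnerable": vulnerableGoMod, "fixed": fixedGoMod} {
		ok, err := XNetFixed(m)
		fmt.Printf("%-10s x/net %s -> fixed=%v err=%v\n", name, XNetVersion(m), ok, err)
	}
}
```

This is only a first pass: a go.mod does not reflect `replace` directives, a vendored copy of x/net, or the Go toolchain itself (the go1.20.10 and go1.21.3 thresholds in comment 7 concern the standard library net/http, which this check does not look at). On a real build tree, `go list -m golang.org/x/net` and `govulncheck` give the authoritative answer.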

Comment 8 errata-xmlrpc 2024-09-18 11:56:35 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755