Bug 1250352 (CVE-2015-5739, CVE-2015-5740, CVE-2015-5741) - CVE-2015-5739 CVE-2015-5740 CVE-2015-5741 golang: HTTP request smuggling in net/http library
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5739, CVE-2015-5740, CVE-2015-5741
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1250353 1250374 1327920 1327921 1337410
Blocks: 1250364 1323912
Reported: 2015-08-05 08:38 UTC by Adam Mariš
Modified: 2021-02-17 05:03 UTC

Fixed In Version: golang 1.4.3, golang 1.5
Doc Type: Bug Fix
Doc Text:
HTTP-request vulnerabilities have been found in the Golang net/http and net/textproto libraries. Request headers with double Content-Length fields do not generate a 400 error (the second field is ignored), and invalid fields are parsed as valid (for example, "Content Length:" with a space in the middle is accepted). A non-authenticated attacker could exploit these flaws to bypass security controls, perform web-cache poisoning, or alter the request/response map (denial of service).
Clone Of:
Environment:
Last Closed: 2016-12-05 16:02:43 UTC
Embargoed:



Description Adam Mariš 2015-08-05 08:38:44 UTC
Potentially exploitable flaws have been found in the Golang net/http library affecting versions 1.4.2 and 1.5.

Problems:
* Double Content-length headers in a request do not generate a 400 error; the second Content-length is ignored.
* Invalid headers are parsed as valid headers (like "Content Length:" with a space in the middle).

Exploitations:
In a situation where the net/http agent's HTTP communication with the final
HTTP clients goes through some reverse proxy (reverse proxy cache, SSL
terminators, etc.), some requests can be made exploiting the net/http HTTP
protocol violations.

An attacker could possibly:
* bypass security controls on these previous elements
* perform some cache poisoning on these elements
* alter the request/response map on these previous elements (for DoS)

CVE request:
http://seclists.org/oss-sec/2015/q3/237

Upstream patches:
https://github.com/golang/go/commit/117ddcb83d7f42d6aa72241240af99ded81118e9
https://github.com/golang/go/commit/300d9a21583e7cf0149a778a0611e76ff7c6680f
https://github.com/golang/go/commit/143822585e32449860e624cace9d2e521deee62e
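
The two checks listed under "Problems" above, written as a stand-alone validator that could run before a request is framed. This is an added example, not the upstream net/http patch and not code from this bug report; `CheckHead`, the error names and the sample request heads are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

var (
	ErrFieldName = errors.New("400: invalid header field name")
	ErrDupCL     = errors.New("400: more than one Content-Length field")
	ErrBadCL     = errors.New("400: Content-Length is not a decimal number")
)

// tchar lists the characters RFC 7230 allows in a header field name (a token).
const tchar = "!#$%&'*+-.^_`|~0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

// CheckHead (hypothetical helper) validates the header lines of a raw request head.
func CheckHead(head string) error {
	lines := strings.Split(strings.TrimSuffix(head, "\r\n\r\n"), "\r\n")
	seenCL := false
	for _, line := range lines[1:] { // lines[0] is the request line
		name, value, ok := strings.Cut(line, ":")
		// Trim leaves a non-empty remainder iff name holds a non-token character.
		if !ok || name == "" || strings.Trim(name, tchar) != "" {
			return fmt.Errorf("%w: %q", ErrFieldName, name) // e.g. "Content Length"
		}
		if !strings.EqualFold(name, "Content-Length") {
			continue
		}
		if seenCL { // strict choice: refuse any repeat rather than ignore one copy
			return ErrDupCL
		}
		seenCL = true
		if _, err := strconv.ParseUint(strings.Trim(value, " \t"), 10, 63); err != nil {
			return ErrBadCL
		}
	}
	return nil
}

func main() {
	// Constructed sample request heads, not captured traffic.
	for _, h := range []string{
		"POST / HTTP/1.1\r\nHost: a.example\r\nContent-Length: 5\r\n\r\n",
		"POST / HTTP/1.1\r\nHost: a.example\r\nContent-Length: 5\r\nContent-Length: 0\r\n\r\n",
		"POST / HTTP/1.1\r\nHost: a.example\r\nContent Length: 5\r\n\r\n",
	} {
		fmt.Println(CheckHead(h))
	}
}
```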

Comment 1 Adam Mariš 2015-08-05 08:39:24 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 1250353]

Comment 2 Adam Mariš 2015-08-05 09:03:59 UTC
Created golang tracking bugs for this issue:

Affects: epel-6 [bug 1250374]

Comment 3 Vincent Batts 2015-08-05 21:10:18 UTC
Is https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f also to be included?

Comment 5 Martin Prpič 2015-08-06 09:28:54 UTC
(In reply to Vincent Batts from comment #3)
> is
> https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f
> also to be included?

I requested one in http://seclists.org/oss-sec/2015/q3/299

Comment 6 Vincent Batts 2015-08-06 12:40:43 UTC
(In reply to Martin Prpic from comment #5)
> (In reply to Vincent Batts from comment #3)
> > is
> > https://github.com/golang/go/commit/26049f6f9171d1190f3bbe05ec304845cfe6399f
> > also to be included?
> 
> I requested one in http://seclists.org/oss-sec/2015/q3/299

Thanks. This commit does not apply directly for go1.4.2 presently. I'm investigating that.

Comment 7 Fedora Update System 2015-08-18 05:21:45 UTC
golang-1.4.2-3.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-08-18 05:23:01 UTC
golang-1.4.2-3.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2015-10-01 18:50:56 UTC
golang-1.5.1-0.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-10-01 18:56:32 UTC
golang-1.5.1-0.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-10-01 20:22:56 UTC
golang-1.5.1-0.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

