Bug 1856953 (CVE-2020-15586) - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
Summary: CVE-2020-15586 golang: data race in certain net/http servers including Revers...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-15586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1859441 1859442 1866622 1866623 1866624 1866625 1866626 1866627 1866628 1866629 1866630 1866631 1866632 1866633 1866634 1866635 1866636 1866637 1866638 1866639 1866640 1866641 1866642 1866643 1866644 1866645 1866646 1866647 1866648 1866649 1866650 1866651 1866652 1866653 1866654 1866655 1866656 1866657 1866658 1866660 1866661 1866662 1866663 1866664 1866665 1866666 1866667 1866668 1866669 1866670 1866671 1866672 1866673 1866674 1866675 1866676 1866945 1866946 1867484 1867485 1867487 1867488 1867489 1867531 1867532 1867540 1867541 1867542 1867543 1867557 1883104 1856956 1856957 1865875 1866953 1867486 1867506 1867507 1867522 1867537 1867584 1867589 1870132 1881579 1883099 1883100 1883101 1883102 1883103 1883105 1883106 1883107 1883108 1883109 1883110 1883111 1883112 1883113 1883114 1883115 1883116 1883117 1883118 1883119 1883120 1883121 1883122 1883123 1883124 1883125 1883126 1883127 1883128 1883129 1883130
Blocks: 1856954
Reported: 2020-07-14 18:47 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-10-08 10:50 UTC (History)

Fixed In Version: Go 1.14.5, Go 1.13.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:22 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3665 None None None 2020-09-08 09:47:50 UTC
Red Hat Product Errata RHSA-2020:4201 None None None 2020-10-06 23:54:26 UTC
Red Hat Product Errata RHSA-2020:4214 None None None 2020-10-08 10:50:44 UTC

Description Guilherme de Almeida Suckevicz 2020-07-14 18:47:44 UTC
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.

References:
https://github.com/golang/go/issues/34902
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
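
As an added example (not part of the bug report or of the Go project), a small Go check that decides from the "Fixed In Version" field of this bug whether a given Go toolchain version still carries the race. It assumes that series before 1.13 never received the fix and that 1.15 and later shipped after it.

```go
package main

import (
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// First fixed patch release per series, from the bug's "Fixed In Version".
var fixedPatch = map[int]int{13: 13, 14: 5}
// parseGoVersion: "go1.14.4", "1.13", "go1.15rc1" -> (minor, patch); pre-release = patch 0.
func parseGoVersion(v string) (minor, patch int, ok bool) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "go")
	if i := strings.IndexAny(v, "rb"); i >= 0 { // "rc1" / "beta1"
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || parts[0] != "1" {
		return 0, 0, false
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, false
	}
	if len(parts) > 2 {
		if patch, err = strconv.Atoi(parts[2]); err != nil {
			return 0, 0, false
		}
	}
	return minor, patch, true
}

// Affected reports whether a Go version still carries the net/http race. Assumed:
// series before 1.13 never received the fix; 1.15+ shipped after it.
func Affected(v string) (bool, error) {
	minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	if fix, tracked := fixedPatch[minor]; tracked {
		return patch < fix, nil
	}
	return minor < 13, nil
}

func main() { // check the toolchain this binary was built with
	a, err := Affected(runtime.Version())
	fmt.Println(runtime.Version(), "affected:", a, err)
}
```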

Comment 1 Guilherme de Almeida Suckevicz 2020-07-14 18:54:51 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1856956]
Affects: fedora-all [bug 1856957]

Comment 13 Sam Fowler 2020-08-06 06:18:12 UTC
External References:

https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ

Comment 35 amctagga 2020-08-28 19:54:46 UTC
Statement:

OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the severity of this vulnerability to Low for OCP.

Similar to OCP, OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization are also primarily written in Go and are protected via authentication, reducing the severity of this vulnerability to Low.

Red Hat Gluster Storage 3 and Red Hat Openshift Container Storage 4 components are built with the affected version of Go; however, the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.

Red Hat Ceph Storage 3 and 4 components are built with the affected version of Go; however, the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.

Comment 38 errata-xmlrpc 2020-09-08 09:47:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665

Comment 39 Product Security DevOps Team 2020-09-08 13:19:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15586

Comment 44 errata-xmlrpc 2020-10-06 23:54:21 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.4
  RHEL-7-CNV-2.4

Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201

Comment 47 errata-xmlrpc 2020-10-08 10:50:38 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214

