Bug 1856953 (CVE-2020-15586) - CVE-2020-15586 golang: data race in certain net/http servers including ReverseProxy can lead to DoS
Summary: CVE-2020-15586 golang: data race in certain net/http servers including Revers...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-15586
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1856956 1856957 1859441 1859442 1865875 1866622 1866623 1866624 1866625 1866626 1866627 1866628 1866629 1866630 1866631 1866632 1866633 1866634 1866635 1866636 1866637 1866638 1866639 1866640 1866641 1866642 1866643 1866644 1866645 1866646 1866647 1866648 1866649 1866650 1866651 1866652 1866653 1866654 1866655 1866656 1866657 1866658 1866660 1866661 1866662 1866663 1866664 1866665 1866666 1866667 1866668 1866669 1866670 1866671 1866672 1866673 1866674 1866675 1866676 1866945 1866946 1866953 1867484 1867485 1867486 1867487 1867488 1867489 1867506 1867507 1867522 1867531 1867532 1867537 1867540 1867541 1867542 1867543 1867557 1867584 1867589 1870132 1881579 1883099 1883100 1883101 1883102 1883103 1883104 1883105 1883106 1883107 1883108 1883109 1883110 1883111 1883112 1883113 1883114 1883115 1883116 1883117 1883118 1883119 1883120 1883121 1883122 1883123 1883124 1883125 1883126 1883127 1883128 1883129 1883130 1932964 1932969 1933013 1933040 1933080 1941198 1941520 1941530 1941540 1941550 1941585
Blocks: 1856954
TreeView+ depends on / blocked
 
Reported: 2020-07-14 18:47 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-02-07 17:07 UTC (History)
66 users (show)

Fixed In Version: Go 1.14.5, Go 1.13.13, Go 1.15rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found Go's net/http package. Servers using ReverseProxy from net/http in the Go standard library are vulnerable to a data race that results in a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:19:22 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3665 0 None None None 2020-09-08 09:47:50 UTC
Red Hat Product Errata RHSA-2020:4201 0 None None None 2020-10-06 23:54:26 UTC
Red Hat Product Errata RHSA-2020:4214 0 None None None 2020-10-08 10:50:44 UTC
Red Hat Product Errata RHSA-2020:5118 0 None None None 2020-11-24 12:42:13 UTC
Red Hat Product Errata RHSA-2020:5119 0 None None None 2020-11-24 11:56:17 UTC
Red Hat Product Errata RHSA-2020:5605 0 None None None 2020-12-17 06:22:17 UTC
Red Hat Product Errata RHSA-2020:5606 0 None None None 2020-12-17 05:42:20 UTC
Red Hat Product Errata RHSA-2020:5649 0 None None None 2020-12-22 04:58:42 UTC
Red Hat Product Errata RHSA-2021:0072 0 None None None 2021-01-11 21:59:14 UTC
Red Hat Product Errata RHSA-2021:0713 0 None None None 2021-03-11 04:46:52 UTC
Red Hat Product Errata RHSA-2021:0799 0 None None None 2021-03-10 11:15:26 UTC
Red Hat Product Errata RHSA-2021:4103 0 None None None 2021-11-02 13:31:31 UTC

Description Guilherme de Almeida Suckevicz 2020-07-14 18:47:44 UTC 
Servers where the Handler concurrently reads the request body and writes a response can encounter a data race and crash. The httputil.ReverseProxy Handler is affected.

References:
https://github.com/golang/go/issues/34902
https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/golang-announce/XZNfaiwgt2w/E6gHDs32AQAJ
Comment 1 Guilherme de Almeida Suckevicz 2020-07-14 18:54:51 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1856956]
Affects: fedora-all [bug 1856957]
Comment 13 Sam Fowler 2020-08-06 06:18:12 UTC 
External References:

https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ
Comment 35 Sage McTaggart 2020-08-28 19:54:46 UTC 
Statement:

OpenShift Container Platform (OCP) components are primarily written in Go, meaning that any component using the net/http package includes the vulnerable code. OCP server endpoints using ReverseProxy are protected by authentication, reducing the severity of this vulnerability to Low for OCP.

Similar to OCP, OpenShift ServiceMesh (OSSM), RedHat OpenShift Jaeger (RHOSJ) and OpenShift Virtualization are also primarily written in Go and are protected via authentication, reducing the severity of this vulnerability to Low.

Red Hat Gluster Storage 3 and Red Hat Openshift Container Storage 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.

Red Hat Ceph Storage 3 and 4 components are built with the affected version of Go, however the vulnerable functionality is currently not used by these products and hence this issue has been rated as having a security impact of Low.
Comment 38 errata-xmlrpc 2020-09-08 09:47:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3665 https://access.redhat.com/errata/RHSA-2020:3665
Comment 39 Product Security DevOps Team 2020-09-08 13:19:22 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-15586
Comment 44 errata-xmlrpc 2020-10-06 23:54:21 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-2.4
  RHEL-7-CNV-2.4

Via RHSA-2020:4201 https://access.redhat.com/errata/RHSA-2020:4201
Comment 47 errata-xmlrpc 2020-10-08 10:50:38 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:4214 https://access.redhat.com/errata/RHSA-2020:4214
Comment 49 errata-xmlrpc 2020-11-24 11:56:08 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:5119 https://access.redhat.com/errata/RHSA-2020:5119
Comment 50 errata-xmlrpc 2020-11-24 12:42:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:5118 https://access.redhat.com/errata/RHSA-2020:5118
Comment 51 errata-xmlrpc 2020-12-17 05:42:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2020:5606 https://access.redhat.com/errata/RHSA-2020:5606
Comment 52 errata-xmlrpc 2020-12-17 06:22:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2020:5605 https://access.redhat.com/errata/RHSA-2020:5605
Comment 53 errata-xmlrpc 2020-12-22 04:58:40 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:5649 https://access.redhat.com/errata/RHSA-2020:5649
Comment 54 errata-xmlrpc 2021-01-11 21:59:51 UTC 
This issue has been addressed in the following products:

  OpenShift Serverless 1.9.0

Via RHSA-2021:0072 https://access.redhat.com/errata/RHSA-2021:0072
Comment 55 errata-xmlrpc 2021-03-10 11:15:20 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
Comment 56 errata-xmlrpc 2021-03-11 04:46:50 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0713 https://access.redhat.com/errata/RHSA-2021:0713
Comment 57 errata-xmlrpc 2021-03-30 16:46:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0956 https://access.redhat.com/errata/RHSA-2021:0956
Comment 58 errata-xmlrpc 2021-04-13 23:32:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:1016 https://access.redhat.com/errata/RHSA-2021:1016
Comment 59 errata-xmlrpc 2021-05-04 19:32:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1366 https://access.redhat.com/errata/RHSA-2021:1366
Comment 60 errata-xmlrpc 2021-06-01 04:09:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:2122 https://access.redhat.com/errata/RHSA-2021:2122
Comment 62 errata-xmlrpc 2021-11-02 13:31:29 UTC 
This issue has been addressed in the following products:

  RHEL-7-CNV-4.9
  RHEL-8-CNV-4.9

Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103
Note You need to log in before you can comment on or make changes to this bug.