Bug 2107374 (CVE-2022-1705) - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header
Summary: CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding he...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1705
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2120619 2107375 2109914 2109915 2109916 2109917 2110276 2110278 2111001 2111496 2111746 2111747 2111752 2111753 2111758 2111759 2111760 2111765 2111766 2111767 2111772 2111773 2111774 2111775 2111782 2111783 2111786 2111796 2111797 2111798 2111805 2111806 2111807 2111808 2111816 2111821 2111822 2111823 2111826 2111827 2111828 2111829 2111830 2111831 2111833 2112009 2112010 2118642 2118643 2118644 2118645 2118646 2118647 2118648 2118649 2119857 2119858 2119859 2119860 2119861 2120620 2123509 2123510 2123514 2123748 2123750 2123754 2134423 2134424 2168805
Blocks: 2108714
TreeView+ depends on / blocked
 
Reported: 2022-07-14 20:34 UTC by Anten Skrabec
Modified: 2023-10-09 11:34 UTC (History)
232 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in golang. The HTTP/1 client accepted invalid Transfer-Encoding headers indicating "chunked" encoding. This issue could allow request smuggling, but only if combined with an intermediate server that also improperly accepts the header as invalid.
Clone Of:
Environment:
Last Closed: 2023-05-16 23:47:46 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 15:59:34 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:36:12 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:04:10 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:04:07 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:53:37 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:16:24 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:37:39 UTC
Red Hat Product Errata RHSA-2022:6113 0 None None None 2022-08-18 15:11:08 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:41:20 UTC
Red Hat Product Errata RHSA-2022:6183 0 None None None 2022-09-06 13:32:39 UTC
Red Hat Product Errata RHSA-2022:6187 0 None None None 2022-08-25 10:09:12 UTC
Red Hat Product Errata RHSA-2022:6188 0 None None None 2022-08-25 11:21:20 UTC
Red Hat Product Errata RHSA-2022:6344 0 None None None 2022-09-06 17:00:45 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:34:24 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:03:06 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:58:51 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:43:22 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:29:54 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:25 UTC
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:29:58 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:37:01 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:26:24 UTC
Red Hat Product Errata RHSA-2022:7529 0 None None None 2022-11-08 09:28:54 UTC
Red Hat Product Errata RHSA-2022:7648 0 None None None 2022-11-08 10:00:27 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:07:04 UTC
Red Hat Product Errata RHSA-2022:8098 0 None None None 2022-11-15 10:15:39 UTC
Red Hat Product Errata RHSA-2022:8250 0 None None None 2022-11-15 10:44:10 UTC
Red Hat Product Errata RHSA-2022:8626 0 None None None 2022-11-28 20:43:47 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:58:07 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:29 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:35:11 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:39:33 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:55:30 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:43:30 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:34:37 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:08:54 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:14:48 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:00:29 UTC
Red Hat Product Errata RHSA-2023:3664 0 None None None 2023-06-19 10:33:11 UTC

Description Anten Skrabec 2022-07-14 20:34:07 UTC 
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating a "chunked" encoding. This could potentially allow for request smuggling, but only if combined with an intermediate server that also improperly failed to reject the header as invalid.
Comment 1 Anten Skrabec 2022-07-14 20:34:23 UTC 
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107375]
Comment 6 Avinash Hanwate 2022-07-25 06:13:23 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110278]
Comment 27 errata-xmlrpc 2022-08-01 12:04:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775
Comment 28 errata-xmlrpc 2022-08-01 16:03:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799
Comment 29 errata-xmlrpc 2022-08-02 09:53:26 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866
Comment 30 errata-xmlrpc 2022-08-10 11:37:28 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042
Comment 31 errata-xmlrpc 2022-08-10 13:16:13 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040
Comment 39 errata-xmlrpc 2022-08-18 15:10:56 UTC 
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113
Comment 43 errata-xmlrpc 2022-08-25 10:09:02 UTC 
This issue has been addressed in the following products:

  Node Healthcheck Operator 0.3 for RHEL 8

Via RHSA-2022:6187 https://access.redhat.com/errata/RHSA-2022:6187
Comment 44 errata-xmlrpc 2022-08-25 11:21:09 UTC 
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188
Comment 45 errata-xmlrpc 2022-09-01 05:41:12 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152
Comment 46 errata-xmlrpc 2022-09-06 12:58:40 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347
Comment 47 errata-xmlrpc 2022-09-06 13:02:53 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346
Comment 48 errata-xmlrpc 2022-09-06 13:32:31 UTC 
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:6183 https://access.redhat.com/errata/RHSA-2022:6183
Comment 49 errata-xmlrpc 2022-09-06 13:43:13 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348
Comment 50 errata-xmlrpc 2022-09-06 14:34:11 UTC 
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
Comment 51 errata-xmlrpc 2022-09-06 17:00:34 UTC 
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:6344 https://access.redhat.com/errata/RHSA-2022:6344
Comment 52 errata-xmlrpc 2022-09-06 22:29:45 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
Comment 53 errata-xmlrpc 2022-09-13 02:10:16 UTC 
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430
Comment 58 errata-xmlrpc 2022-10-25 09:29:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129
Comment 62 errata-xmlrpc 2022-11-08 09:26:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519
Comment 63 errata-xmlrpc 2022-11-08 09:28:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529
Comment 64 errata-xmlrpc 2022-11-08 10:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648
Comment 65 errata-xmlrpc 2022-11-15 10:06:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057
Comment 66 errata-xmlrpc 2022-11-15 10:15:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8098 https://access.redhat.com/errata/RHSA-2022:8098
Comment 67 errata-xmlrpc 2022-11-15 10:44:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250
Comment 73 errata-xmlrpc 2022-11-28 20:43:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626
Comment 76 errata-xmlrpc 2022-12-15 01:57:55 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047
Comment 97 errata-xmlrpc 2023-01-17 19:36:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399
Comment 98 errata-xmlrpc 2023-01-24 12:49:17 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 99 errata-xmlrpc 2023-01-24 13:35:02 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 111 errata-xmlrpc 2023-03-06 18:39:23 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 114 errata-xmlrpc 2023-03-15 19:55:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 115 errata-xmlrpc 2023-03-30 00:43:21 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 119 errata-xmlrpc 2023-05-09 07:34:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357
Comment 120 Nick Tait 2023-05-09 18:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11.0

Via https://access.redhat.com/errata/RHSA-2022:5068
Comment 122 errata-xmlrpc 2023-05-16 08:08:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 123 errata-xmlrpc 2023-05-16 08:14:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 125 Product Security DevOps Team 2023-05-16 23:47:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1705
Comment 126 errata-xmlrpc 2023-06-15 16:00:18 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 128 errata-xmlrpc 2023-06-19 10:33:02 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3664 https://access.redhat.com/errata/RHSA-2023:3664
Note You need to log in before you can comment on or make changes to this bug.