Bug 2124669 (CVE-2022-27664) - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
Summary: CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-27664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2127944 2125779 2126630 2126631 2126633 2126634 2126635 2126636 2126637 2126638 2126639 2126641 2126642 2126643 2126644 2126645 2126646 2126733 2126734 2126735 2126739 2126740 2126741 2126742 2126743 2126744 2126745 2126746 2126747 2126748 2126749 2126750 2126751 2126752 2126753 2126754 2126755 2126756 2126757 2126758 2126759 2126760 2126761 2126762 2126763 2126764 2126765 2126766 2126767 2126768 2126769 2126770 2126771 2126772 2126773 2127945 2134425 2134426 2168805
Blocks: 2124673
Reported: 2022-09-06 18:05 UTC by TEJ RATHI
Modified: 2024-04-04 12:22 UTC (History)
CC: 129 users

Fixed In Version: golang 1.19.1, golang 1.18.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package. In Go's net/http, an attacker can cause a denial of service because an HTTP/2 connection can hang while closing if a fatal error preempts the shutdown.
Clone Of:
Environment:
Last Closed: 2023-05-18 19:41:19 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:31:02 UTC
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:34 UTC
Red Hat Product Errata RHSA-2022:8535 0 None None None 2022-11-24 04:14:15 UTC
Red Hat Product Errata RHSA-2022:8626 0 None None None 2022-11-28 20:44:00 UTC
Red Hat Product Errata RHSA-2022:8634 0 None None None 2022-11-28 02:52:05 UTC
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:37:45 UTC
Red Hat Product Errata RHSA-2023:0264 0 None None None 2023-01-19 11:04:27 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:20:54 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:27:48 UTC
Red Hat Product Errata RHSA-2023:0631 0 None None None 2023-02-07 17:24:17 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:17:54 UTC
Red Hat Product Errata RHSA-2023:0708 0 None None None 2023-02-09 09:26:12 UTC
Red Hat Product Errata RHSA-2023:0709 0 None None None 2023-02-09 12:05:29 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:40:48 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:02 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:43:53 UTC
Red Hat Product Errata RHSA-2023:2167 0 None None None 2023-05-09 07:13:43 UTC
Red Hat Product Errata RHSA-2023:2177 0 None None None 2023-05-09 07:14:01 UTC
Red Hat Product Errata RHSA-2023:2193 0 None None None 2023-05-09 07:15:59 UTC
Red Hat Product Errata RHSA-2023:2204 0 None None None 2023-05-09 07:17:38 UTC
Red Hat Product Errata RHSA-2023:2236 0 None None None 2023-05-09 07:20:41 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:35:20 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:09:45 UTC
Red Hat Product Errata RHSA-2023:2780 0 None None None 2023-05-16 08:11:45 UTC
Red Hat Product Errata RHSA-2023:2784 0 None None None 2023-05-16 08:12:09 UTC
Red Hat Product Errata RHSA-2023:2785 0 None None None 2023-05-16 08:12:29 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:14:31 UTC
Red Hat Product Errata RHSA-2023:3204 0 None None None 2023-05-18 00:36:28 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:19 UTC
Red Hat Product Errata RHSA-2023:3613 0 None None None 2023-06-26 01:16:00 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:00:58 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:51:55 UTC
Red Hat Product Errata RHSA-2023:4674 0 None None None 2023-08-23 16:42:46 UTC
Red Hat Product Errata RHSA-2023:4734 0 None None None 2023-08-30 19:56:29 UTC
Red Hat Product Errata RHSA-2023:5009 0 None None None 2023-10-31 14:02:09 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:27:51 UTC

Description TEJ RATHI 2022-09-06 18:05:27 UTC
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

References:
https://go.dev/issue/54658
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ

Upstream Commits:
Master: https://github.com/golang/go/commit/29af494fca8a25d7d46276f6d4835c4dcd09e47d
Branch.go1.18: https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479
Branch.go1.19: https://github.com/golang/go/commit/9cfe4e258b1c9d4a04a42539c21c7bdb2e227824
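As an added triage aid that is not part of this tracker entry or of the Go project's own code: the check below compares a Go toolchain version string against the "Fixed In Version" values on this page (golang 1.19.1 and golang 1.18.6) to decide whether a binary was built with an unpatched upstream toolchain. The handling of release lines other than 1.18 and 1.19 (newer lines treated as fixed, 1.17 and older as never patched upstream) is an assumption, and distribution packages such as the Red Hat builds covered by the errata here may carry the fix as a backport under an older version string, so the verdict is only conclusive for upstream toolchains.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Verdict is the outcome of comparing a toolchain version against the fixed versions.
type Verdict int

const (
	Unknown    Verdict = iota // pre-release or development toolchain; the version alone is inconclusive
	Vulnerable                // release line below the first fixed patch release
	Fixed                     // at or above the fixed patch release, or a newer release line
)

func (v Verdict) String() string {
	switch v {
	case Vulnerable:
		return "vulnerable"
	case Fixed:
		return "fixed"
	}
	return "unknown"
}

// First patch release carrying the fix per release line, taken from the
// tracker's "Fixed In Version" field: golang 1.19.1 and golang 1.18.6.
var fixedPatch = map[string]int{
	"1.18": 6,
	"1.19": 1,
}

// Release toolchain strings look like "go1.18.5" or "go1.19" (no patch component means .0).
var goVersionRe = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// parseGoVersion splits a release version string into its numeric parts.
// Pre-release ("go1.19rc2") and development ("devel +...") strings do not match
// and are reported as unparsable so the caller can treat them as unknown.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	m := goVersionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// Assess maps a toolchain version string to a verdict for CVE-2022-27664.
func Assess(version string) Verdict {
	major, minor, patch, ok := parseGoVersion(version)
	if !ok {
		return Unknown
	}
	line := fmt.Sprintf("%d.%d", major, minor)
	if fp, listed := fixedPatch[line]; listed {
		if patch >= fp {
			return Fixed
		}
		return Vulnerable
	}
	// Assumption: release lines newer than 1.19 were cut after the fix landed on
	// master, and lines older than 1.18 were out of upstream support and never got it.
	if major > 1 || (major == 1 && minor > 19) {
		return Fixed
	}
	return Vulnerable
}

func main() {
	// Checks the toolchain this binary was built with. Distribution toolchains
	// (such as the Red Hat golang packages in the errata on this page) may carry
	// the fix as a backport under an older version string, so the result is only
	// conclusive for upstream toolchains.
	v := runtime.Version()
	fmt.Printf("%s: %s with respect to CVE-2022-27664\n", v, Assess(v))
}
```

For a fleet of existing binaries, the same comparison can be applied to the Go version that `go version <binary>` reports, since that reads the toolchain string embedded in the executable rather than the toolchain installed on the host.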

Comment 2 Avinash Hanwate 2022-09-14 07:51:39 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2126630]
Affects: fedora-all [bug 2126631]

Comment 9 errata-xmlrpc 2022-10-25 09:30:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129

Comment 16 errata-xmlrpc 2022-11-24 04:14:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8535 https://access.redhat.com/errata/RHSA-2022:8535

Comment 17 errata-xmlrpc 2022-11-28 02:51:58 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:8634 https://access.redhat.com/errata/RHSA-2022:8634

Comment 19 errata-xmlrpc 2022-11-28 20:43:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626

Comment 20 errata-xmlrpc 2022-12-08 07:37:38 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781

Comment 39 errata-xmlrpc 2023-01-17 14:51:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 40 errata-xmlrpc 2023-01-19 11:04:21 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264

Comment 41 errata-xmlrpc 2023-01-30 17:20:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 49 errata-xmlrpc 2023-02-07 17:24:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0631 https://access.redhat.com/errata/RHSA-2023:0631

Comment 51 errata-xmlrpc 2023-02-09 02:17:46 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 52 errata-xmlrpc 2023-02-09 09:26:05 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708

Comment 53 errata-xmlrpc 2023-02-09 12:05:22 UTC
This issue has been addressed in the following products:

  RHOSS-1.27-RHEL-8

Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709

Comment 58 errata-xmlrpc 2023-03-06 18:40:41 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042

Comment 61 errata-xmlrpc 2023-03-15 19:55:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 62 errata-xmlrpc 2023-03-30 00:43:46 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529

Comment 66 errata-xmlrpc 2023-05-09 07:13:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167

Comment 67 errata-xmlrpc 2023-05-09 07:13:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2177 https://access.redhat.com/errata/RHSA-2023:2177

Comment 68 errata-xmlrpc 2023-05-09 07:15:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2193 https://access.redhat.com/errata/RHSA-2023:2193

Comment 69 errata-xmlrpc 2023-05-09 07:17:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204

Comment 70 errata-xmlrpc 2023-05-09 07:20:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2236 https://access.redhat.com/errata/RHSA-2023:2236

Comment 71 errata-xmlrpc 2023-05-09 07:35:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357

Comment 74 errata-xmlrpc 2023-05-16 08:09:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758

Comment 75 errata-xmlrpc 2023-05-16 08:11:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780

Comment 76 errata-xmlrpc 2023-05-16 08:12:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784

Comment 77 errata-xmlrpc 2023-05-16 08:12:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2785 https://access.redhat.com/errata/RHSA-2023:2785

Comment 78 errata-xmlrpc 2023-05-16 08:14:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802

Comment 80 errata-xmlrpc 2023-05-18 00:36:23 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204

Comment 81 errata-xmlrpc 2023-05-18 02:55:12 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 82 errata-xmlrpc 2023-05-18 14:27:40 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 83 Product Security DevOps Team 2023-05-18 19:41:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-27664

Comment 84 errata-xmlrpc 2023-06-15 16:00:49 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 85 errata-xmlrpc 2023-06-22 19:51:46 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 86 errata-xmlrpc 2023-06-26 01:15:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613

Comment 88 errata-xmlrpc 2023-08-23 16:42:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:4674 https://access.redhat.com/errata/RHSA-2023:4674

Comment 89 errata-xmlrpc 2023-08-30 19:56:20 UTC
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.13
  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4734 https://access.redhat.com/errata/RHSA-2023:4734

Comment 91 errata-xmlrpc 2023-10-31 14:02:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5009 https://access.redhat.com/errata/RHSA-2023:5009

Comment 92 errata-xmlrpc 2024-01-10 11:27:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121