Bug 2132868 (CVE-2022-2880) - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
Summary: CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unpa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2880
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2138888 2132876 2132877 2133915 2133916 2133917 2133920 2133922 2133923 2133925 2133926 2133927 2134346 2134405 2134406 2134407 2134441 2134442 2134443 2134445 2134446 2134447 2134448 2134449 2134450 2134453 2134454 2134455 2134456 2134457 2134471 2134472 2134473 2134474 2134475 2134476 2134477 2136717 2136718 2136719 2136720 2136721 2136722 2136723 2136835 2136839 2136841 2136843 2136849 2138889
Blocks: 2132475
Reported: 2022-10-07 04:54 UTC by Avinash Hanwate
Modified: 2024-04-02 15:27 UTC (History)

Fixed In Version: go 1.19.2, go 1.18.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package, where requests forwarded by reverse proxy include the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This issue could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value. After the fix, the reverse proxy sanitizes the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies that do not parse query parameters continue to forward the original query parameters unchanged.
Clone Of:
Environment:
Last Closed: 2023-05-18 19:42:27 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:36 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:37:34 UTC
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:37:59 UTC
Red Hat Product Errata RHSA-2023:0264 0 None None None 2023-01-19 11:04:41 UTC
Red Hat Product Errata RHSA-2023:0328 0 None None None 2023-01-23 15:20:28 UTC
Red Hat Product Errata RHSA-2023:0445 0 None None None 2023-01-25 08:31:04 UTC
Red Hat Product Errata RHSA-2023:0446 0 None None None 2023-01-25 09:16:00 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:21:03 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:27:58 UTC
Red Hat Product Errata RHSA-2023:0631 0 None None None 2023-02-07 17:24:17 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:17:32 UTC
Red Hat Product Errata RHSA-2023:0708 0 None None None 2023-02-09 09:26:10 UTC
Red Hat Product Errata RHSA-2023:0709 0 None None None 2023-02-09 12:05:40 UTC
Red Hat Product Errata RHSA-2023:0727 0 None None None 2023-02-16 14:14:20 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:40:53 UTC
Red Hat Product Errata RHSA-2023:1174 0 None None None 2023-03-09 01:25:08 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:02 UTC
Red Hat Product Errata RHSA-2023:2167 0 None None None 2023-05-09 07:13:50 UTC
Red Hat Product Errata RHSA-2023:2204 0 None None None 2023-05-09 07:17:51 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:35:19 UTC
Red Hat Product Errata RHSA-2023:2780 0 None None None 2023-05-16 08:11:54 UTC
Red Hat Product Errata RHSA-2023:2784 0 None None None 2023-05-16 08:12:25 UTC
Red Hat Product Errata RHSA-2023:2866 0 None None None 2023-05-16 08:21:54 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:33 UTC
Red Hat Product Errata RHSA-2023:3613 0 None None None 2023-06-26 01:16:02 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:01:15 UTC
Red Hat Product Errata RHSA-2023:3664 0 None None None 2023-06-19 10:33:08 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:01 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:11 UTC
Red Hat Product Errata RHSA-2024:0121 0 None None None 2024-01-10 11:27:52 UTC

Description Avinash Hanwate 2022-10-07 04:54:12 UTC
Requests forwarded by ReverseProxy included the raw query parameters from the inbound request, including unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy forwards a parameter with an unparseable value.

ReverseProxy will now sanitize the query parameters in the forwarded query when the outbound request's Form field is set after the ReverseProxy.Director function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse query parameters continue to forward the original query parameters unchanged.

Ref: https://groups.google.com/g/golang-announce/c/xtuG5faxtaU?pli=1
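As an added example (not code from this bug or from the Go project), the Go program below shows the kind of parameter the description calls unparseable and a Director wrapper that applies the same sanitization explicitly, so a proxy that never parses the form (the condition the stdlib fix depends on) still drops such pairs. `sanitizeRawQuery` and `hardenedDirector` are hypothetical names; the echo backend and the inbound request are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// sanitizeRawQuery mirrors what the fixed ReverseProxy does to the forwarded
// query: if net/http rejects a pair (bad percent-encoding like "%zz", or a ';')
// the query is rebuilt from the accepted pairs; a clean query passes unchanged.
func sanitizeRawQuery(raw string) string {
	values, err := url.ParseQuery(raw) // values holds every pair that parsed
	if err == nil {
		return raw
	}
	return values.Encode()
}

// hardenedDirector wraps a Director so the query is sanitized even if the proxy
// never parses the form (which the stdlib fix requires) or runs an older Go.
func hardenedDirector(base func(*http.Request)) func(*http.Request) {
	return func(req *http.Request) {
		base(req)
		req.URL.RawQuery = sanitizeRawQuery(req.URL.RawQuery)
	}
}

func main() {
	// Constructed backend that echoes the raw query it actually received.
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.URL.RawQuery)
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Director = hardenedDirector(proxy.Director)
	front := httptest.NewServer(proxy)
	defer front.Close()
	resp, err := http.Get(front.URL + "/?a=1&b=%zz&c=2") // constructed; b=%zz is the unparseable pair
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	fmt.Printf("backend received: %q\n", body) // "a=1&c=2": b=%zz was not forwarded
}
```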

Comment 1 Avinash Hanwate 2022-10-07 05:05:31 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2132876]
Affects: fedora-all [bug 2132877]

Comment 17 errata-xmlrpc 2022-12-08 07:37:53 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781

Comment 36 errata-xmlrpc 2023-01-17 14:51:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 37 errata-xmlrpc 2023-01-17 19:37:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399

Comment 38 errata-xmlrpc 2023-01-19 11:04:36 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264

Comment 42 errata-xmlrpc 2023-01-23 15:20:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0328 https://access.redhat.com/errata/RHSA-2023:0328

Comment 43 errata-xmlrpc 2023-01-25 08:31:00 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2023:0445 https://access.redhat.com/errata/RHSA-2023:0445

Comment 44 errata-xmlrpc 2023-01-25 09:15:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0446 https://access.redhat.com/errata/RHSA-2023:0446

Comment 45 errata-xmlrpc 2023-01-30 17:20:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 53 errata-xmlrpc 2023-02-07 17:24:12 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0631 https://access.redhat.com/errata/RHSA-2023:0631

Comment 55 errata-xmlrpc 2023-02-09 02:17:27 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693

Comment 56 errata-xmlrpc 2023-02-09 09:26:06 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708

Comment 57 errata-xmlrpc 2023-02-09 12:05:36 UTC
This issue has been addressed in the following products:

  RHOSS-1.27-RHEL-8

Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709

Comment 58 errata-xmlrpc 2023-02-16 14:14:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0727 https://access.redhat.com/errata/RHSA-2023:0727

Comment 60 errata-xmlrpc 2023-03-06 18:40:47 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042

Comment 61 errata-xmlrpc 2023-03-09 01:25:02 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1174 https://access.redhat.com/errata/RHSA-2023:1174

Comment 64 errata-xmlrpc 2023-03-15 19:55:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 65 errata-xmlrpc 2023-05-09 07:13:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167

Comment 66 errata-xmlrpc 2023-05-09 07:17:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204

Comment 67 errata-xmlrpc 2023-05-09 07:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357

Comment 70 errata-xmlrpc 2023-05-16 08:11:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780

Comment 71 errata-xmlrpc 2023-05-16 08:12:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784

Comment 72 errata-xmlrpc 2023-05-16 08:21:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2866 https://access.redhat.com/errata/RHSA-2023:2866

Comment 74 errata-xmlrpc 2023-05-18 02:55:28 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205

Comment 75 errata-xmlrpc 2023-05-18 14:27:53 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 76 Product Security DevOps Team 2023-05-18 19:42:22 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2880

Comment 77 errata-xmlrpc 2023-06-15 16:01:08 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642

Comment 79 errata-xmlrpc 2023-06-19 10:33:02 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3664 https://access.redhat.com/errata/RHSA-2023:3664

Comment 80 errata-xmlrpc 2023-06-22 19:51:56 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 81 errata-xmlrpc 2023-06-26 01:15:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613

Comment 82 errata-xmlrpc 2023-07-10 08:51:06 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 84 errata-xmlrpc 2024-01-10 11:27:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0121 https://access.redhat.com/errata/RHSA-2024:0121
