Bug 2178488 (CVE-2022-41725) - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41725
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2178493 2178494 2179228 2179229 2179230 2179231 2179232 2179233 2179234 2179237 2179238 2179239 2179240 2179241 2179242 2179243 2179244 2179245 2179246 2179925 2179926 2179927 2179935 2179936 2179937 2179938 2179939 2179943 2179944 2179945 2179946 2179947 2179948 2179949 2179950 2179951 2179952 2179953 2179954 2179955 2179956 2179957 2179958 2179959 2179960 2179961 2179962 2179963 2179964 2179965 2179966 2179967 2179968 2179969
Blocks: 2169910
Reported: 2023-03-15 04:55 UTC by Avinash Hanwate
Modified: 2024-04-02 15:27 UTC
CC List: 148 users

Fixed In Version: golang 1.20.1, golang 1.19.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go, where it is vulnerable to a denial of service caused by an excessive resource consumption flaw in the net/http and mime/multipart packages. By sending a specially-crafted request, a remote attacker can cause a denial of service.
Clone Of:
Environment:
Last Closed: 2023-06-06 04:56:45 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6108 0 None None None 2023-10-25 12:15:30 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:28:09 UTC
Red Hat Product Errata RHSA-2023:1325 0 None None None 2023-05-17 22:54:00 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:42 UTC
Red Hat Product Errata RHSA-2023:1639 0 None None None 2023-04-05 01:15:11 UTC
Red Hat Product Errata RHSA-2023:1817 0 None None None 2023-04-18 01:01:41 UTC
Red Hat Product Errata RHSA-2023:2107 0 None None None 2023-05-04 01:50:17 UTC
Red Hat Product Errata RHSA-2023:3083 0 None None None 2023-05-16 09:59:23 UTC
Red Hat Product Errata RHSA-2023:3167 0 None None None 2023-05-18 11:34:18 UTC
Red Hat Product Errata RHSA-2023:3445 0 None None None 2023-06-05 14:08:07 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:24 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:42:52 UTC
Red Hat Product Errata RHSA-2023:3612 0 None None None 2023-06-23 04:39:45 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:29 UTC
Red Hat Product Errata RHSA-2023:4003 0 None None None 2023-07-10 08:51:21 UTC
Red Hat Product Errata RHSA-2023:4335 0 None None None 2023-08-08 00:36:27 UTC
Red Hat Product Errata RHSA-2023:4470 0 None None None 2023-08-03 14:12:43 UTC
Red Hat Product Errata RHSA-2023:4627 0 None None None 2023-08-14 01:02:43 UTC
Red Hat Product Errata RHSA-2023:5935 0 None None None 2023-10-19 16:50:30 UTC
Red Hat Product Errata RHSA-2023:5964 0 None None None 2023-10-20 14:57:09 UTC
Red Hat Product Errata RHSA-2023:6346 0 None None None 2023-11-07 08:13:31 UTC
Red Hat Product Errata RHSA-2023:6363 0 None None None 2023-11-07 08:14:02 UTC
Red Hat Product Errata RHSA-2023:6402 0 None None None 2023-11-07 08:15:50 UTC
Red Hat Product Errata RHSA-2023:6473 0 None None None 2023-11-07 08:17:06 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:17:37 UTC
Red Hat Product Errata RHSA-2023:6817 0 None None None 2023-11-08 14:03:42 UTC
Red Hat Product Errata RHSA-2023:6938 0 None None None 2023-11-14 15:16:28 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:09 UTC
Red Hat Product Errata RHSA-2023:7672 0 None None None 2023-12-06 14:36:43 UTC

Description Avinash Hanwate 2023-03-15 04:55:12 UTC
A denial of service is possible from excessive resource consumption in net/http and mime/multipart.

Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory and disk files. This also affects form parsing in the net/http package with the Request methods FormFile, FormValue, ParseMultipartForm, and PostFormValue.

ReadForm takes a maxMemory parameter, and is documented as storing "up to maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts which cannot be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file parts is excessively large and can potentially open a denial of service vector on its own. However, ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead, part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small request body to create a large number of disk temporary files.

With fix, ReadForm now properly accounts for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory bytes of memory consumption. Users should still be aware that this limit is high and may still be hazardous.

In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form parts into a single temporary file. The mime/multipart.File interface type's documentation states, "If stored on disk, the File's underlying concrete type will be an *os.File.". This is no longer the case when a form contains more than one file part, due to this coalescing of parts into a single file. The previous behavior of using distinct files for each form part may be re-enabled with the environment variable GODEBUG=multipartfiles=distinct.

Users should be aware that multipart.ReadForm and the http.Request methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the size of form data with http.MaxBytesReader.

https://go.dev/issue/58006
https://go.dev/cl/468124
https://pkg.go.dev/vuln/GO-2023-1569
https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E

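The mitigation the description points to (bounding the form body with http.MaxBytesReader before any of the net/http form methods run), shown as an added example that is not part of this bug report and not code from the Go project: a handler that wraps r.Body in http.MaxBytesReader and then calls ParseMultipartForm, exercised in-process against constructed multipart bodies and compared with the same handler without the wrapper. The handler and helper names (newUploadHandler, buildForm, post), the limits (1 MiB body, 1 MiB maxMemory, 4 MiB maxMemory for the unprotected variant) and the synthetic form contents are all assumptions chosen for the example, not values from the advisory.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"mime/multipart"
	"net/http"
	"net/http/httptest"
)

// newUploadHandler returns a handler that parses a multipart form.
// maxBody > 0 wraps the body in http.MaxBytesReader before parsing. That cap
// covers the whole request body (file content, part headers, boundaries), so
// it also caps what ReadForm can buffer in memory or spill to temporary files.
// maxBody <= 0 reproduces the common unprotected pattern for comparison.
// Both limits are example values (assumptions), not figures from the advisory.
func newUploadHandler(maxBody, maxMemory int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if maxBody > 0 {
			r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		}
		if err := r.ParseMultipartForm(maxMemory); err != nil {
			var tooBig *http.MaxBytesError // error type MaxBytesReader returns (Go 1.19+)
			if errors.As(err, &tooBig) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "bad multipart form", http.StatusBadRequest)
			return
		}
		// Delete any temporary file ReadForm created for oversized file parts;
		// it stays on disk until the caller removes it.
		defer r.MultipartForm.RemoveAll()
		files := 0
		for _, fhs := range r.MultipartForm.File {
			files += len(fhs)
		}
		fmt.Fprintf(w, "ok: %d file part(s)", files)
	}
}

// buildForm constructs a multipart/form-data body with `parts` file parts of
// `partSize` bytes each (constructed input for the example, not captured traffic).
func buildForm(parts, partSize int) (*bytes.Buffer, string, error) {
	body := &bytes.Buffer{}
	mw := multipart.NewWriter(body)
	chunk := bytes.Repeat([]byte("A"), partSize)
	for i := 0; i < parts; i++ {
		fw, err := mw.CreateFormFile(fmt.Sprintf("f%d", i), fmt.Sprintf("f%d.bin", i))
		if err != nil {
			return nil, "", err
		}
		if _, err := fw.Write(chunk); err != nil {
			return nil, "", err
		}
	}
	if err := mw.Close(); err != nil {
		return nil, "", err
	}
	return body, mw.FormDataContentType(), nil
}

// post sends the constructed form through h in-process and returns the HTTP status code.
func post(h http.Handler, parts, partSize int) (int, error) {
	body, ct, err := buildForm(parts, partSize)
	if err != nil {
		return 0, err
	}
	req := httptest.NewRequest(http.MethodPost, "/upload", body)
	req.Header.Set("Content-Type", ct)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, nil
}

func main() {
	const mib = 1 << 20
	unbounded := newUploadHandler(0, 4*mib)   // no body cap: swallows whatever is sent
	bounded := newUploadHandler(1*mib, 1*mib) // 1 MiB body cap via MaxBytesReader
	cases := []struct {
		name            string
		h               http.Handler
		parts, partSize int
	}{
		{"unbounded, one 1.5 MiB part", unbounded, 1, 3 * mib / 2},
		{"bounded, one 1.5 MiB part", bounded, 1, 3 * mib / 2},
		{"bounded, three 100 KiB parts", bounded, 3, 100 << 10},
	}
	for _, c := range cases {
		code, err := post(c.h, c.parts, c.partSize)
		fmt.Printf("%-30s -> %d %v\n", c.name, code, err)
	}
}
```

The unprotected handler accepts the 1.5 MiB part; the wrapped one answers 413 as soon as the body crosses 1 MiB, and on a real net/http server MaxBytesReader also asks the ResponseWriter to close the connection once the limit is hit. Because ReadForm cannot write more bytes to disk than it reads from the body, the body cap bounds temporary-file usage as well; here maxMemory is set equal to the body cap, so every file part stays in memory and no temporary file is created at all. Lowering maxMemory below the cap moves the excess into the (post-fix, single) temporary file but does not raise the total. The 10 MB reserve for non-file parts that the description calls unconfigurable still sits on top of maxMemory, which is another reason to keep the body cap itself small.
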
Comment 1 Avinash Hanwate 2023-03-15 05:34:18 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2178493]
Affects: fedora-all [bug 2178494]

Comment 14 errata-xmlrpc 2023-04-05 01:15:04 UTC
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:1639 https://access.redhat.com/errata/RHSA-2023:1639

Comment 17 errata-xmlrpc 2023-04-18 01:01:37 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.2.0-RHEL-9

Via RHSA-2023:1817 https://access.redhat.com/errata/RHSA-2023:1817

Comment 20 errata-xmlrpc 2023-05-04 01:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107

Comment 24 errata-xmlrpc 2023-05-16 09:59:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3083 https://access.redhat.com/errata/RHSA-2023:3083

Comment 25 errata-xmlrpc 2023-05-17 22:31:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 26 errata-xmlrpc 2023-05-17 22:53:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 27 errata-xmlrpc 2023-05-18 11:34:12 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2023:3167 https://access.redhat.com/errata/RHSA-2023:3167

Comment 28 errata-xmlrpc 2023-05-18 14:28:04 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584

Comment 30 errata-xmlrpc 2023-06-05 14:08:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:3445 https://access.redhat.com/errata/RHSA-2023:3445

Comment 31 errata-xmlrpc 2023-06-05 16:44:18 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 32 errata-xmlrpc 2023-06-05 23:42:45 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 33 Product Security DevOps Team 2023-06-06 04:56:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41725

Comment 34 errata-xmlrpc 2023-06-22 19:52:22 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742

Comment 35 errata-xmlrpc 2023-06-23 04:39:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3612 https://access.redhat.com/errata/RHSA-2023:3612

Comment 36 errata-xmlrpc 2023-07-10 08:51:14 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 8
  Service Interconnect 1 for RHEL 9

Via RHSA-2023:4003 https://access.redhat.com/errata/RHSA-2023:4003

Comment 38 errata-xmlrpc 2023-08-03 14:12:35 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.3 for RHEL 8

Via RHSA-2023:4470 https://access.redhat.com/errata/RHSA-2023:4470

Comment 39 errata-xmlrpc 2023-08-08 00:36:20 UTC
This issue has been addressed in the following products:

  CERT-MANAGER-1.10-RHEL-9

Via RHSA-2023:4335 https://access.redhat.com/errata/RHSA-2023:4335

Comment 40 errata-xmlrpc 2023-08-14 01:02:35 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 42 errata-xmlrpc 2023-10-19 16:50:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5935 https://access.redhat.com/errata/RHSA-2023:5935

Comment 43 errata-xmlrpc 2023-10-20 14:57:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2023:5964 https://access.redhat.com/errata/RHSA-2023:5964

Comment 44 errata-xmlrpc 2023-11-07 08:13:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 45 errata-xmlrpc 2023-11-07 08:13:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6363 https://access.redhat.com/errata/RHSA-2023:6363

Comment 46 errata-xmlrpc 2023-11-07 08:15:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6402 https://access.redhat.com/errata/RHSA-2023:6402

Comment 47 errata-xmlrpc 2023-11-07 08:16:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473

Comment 48 errata-xmlrpc 2023-11-07 08:17:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474

Comment 49 errata-xmlrpc 2023-11-08 14:03:33 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817

Comment 50 errata-xmlrpc 2023-11-14 15:16:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 51 errata-xmlrpc 2023-11-14 15:17:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 53 errata-xmlrpc 2023-12-06 14:36:33 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.14

Via RHSA-2023:7672 https://access.redhat.com/errata/RHSA-2023:7672

