Bug 2295310 (CVE-2024-24791) - CVE-2024-24791 net/http: Denial of service due to improper 100-continue handling in net/http [NEEDINFO]
Summary: CVE-2024-24791 net/http: Denial of service due to improper 100-continue handling in net/http
Keywords:
Status: NEW
Alias: CVE-2024-24791
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2297318 2297321 2297323 2297325 2297326 2297328 2297619 2297620 2297320 2297324 2297327 2297329
Blocks:
Reported: 2024-07-02 22:00 UTC by OSIDB Bzimport
Modified: 2024-10-03 15:28 UTC (History)
CC List: 149 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Go. The net/http module mishandles specific server responses from HTTP/1.1 client requests. This issue may render a connection invalid and cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:
debarshir: needinfo? (ahanwate)
debarshir: needinfo? (psampaio)


Attachments:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2024:7096  0        None      None    None     2024-09-25 06:51:56 UTC
Red Hat Product Errata  RHBA-2024:7353  0        None      None    None     2024-09-30 03:52:27 UTC
Red Hat Product Errata  RHSA-2024:5537  0        None      None    None     2024-08-19 06:09:51 UTC
Red Hat Product Errata  RHSA-2024:6462  0        None      None    None     2024-09-09 00:49:23 UTC
Red Hat Product Errata  RHSA-2024:6908  0        None      None    None     2024-09-23 01:47:20 UTC
Red Hat Product Errata  RHSA-2024:6912  0        None      None    None     2024-09-23 01:52:44 UTC
Red Hat Product Errata  RHSA-2024:6913  0        None      None    None     2024-09-23 01:48:14 UTC
Red Hat Product Errata  RHSA-2024:6914  0        None      None    None     2024-09-23 01:37:18 UTC
Red Hat Product Errata  RHSA-2024:6969  0        None      None    None     2024-09-24 03:21:50 UTC
Red Hat Product Errata  RHSA-2024:7074  0        None      None    None     2024-09-25 00:44:41 UTC
Red Hat Product Errata  RHSA-2024:7348  0        None      None    None     2024-09-30 00:50:49 UTC
Red Hat Product Errata  RHSA-2024:7349  0        None      None    None     2024-09-30 01:21:40 UTC

Description OSIDB Bzimport 2024-07-02 22:00:22 UTC
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Comment 1 Pedro Sampaio 2024-07-11 14:10:26 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2297318]

Comment 12 Debarshi Ray 2024-08-09 15:15:34 UTC
There is something wrong with this CVE tracker bug.

The CVE is in Go's standard net/http package, which is part of the golang RPM.  However, I don't see any mention of golang here.  I also don't see any mention of prominent RPMs that use Go and might need to be rebuilt against a golang where the CVE is fixed, e.g., podman and toolbox.  However, I do know about the existence of two toolbox Jira issues that were filed for this CVE:
https://issues.redhat.com/browse/RHEL-47194
https://issues.redhat.com/browse/RHEL-47199

So, it seems like something went wrong where this tracker bug doesn't depend on all the corresponding child issues and bugs.

This isn't just an academic problem, because I use this metadata to figure out the corresponding golang issues to know when the CVE would get fixed in golang, so that builds can be done against it.

Comment 13 Debarshi Ray 2024-08-09 15:35:41 UTC
(In reply to Debarshi Ray from comment #12)
> There is something wrong with this CVE tracker bug.
> 
> The CVE is in Go's standard net/http package, which is part of the golang
> RPM.  However, I don't see any mention of golang here.  I also don't see any
> mention of prominent RPMs that use Go and might need to be rebuilt against a
> golang where the CVE is fixed, e.g., podman and toolbox.  However, I do
> know about the existence of two toolbox Jira issues that were filed for this
> CVE:
> https://issues.redhat.com/browse/RHEL-47194
> https://issues.redhat.com/browse/RHEL-47199

I did some digging, and the corresponding golang bugs are:
https://issues.redhat.com/browse/RHEL-47200
https://issues.redhat.com/browse/RHEL-47161

Comment 14 errata-xmlrpc 2024-08-19 06:09:43 UTC
This issue has been addressed in the following products:

  Cryostat 3 on RHEL 8

Via RHSA-2024:5537 https://access.redhat.com/errata/RHSA-2024:5537

Comment 17 errata-xmlrpc 2024-09-09 00:49:14 UTC
This issue has been addressed in the following products:

  Cost Management for RHEL 8

Via RHSA-2024:6462 https://access.redhat.com/errata/RHSA-2024:6462

Comment 19 errata-xmlrpc 2024-09-23 01:37:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:6914 https://access.redhat.com/errata/RHSA-2024:6914

Comment 20 errata-xmlrpc 2024-09-23 01:47:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6908 https://access.redhat.com/errata/RHSA-2024:6908

Comment 21 errata-xmlrpc 2024-09-23 01:48:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6913 https://access.redhat.com/errata/RHSA-2024:6913

Comment 22 errata-xmlrpc 2024-09-23 01:52:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:6912 https://access.redhat.com/errata/RHSA-2024:6912

Comment 23 errata-xmlrpc 2024-09-24 03:21:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6969 https://access.redhat.com/errata/RHSA-2024:6969

Comment 24 errata-xmlrpc 2024-09-25 00:44:32 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:7074 https://access.redhat.com/errata/RHSA-2024:7074

Comment 25 errata-xmlrpc 2024-09-30 00:50:40 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:7348 https://access.redhat.com/errata/RHSA-2024:7348

Comment 26 errata-xmlrpc 2024-09-30 01:21:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:7349 https://access.redhat.com/errata/RHSA-2024:7349
