Bug 2309710 (CVE-2024-8421) - CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Rapid Reset Attack) [NEEDINFO]
Summary: CVE-2024-8421 golang.org/x/net/http2: Multiple HTTP/2 enabled web servers (Ra...
Keywords:
Status: NEW
Alias: CVE-2024-8421
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2309722 2309723 2309725 2309726 2309727 2309952 2309953 2309954 2309955 2309956 2309957 2309958 2310011 2310053 2310054 2310078 2310102 2310103 2310104 2310105 2310106 2310107 2310108 2310109 2311657 2311658 2309959 2309960 2309961 2309962 2309963 2309964 2309965 2309966 2309967 2309968 2309969 2309970 2309971 2309972 2309973 2309974 2309975 2309976 2309977 2309978 2309979 2309980 2309981 2309982 2309983 2309984 2309985 2309986 2309987 2309988 2309989 2309990 2309991 2309992 2309993 2309994 2309995 2309996 2309997 2309998 2309999 2310000 2310001 2310002 2310003 2310004 2310005 2310006 2310007 2310008 2310009 2310010 2310012 2310013 2310014 2310015 2310016 2310017 2310018 2310019 2310020 2310021 2310022 2310023 2310024 2310025 2310026 2310027 2310028 2310029 2310030 2310031 2310032 2310033 2310034 2310035 2310036 2310037 2310038 2310039 2310040 2310041 2310042 2310043 2310044 2310045 2310046 2310047 2310048 2310049 2310050 2310051 2310052 2310055 2310056 2310057 2310059 2310060 2310061 2310062 2310064 2310066 2310068 2310069 2310070 2310074 2310075 2310076 2310077 2310079 2310080
Blocks:
Reported: 2024-09-04 14:00 UTC by OSIDB Bzimport
Modified: 2024-10-30 18:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:
snikolov: needinfo? (subhro)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6755 0 None None None 2024-09-18 11:56:45 UTC

Description OSIDB Bzimport 2024-09-04 14:00:49 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
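A defender-side check for the pattern described above, added here as an example that is not part of this bug report or of the x/net fix: it counts RST_STREAM frames per connection over a sliding window in a constructed frame log. The log format, the window and the threshold are assumptions to be tuned against normal client cancellation rates.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed frame log ("<ms> <conn> <frame>") as a proxy or tap might emit it;
// not from the bug report. c1 resets four streams in 4 ms, c2 two 1.1 s apart.
const sampleLog = `0 c1 HEADERS
1 c1 RST_STREAM
2 c1 RST_STREAM
3 c1 RST_STREAM
4 c1 RST_STREAM
400 c2 RST_STREAM
1500 c2 RST_STREAM`

// rapidResetters reports connections that sent more than limit RST_STREAM frames
// inside any windowMs sliding window (assumes lines are time-ordered per conn).
func rapidResetters(frameLog string, windowMs, limit int) (map[string]bool, error) {
	resets := map[string][]int{} // conn id -> RST_STREAM timestamps in ms
	for _, line := range strings.Split(frameLog, "\n") {
		ms, conn, typ := 0, "", ""
		if _, err := fmt.Sscanf(line, "%d %s %s", &ms, &conn, &typ); err != nil {
			return nil, fmt.Errorf("malformed line %q: %v", line, err)
		}
		if typ == "RST_STREAM" {
			resets[conn] = append(resets[conn], ms)
		}
	}
	flagged := map[string]bool{}
	for conn, ts := range resets {
		for lo, hi := 0, 0; hi < len(ts); hi++ {
			for ts[hi]-ts[lo] > windowMs {
				lo++ // drop resets that have fallen out of the window
			}
			if hi-lo+1 > limit { // limit is a tunable threshold, assumed here
				flagged[conn] = true
				break
			}
		}
	}
	return flagged, nil
}

func main() {
	flagged, err := rapidResetters(sampleLog, 1000, 3)
	fmt.Println(flagged, err) // map[c1:true] <nil>
}
```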

Comment 6 Lon Hohberger 2024-09-09 14:10:55 UTC
https://pkg.go.dev/golang.org/x/net?tab=versions

Is it accurate to say that anything that has rebased golang x/net to >= 0.22.0 resolves this issue?

Comment 7 Mark S. Lewis 2024-09-13 09:12:05 UTC
(In reply to Lon Hohberger from comment #6)
> https://pkg.go.dev/golang.org/x/net?tab=versions
> 
> Is it accurate to say that anything that has rebased golang x/net to >=
> 0.22.0 resolves this issue?

The history log for this bug states that it is a Red Hat-specific CVE related to CVE-2023-39325, which was fixed in golang.org/x/net/http2 v0.17.0. See here:

https://pkg.go.dev/vuln/GO-2023-2102

The history log goes on to say, "Red Hat has come to the conclusion that this CVE is not needed", so it seems (to me) that it can be ignored, provided you are at least at these Go versions:

- go1.20.10 (net/http)
- go1.21.3 (net/http)
- golang.org/x/net/http2.0

Of course you also need golang.org/x/net/http2.0 or later to avoid CVE-2023-45288, and go1.22.5 or later to avoid CVE-2024-24791.

Comment 8 errata-xmlrpc 2024-09-18 11:56:35 UTC
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755

