Bug 1755969 (CVE-2019-16276) - CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling
Summary: CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads t...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16276
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1755970 1755971 1759839 1759840 1760813 1760814 1760815 1785351 1785665 1793751 1793752 1793753 1793754 1793755 1793756 1793757 1793758 1793759 1793760 1793761 1793762 1793764 1793765 1793767 1793768 1793769 1793770 1793771 1793772 1793773 1793774 1793775 1793776 1793777 1793778 1793779 1793780 1793781 1793782 1793783 1793785 1793786 1793788 1793789 1793790 1793791 1793792 1793793 1793794 1793795 1793796 1793797 1793798 1793799 1793800 1793801 1793802 1793809 1793810 1793811 1793812 1793813 1793814 1793815 1793816 1793817 1793818 1793819 1793820 1793821 1793822 1793823 1793824 1793825 1793826 1793827 1793828 1793829 1793830 1793831 1793832 1793833 1793835 1793836 1793837 1793838 1793839 1793840 1793841 1793842 1793843 1793844 1793845 1807699 1878637
Blocks: 1755973
Reported: 2019-09-26 14:10 UTC by Dhananjay Arunesh
Modified: 2023-10-06 18:36 UTC (History)

Fixed In Version: Go 1.13.1, Go 1.12.10
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests in which an HTTP header name is followed by spaces before the colon. An attacker could abuse this to smuggle HTTP requests when a proxy or firewall is placed in front of a server implemented in Go, or to bypass filters, depending on the specific network configuration.
Clone Of:
Environment:
Last Closed: 2020-01-14 14:09:29 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0101 0 None None None 2020-01-14 08:44:24 UTC
Red Hat Product Errata RHSA-2020:0329 0 None None None 2020-02-04 10:35:48 UTC
Red Hat Product Errata RHSA-2020:0652 0 None None None 2020-03-05 20:38:27 UTC

Description Dhananjay Arunesh 2019-09-26 14:10:19 UTC
As announced by Go upstream on 2019-09-25: net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.

Reference:
https://github.com/golang/go/issues/34540

Comment 1 Dhananjay Arunesh 2019-09-26 14:11:51 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1755971]
Affects: fedora-all [bug 1755970]

Comment 2 Dhananjay Arunesh 2019-09-26 14:18:06 UTC
External References:

https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

Comment 5 Riccardo Schirone 2019-10-09 07:42:08 UTC
Function ReadMIMEHeader() in src/net/textproto/reader.go was trying to parse headers where the colon between the key and the value is preceded by trailing whitespace, trying to be more flexible. However, this could be abused in some particular settings to smuggle HTTP requests, so the patch makes the parsing less flexible, in favor of more consistent behavior.
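The description and Comment 5 both come down to one parsing disagreement: a front-end proxy that forwards `X-Forwarded-For : ...` untouched sees a header name it does not recognise, while the pre-fix Go server trims the trailing space and treats it as `X-Forwarded-For`. The following Go program is an added illustration, not code from the Go project or from this bug; it implements a small header-block parser with a "lenient" mode that models the pre-fix trimming and a "strict" mode that applies the RFC 7230 token rule (a field name may contain no whitespace), then shows the two modes disagreeing on the same constructed header block. `ValidFieldName`, `ParseHeaders`, the modes and the sample block are all assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strings"
)

// ParseMode selects how a field name with trailing spaces before the colon is treated.
type ParseMode int

const (
	// Lenient models the pre-fix net/textproto behaviour: spaces before the colon are trimmed.
	Lenient ParseMode = iota
	// Strict models the fixed behaviour: the field name must be an RFC 7230 token.
	Strict
)

// isTchar reports whether c is in the RFC 7230 tchar set (token characters).
func isTchar(c byte) bool {
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidFieldName reports whether name is a non-empty RFC 7230 token.
// "Host " (trailing space) is rejected; "Content-Length" is accepted.
func ValidFieldName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTchar(name[i]) {
			return false
		}
	}
	return true
}

// ParseHeaders parses a CRLF-separated header block (up to the empty line)
// into canonical-key -> values. In Lenient mode spaces before the colon are
// trimmed from the key, as pre-fix Go did; in Strict mode such a key is an error.
func ParseHeaders(raw string, mode ParseMode) (map[string][]string, error) {
	h := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := strings.TrimRight(sc.Text(), "\r")
		if line == "" {
			break // empty line terminates the header block
		}
		i := strings.IndexByte(line, ':')
		if i < 0 {
			return nil, fmt.Errorf("malformed header line: %q", line)
		}
		key := line[:i]
		if mode == Lenient {
			key = strings.TrimRight(key, " ") // the normalisation the fix removed
		}
		if !ValidFieldName(key) {
			return nil, fmt.Errorf("invalid header field name %q", key)
		}
		key = textproto.CanonicalMIMEHeaderKey(key)
		h[key] = append(h[key], strings.TrimSpace(line[i+1:]))
	}
	return h, sc.Err()
}

func main() {
	// Constructed sample: one header has a space before the colon.
	raw := "Host: app.example.test\r\nX-Forwarded-For : 203.0.113.9\r\n\r\n"

	lenient, err := ParseHeaders(raw, Lenient)
	fmt.Printf("lenient (pre-fix): X-Forwarded-For=%v err=%v\n", lenient["X-Forwarded-For"], err)

	strict, err := ParseHeaders(raw, Strict)
	fmt.Printf("strict (fixed):    headers=%v err=%v\n", strict, err)
}
```

The lenient parser reports the constructed `X-Forwarded-For` value while the strict parser rejects the whole request; a proxy that never normalised the name and a server that did would thus disagree about whether that header exists at all, which is the mismatch the bug describes. Running the same strict check on the proxy side is the usual mitigation: reject, rather than forward, any request whose field names are not tokens.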

Comment 10 errata-xmlrpc 2020-01-14 08:44:21 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0101

Comment 11 Product Security DevOps Team 2020-01-14 14:09:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16276

Comment 17 Sam Fowler 2020-01-22 04:44:16 UTC
Statement:

* This issue affects the versions of golang as shipped with Red Hat Enterprise Linux 7, however it was deprecated in Red Hat Enterprise Linux 7.6 and it does not receive updates anymore. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-other_deprecated_functionality#idm140555585405248.
* The version of golang provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 allows filter bypasses or request smuggling and contains the vulnerable code, hence it is affected by this vulnerability.
* In OpenShift Container Platform, all packages and container images that are built with a vulnerable version of Go and use the net/http package are affected by this flaw.

Comment 18 errata-xmlrpc 2020-02-04 10:35:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0329

Comment 19 errata-xmlrpc 2020-03-05 20:38:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:0652 https://access.redhat.com/errata/RHSA-2020:0652
