Bug 1755969 (CVE-2019-16276) - CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads to filter bypass or request smuggling
Summary: CVE-2019-16276 golang: HTTP/1.1 headers with a space before the colon leads t...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16276
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1759839 1760813 1760814 1793751 1793752 1793753 1793754 1793755 1793756 1793757 1793758 1793759 1793760 1793761 1793762 1793763 1793764 1793765 1793767 1793768 1793769 1793770 1793771 1793772 1793773 1793774 1793775 1793776 1793777 1793778 1793779 1793780 1793781 1793782 1793783 1793785 1793786 1793788 1793789 1793790 1793791 1793792 1793793 1793794 1793795 1793796 1793797 1793798 1793799 1793800 1793801 1793802 1793809 1793810 1793811 1793812 1793813 1793814 1793815 1793816 1793817 1793818 1793819 1793820 1793821 1793822 1793823 1793824 1793825 1793826 1793827 1793828 1793829 1793830 1793831 1793832 1793833 1793835 1793836 1793837 1793838 1793839 1793840 1793841 1793842 1793843 1793844 1793845 1807699 1755970 1755971 1759840 1760815 1785351 1785665
Blocks: 1755973
TreeView+ depends on / blocked
 
Reported: 2019-09-26 14:10 UTC by Dhananjay Arunesh
Modified: 2020-02-27 03:43 UTC (History)
30 users (show)

Fixed In Version: Go 1.13.1, Go 1.12.10
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that net/http (through net/textproto) in golang does not correctly interpret HTTP requests where an HTTP header contains spaces before the colon. This could be abused by an attacker to smuggle HTTP requests when a proxy or a firewall is placed behind a server implemented in Go or to filter bypasses depending on the specific network configuration.
Clone Of:
Environment:
Last Closed: 2020-01-14 14:09:29 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0101 None None None 2020-01-14 08:44:24 UTC
Red Hat Product Errata RHSA-2020:0329 None None None 2020-02-04 10:35:48 UTC

Description Dhananjay Arunesh 2019-09-26 14:10:19 UTC
As announced by Go upstream on 2019-09-25: net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications

Reference:
https://github.com/golang/go/issues/34540

Comment 1 Dhananjay Arunesh 2019-09-26 14:11:51 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1755971]
Affects: fedora-all [bug 1755970]

Comment 2 Dhananjay Arunesh 2019-09-26 14:18:06 UTC
External References:

https://groups.google.com/forum/#!msg/golang-announce/cszieYyuL9Q/g4Z7pKaqAgAJ

Comment 5 Riccardo Schirone 2019-10-09 07:42:08 UTC
Function ReadMIMEHeader() in src/net/textproto/reader.go was trying to parse headers where the colon between the key and the value is preceded by trailing whitespaces, trying to be more flexible. However, this could be abused in some particular settings to smuggle HTTP requests, so the patch makes the parsing less flexible, in favor of more consistent behavior.

Comment 10 errata-xmlrpc 2020-01-14 08:44:21 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2020:0101 https://access.redhat.com/errata/RHSA-2020:0101

Comment 11 Product Security DevOps Team 2020-01-14 14:09:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16276

Comment 17 Sam Fowler 2020-01-22 04:44:16 UTC
Statement:

* This issue affects the versions of golang as shipped with Red Hat Enterprise Linux 7, however it was deprecated in Red Hat Enterprise Linux 7.6 and it does not receive updates anymore. Developers are encouraged to use the Go Toolset instead, which is available through the Red Hat Developer program. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.6_release_notes/chap-red_hat_enterprise_linux-7.6_release_notes-other_deprecated_functionality#idm140555585405248.
* The version of golang provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 allows filter bypasses or request smuggling and contains the vulnerable code hence affected by this vulnerability.
* In OpenShift Container Platform, all packages and container images built with a vulnerable version of Go and use the net/http package are affected by this flaw.

Comment 18 errata-xmlrpc 2020-02-04 10:35:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0329 https://access.redhat.com/errata/RHSA-2020:0329


Note You need to log in before you can comment on or make changes to this bug.