Bug 1958341 (CVE-2021-31525) - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-31525
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1961024 1962146 1962147 1962148 1962149 1962150 1958342 1958343 1959244 1959245 1959246 1959247 1959248 1959249 1959251 1959252 1959253 1959259 1959266 1959347 1959496 1959497 1959498 1959499 1959500 1959502 1959503 1959504 1959616 1959617 1961022 1961023 1961255 1961256 1961257 1961258 1961259 1961260 1961261 1961262 1961263 1961264 1961266 1961267 1961268 1961269 1961270 1961271 1961272 1961273 1961274 1961275 1961276 1961277 1961278 1961279 1961280 1961281 1961282 1961283 1961284 1961285 1961286 1961287 1961297 1962136 1962137 1962138 1962141 1962142 1962151 1962248 1963092 1963093 1963094 1963095 1963096 1963097 1963098 1970183 1990703
Blocks: 1958344
Reported: 2021-05-07 16:49 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-01 00:06 UTC (History)
CC List: 119 users

Fixed In Version: golang 1.17.0, golang 1.16.4, golang 1.15.12
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was detected in net/http of the Go standard library when parsing very large HTTP header values, causing a crash and subsequent denial of service. This vulnerability affects both clients and servers written in Go; however, servers are only vulnerable if the value of MaxHeaderBytes has been increased from the default.
Clone Of:
Environment:
Last Closed: 2021-07-13 21:54:51 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2704 0 None None None 2021-07-13 16:54:10 UTC
Red Hat Product Errata RHSA-2021:2705 0 None None None 2021-07-13 21:43:57 UTC
Red Hat Product Errata RHSA-2021:2983 0 None None None 2021-08-10 11:26:52 UTC
Red Hat Product Errata RHSA-2021:2984 0 None None None 2021-08-10 07:50:00 UTC
Red Hat Product Errata RHSA-2021:3076 0 None None None 2021-08-10 13:58:10 UTC
Red Hat Product Errata RHSA-2021:3248 0 None None None 2021-08-31 14:59:32 UTC
Red Hat Product Errata RHSA-2021:3487 0 None None None 2021-09-15 06:38:42 UTC
Red Hat Product Errata RHSA-2021:3733 0 None None None 2021-10-05 17:35:43 UTC
Red Hat Product Errata RHSA-2021:3748 0 None None None 2021-10-07 14:18:02 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:28:29 UTC
Red Hat Product Errata RHSA-2021:4103 0 None None None 2021-11-02 13:31:43 UTC
Red Hat Product Errata RHSA-2021:4104 0 None None None 2021-11-02 15:57:06 UTC
Red Hat Product Errata RHSA-2021:5072 0 None None None 2021-12-09 20:17:05 UTC
Red Hat Product Errata RHSA-2022:0191 0 None None None 2022-01-19 17:49:37 UTC
Red Hat Product Errata RHSA-2022:0308 0 None None None 2022-01-27 13:12:07 UTC
Red Hat Product Errata RHSA-2022:0577 0 None None None 2022-03-28 09:36:00 UTC

Description Guilherme de Almeida Suckevicz 2021-05-07 16:49:44 UTC
ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client.

Reference:
https://github.com/golang/go/issues/45710

Comment 1 Guilherme de Almeida Suckevicz 2021-05-07 16:50:35 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1958342]
Affects: fedora-all [bug 1958343]

Comment 3 Sam Fowler 2021-05-11 02:12:22 UTC
Upstream patch:

https://go-review.googlesource.com/c/net/+/313069/

Comment 4 Sam Fowler 2021-05-11 02:14:19 UTC
In the Go standard library, the affected function is only called when parsing the "Connection" header:

https://github.com/golang/go/search?q=headervaluescontainstoken

In golang.org/x/net, the affected function is called when parsing either the "Connection" or "Upgrade" headers:

https://github.com/golang/net/search?q=headervaluescontainstoken

Comment 5 Sam Fowler 2021-05-11 02:33:10 UTC
External References:

https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc

Comment 7 Sam Fowler 2021-05-11 05:05:36 UTC
Results for checking changes to MaxHeaderBytes in OpenShift:

https://gist.github.com/sfowl/d9f02030bcf92630f6c864924838cf09

No component uses an unsafe value, so we can say with high confidence that no OpenShift server side component is vulnerable to malicious clients.

Comment 12 Sam Fowler 2021-05-11 06:56:29 UTC
Upstream kubernetes issue:

https://github.com/kubernetes/release/issues/2060

Comment 15 Przemyslaw Roguski 2021-05-11 17:04:54 UTC
Statement:

This vulnerability potentially affects any component written in Go that uses net/http from the standard library. In OpenShift Container Platform (OCP) and OpenShift distributed tracing (formerly OpenShift Jaeger), no server side component allows HTTP header values larger than 1 MB (the default), preventing this vulnerability from being exploited by malicious clients. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for all OpenShift Container Platform and OpenShift distributed tracing components.
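Both the Description and the Statement above come down to one configuration question: how large a header a given Go process will read before its own limit stops it. The following Go program is an added example, not code from Red Hat, OpenShift or the Go project. It computes the effective header budget of an http.Server (MaxHeaderBytes, or http.DefaultMaxHeaderBytes when unset) and of an http.Transport (MaxResponseHeaderBytes, whose documented default is 10MB when zero), and flags any budget that would let a peer send a header of the size the advisory describes before the limit intervenes. The 4MB cut-off is this example's conservative choice (the lower of the two figures quoted above), the server inventory is constructed, and NewBoundedTransport is a hypothetical helper showing the client-side knob; the reasoning that a low MaxResponseHeaderBytes makes the read fail before a multi-megabyte header value is parsed is the example's, not a statement from the advisory, and upgrading Go remains the fix.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Thresholds are the ones quoted in the advisory: an unpatched Go net/http
// panics on a header of more than about 7 MB (64-bit) or 4 MB (32-bit).
// Using the lower figure keeps the check conservative on either architecture
// (a choice made for this example, not a value from the advisory itself).
const panicThresholdBytes int64 = 4 << 20

// Default applied by Transport when MaxResponseHeaderBytes is zero; net/http
// documents it as "currently 10MB".
const defaultMaxResponseHeaderBytes int64 = 10 << 20

// EffectiveServerHeaderLimit returns the header budget a Server actually
// enforces: MaxHeaderBytes when set, otherwise http.DefaultMaxHeaderBytes (1 MB).
func EffectiveServerHeaderLimit(srv *http.Server) int64 {
	if srv.MaxHeaderBytes > 0 {
		return int64(srv.MaxHeaderBytes)
	}
	return int64(http.DefaultMaxHeaderBytes)
}

// EffectiveResponseHeaderLimit returns the response-header budget a client
// Transport enforces on the servers it talks to.
func EffectiveResponseHeaderLimit(tr *http.Transport) int64 {
	if tr.MaxResponseHeaderBytes > 0 {
		return tr.MaxResponseHeaderBytes
	}
	return defaultMaxResponseHeaderBytes
}

// ReachesPanicThreshold reports whether a limit lets a peer send a header large
// enough to reach the panic on an unpatched Go before the limit stops the read.
func ReachesPanicThreshold(limit int64) bool {
	return limit >= panicThresholdBytes
}

// Finding is one audit result for a named server configuration.
type Finding struct {
	Name    string
	Limit   int64
	Exposed bool
}

// AuditServers evaluates a set of server configurations, such as the inventory
// a platform team keeps of its listeners (the names used here are constructed).
func AuditServers(servers map[string]*http.Server) []Finding {
	var out []Finding
	for name, srv := range servers {
		limit := EffectiveServerHeaderLimit(srv)
		out = append(out, Finding{Name: name, Limit: limit, Exposed: ReachesPanicThreshold(limit)})
	}
	return out
}

// NewBoundedTransport (hypothetical helper) builds a client transport whose
// response-header budget matches the 1 MB server-side default, well under the
// panic threshold, so an oversized header from a malicious server exhausts the
// limit rather than being parsed. Upgrading Go is still the real fix.
func NewBoundedTransport() *http.Transport {
	return &http.Transport{
		MaxResponseHeaderBytes: 1 << 20,
		ResponseHeaderTimeout:  30 * time.Second,
	}
}

func main() {
	// Constructed inventory: one listener at the default, one that raised the
	// limit to 16 MB, which is the pattern Comment 7 went looking for.
	inventory := map[string]*http.Server{
		"api-default":   {Addr: ":8080"},
		"api-bigheader": {Addr: ":8081", MaxHeaderBytes: 16 << 20},
	}
	for _, f := range AuditServers(inventory) {
		fmt.Printf("%-14s limit=%d bytes exposed=%v\n", f.Name, f.Limit, f.Exposed)
	}
	tr := &http.Transport{}
	fmt.Printf("default transport: limit=%d exposed=%v\n",
		EffectiveResponseHeaderLimit(tr), ReachesPanicThreshold(EffectiveResponseHeaderLimit(tr)))
	bt := NewBoundedTransport()
	fmt.Printf("bounded transport: limit=%d exposed=%v\n",
		EffectiveResponseHeaderLimit(bt), ReachesPanicThreshold(EffectiveResponseHeaderLimit(bt)))
}
```

Run as-is, the default server is reported as not exposed and the 16 MB one as exposed, which mirrors the Statement's reasoning about OpenShift server components; the default Transport is reported as exposed, which mirrors the Description's point that clients are affected without any configuration change.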

Comment 17 Summer Long 2021-05-17 05:01:54 UTC
Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 1961024]

Comment 36 errata-xmlrpc 2021-07-13 16:54:07 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2021:2704 https://access.redhat.com/errata/RHSA-2021:2704

Comment 37 errata-xmlrpc 2021-07-13 21:43:53 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.16

Via RHSA-2021:2705 https://access.redhat.com/errata/RHSA-2021:2705

Comment 38 Product Security DevOps Team 2021-07-13 21:54:51 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31525

Comment 42 errata-xmlrpc 2021-08-10 07:49:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984

Comment 43 errata-xmlrpc 2021-08-10 11:26:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983

Comment 44 errata-xmlrpc 2021-08-10 13:58:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3076 https://access.redhat.com/errata/RHSA-2021:3076

Comment 45 ximhan 2021-08-20 07:44:34 UTC
OpenShift engineering has decided to NOT ship 4.8.6 on 8/23 due to the following issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1995785
All the fixes will now be included in 4.8.7 on 8/30.

Comment 48 Richard Theis 2021-08-25 20:17:14 UTC
Hi folks, where do we find the status of these fixes for OpenShift versions 4.6 and 4.7?

Comment 49 errata-xmlrpc 2021-08-31 14:59:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248

Comment 50 errata-xmlrpc 2021-09-15 06:38:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487

Comment 51 errata-xmlrpc 2021-10-05 17:35:38 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:3733 https://access.redhat.com/errata/RHSA-2021:3733

Comment 52 errata-xmlrpc 2021-10-07 14:17:57 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2021:3748 https://access.redhat.com/errata/RHSA-2021:3748

Comment 55 errata-xmlrpc 2021-10-18 17:28:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

Comment 56 errata-xmlrpc 2021-11-02 13:31:37 UTC
This issue has been addressed in the following products:

  RHEL-7-CNV-4.9
  RHEL-8-CNV-4.9

Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103

Comment 57 errata-xmlrpc 2021-11-02 15:57:02 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104

Comment 58 errata-xmlrpc 2021-12-09 20:16:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:5072 https://access.redhat.com/errata/RHSA-2021:5072

Comment 59 errata-xmlrpc 2022-01-19 17:49:30 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.9

Via RHSA-2022:0191 https://access.redhat.com/errata/RHSA-2022:0191

Comment 60 errata-xmlrpc 2022-01-27 13:12:00 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7
  Native Client for RHEL 7 for Red Hat Storage

Via RHSA-2022:0308 https://access.redhat.com/errata/RHSA-2022:0308

Comment 62 errata-xmlrpc 2022-03-28 09:35:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577
