ReadRequest and ReadResponse in net/http can hit an unrecoverable panic when reading a very large header (over 7MB on 64-bit architectures, or over 4MB on 32-bit ones). Transport and Client are vulnerable and the program can be made to crash by a malicious server. Server is not vulnerable by default, but can be if the default max header of 1MB is overridden by setting Server.MaxHeaderBytes to a higher value, in which case the program can be made to crash by a malicious client. Reference: https://github.com/golang/go/issues/45710
Created golang tracking bugs for this issue:
Affects: epel-all [bug 1958342]
Affects: fedora-all [bug 1958343]
Upstream patch: https://go-review.googlesource.com/c/net/+/313069/
In the Go standard library, the affected function is only called when parsing the "Connection" header: https://github.com/golang/go/search?q=headervaluescontainstoken In golang.org/x/net, the affected function is called when parsing either the "Connection" or "Upgrade" headers: https://github.com/golang/net/search?q=headervaluescontainstoken
External References: https://groups.google.com/g/golang-announce/c/cu9SP4eSXMc
Results for checking changes to MaxHeaderBytes in OpenShift: https://gist.github.com/sfowl/d9f02030bcf92630f6c864924838cf09 No component uses an unsafe value, so we can say with high confidence that no OpenShift server side component is vulnerable to malicious clients.
Upstream kubernetes issue: https://github.com/kubernetes/release/issues/2060
Statement: This vulnerability potentially affects any component written in Go that uses net/http from the standard library. In OpenShift Container Platform (OCP) and OpenShift distributed tracing (formerly OpenShift Jaeger), no server side component allows HTTP header values larger than 1 MB (the default), preventing this vulnerability from being exploited by malicious clients. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for all OpenShift Container Platform and OpenShift distributed tracing components.
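The server-side condition described above (only a Server whose MaxHeaderBytes has been raised past the 1 MB default can be crashed by a client) and the audit in the gist reduce to one check: what limit does net/http actually enforce for each server? The following is a constructed Go example added here; it is not code from this bug, from OpenShift, or from the Go project. The component names, ports and the 16 MB override are assumptions chosen for illustration. Transport.MaxResponseHeaderBytes is a real net/http field; using it to cap response headers on the client side is defense in depth and not a substitute for upgrading to a patched Go.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"time"
)

// safeMaxHeaderBytes is the net/http default (1 MB). A server at or below it
// never reads the >7 MB (64-bit) / >4 MB (32-bit) headers that trigger the panic.
const safeMaxHeaderBytes = http.DefaultMaxHeaderBytes

// effectiveMaxHeaderBytes returns the limit net/http actually enforces:
// a zero or negative MaxHeaderBytes means DefaultMaxHeaderBytes.
func effectiveMaxHeaderBytes(s *http.Server) int {
	if s.MaxHeaderBytes > 0 {
		return s.MaxHeaderBytes
	}
	return http.DefaultMaxHeaderBytes
}

// serverExposed reports whether a server accepts headers larger than the
// default, which is the only configuration a malicious client can crash.
func serverExposed(s *http.Server) bool {
	return effectiveMaxHeaderBytes(s) > http.DefaultMaxHeaderBytes
}

// auditServers returns the names of exposed servers, sorted for stable output.
func auditServers(servers map[string]*http.Server) []string {
	var exposed []string
	for name, s := range servers {
		if serverExposed(s) {
			exposed = append(exposed, name)
		}
	}
	sort.Strings(exposed)
	return exposed
}

// newWeakServer is the unsafe override: a 16 MB limit (assumed value) lets a
// client deliver a header past the panic threshold on unpatched Go.
func newWeakServer(addr string) *http.Server {
	return &http.Server{
		Addr:           addr,
		Handler:        http.NotFoundHandler(),
		MaxHeaderBytes: 16 << 20,
	}
}

// newHardenedServer keeps the default limit and bounds how long a client
// may take to send its headers.
func newHardenedServer(addr string) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           http.NotFoundHandler(),
		MaxHeaderBytes:    safeMaxHeaderBytes,
		ReadHeaderTimeout: 10 * time.Second,
	}
}

// newHardenedTransport caps the response header bytes a client reads from a
// server. The Transport default for this field is 10 MB, above the panic
// threshold, so this closes the client-side window until Go is upgraded.
func newHardenedTransport() *http.Transport {
	t := http.DefaultTransport.(*http.Transport).Clone()
	t.MaxResponseHeaderBytes = safeMaxHeaderBytes
	return t
}

func main() {
	// Constructed inventory standing in for a fleet's server-side components.
	servers := map[string]*http.Server{
		"api-default":  {Addr: ":8443", Handler: http.NotFoundHandler()},
		"api-hardened": newHardenedServer(":8444"),
		"api-weak":     newWeakServer(":8445"),
	}
	for _, name := range auditServers(servers) {
		fmt.Printf("%s: MaxHeaderBytes=%d exceeds default %d\n",
			name, effectiveMaxHeaderBytes(servers[name]), http.DefaultMaxHeaderBytes)
	}
	client := &http.Client{Transport: newHardenedTransport(), Timeout: 5 * time.Second}
	fmt.Printf("client response header cap: %d bytes\n",
		client.Transport.(*http.Transport).MaxResponseHeaderBytes)
}
```

Running this reports only api-weak, matching the rule applied in the gist: a component is exposed to malicious clients exactly when its effective MaxHeaderBytes exceeds the default. Unpatched clients remain crashable by a malicious server regardless of server configuration, which is why the client-side cap and the Go upgrade still matter.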
Created etcd tracking bugs for this issue:
Affects: openstack-rdo [bug 1961024]
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2021:2704 https://access.redhat.com/errata/RHSA-2021:2704
This issue has been addressed in the following products: Openshift Serverless 1.16 Via RHSA-2021:2705 https://access.redhat.com/errata/RHSA-2021:2705
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-31525
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2984 https://access.redhat.com/errata/RHSA-2021:2984
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2983 https://access.redhat.com/errata/RHSA-2021:2983
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3076 https://access.redhat.com/errata/RHSA-2021:3076
OpenShift engineering has decided NOT to ship 4.8.6 on 8/23 due to the following issue: https://bugzilla.redhat.com/show_bug.cgi?id=1995785 All the fixes that were part of it will now be included in 4.8.7 on 8/30.
Hi folks, where do we find the status of these fixes for OpenShift versions 4.6 and 4.7?
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:3248 https://access.redhat.com/errata/RHSA-2021:3248
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2021:3487 https://access.redhat.com/errata/RHSA-2021:3487
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:3733 https://access.redhat.com/errata/RHSA-2021:3733
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2021:3748 https://access.redhat.com/errata/RHSA-2021:3748
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759
This issue has been addressed in the following products: RHEL-7-CNV-4.9 RHEL-8-CNV-4.9 Via RHSA-2021:4103 https://access.redhat.com/errata/RHSA-2021:4103
This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2021:4104 https://access.redhat.com/errata/RHSA-2021:4104
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2021:5072 https://access.redhat.com/errata/RHSA-2021:5072
This issue has been addressed in the following products: RHEL-8-CNV-4.9 Via RHSA-2022:0191 https://access.redhat.com/errata/RHSA-2022:0191
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Native Client for RHEL 7 for Red Hat Storage Via RHSA-2022:0308 https://access.redhat.com/errata/RHSA-2022:0308
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0577 https://access.redhat.com/errata/RHSA-2022:0577