Bug 2030801 (CVE-2021-44716) - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache [NEEDINFO]
Summary: CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-44716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2030803 2032330 2032331 2032349 2032350 2032351 2032352 2032353 2032354 2032355 2032367 2032368 2032369 2032370 2032376 2032377 2032380 2032382 2032383 2032384 2032385 2032393 2032394 2032395 2032396 2032397 2032398 2033296 2013628 2030802 2030804 2031244 2031245 2031246 2031247 2031248 2031249 2031250 2031251 2031252 2031253 2031587 2031588 2031589 2031590 2031591 2031592 2031593 2031594 2032332 2032333 2032334 2032335 2032336 2032337 2032338 2032339 2032340 2032341 2032342 2032343 2032344 2032345 2032346 2032347 2032348 2032356 2032357 2032371 2032372 2032373 2032374 2032375 2032378 2032379 2032381 2032386 2032387 2032388 2032389 2032390 2032391 2032392 2033297 2033298 2033305 2033306 2033831 2033832 2033833 2033834 2033835 2033836 2034445 2034446 2034447 2034448 2034449 2034450 2043455 2043456 2043457 2043458 2043459 2043460 2043461 2043470
Blocks: 2030812
 
Reported: 2021-12-09 18:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-17 09:56 UTC (History)

Fixed In Version: Go 1.17.5, Go 1.16.12
Doc Type: If docs needed, set a value
Doc Text:
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact system performance and resources.
Clone Of:
Environment:
Last Closed: 2022-05-11 22:16:48 UTC
tcullum: needinfo? (shaising)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:5172 0 None None None 2021-12-15 19:39:37 UTC
Red Hat Product Errata RHBA-2021:5196 0 None None None 2021-12-16 18:38:37 UTC
Red Hat Product Errata RHSA-2021:5160 0 None None None 2021-12-15 16:28:19 UTC
Red Hat Product Errata RHSA-2021:5176 0 None None None 2021-12-16 10:52:09 UTC
Red Hat Product Errata RHSA-2022:0001 0 None None None 2022-01-03 07:50:37 UTC
Red Hat Product Errata RHSA-2022:0002 0 None None None 2022-01-03 07:50:04 UTC
Red Hat Product Errata RHSA-2022:0055 0 None None None 2022-03-10 13:16:08 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:02:09 UTC
Red Hat Product Errata RHSA-2022:0163 0 None None None 2022-01-18 15:07:44 UTC
Red Hat Product Errata RHSA-2022:0237 0 None None None 2022-01-24 13:51:33 UTC
Red Hat Product Errata RHSA-2022:0260 0 None None None 2022-01-25 13:54:05 UTC
Red Hat Product Errata RHSA-2022:0585 0 None None None 2022-02-21 13:50:41 UTC
Red Hat Product Errata RHSA-2022:0587 0 None None None 2022-02-21 16:30:18 UTC
Red Hat Product Errata RHSA-2022:0842 0 None None None 2022-03-14 09:21:40 UTC
Red Hat Product Errata RHSA-2022:0855 0 None None None 2022-03-14 10:24:43 UTC
Red Hat Product Errata RHSA-2022:0927 0 None None None 2022-03-21 12:05:44 UTC
Red Hat Product Errata RHSA-2022:0947 0 None None None 2022-03-16 15:50:31 UTC
Red Hat Product Errata RHSA-2022:1051 0 None None None 2022-03-24 15:02:40 UTC
Red Hat Product Errata RHSA-2022:1056 0 None None None 2022-03-24 15:19:45 UTC
Red Hat Product Errata RHSA-2022:1361 0 None None None 2022-04-13 15:31:26 UTC
Red Hat Product Errata RHSA-2022:1372 0 None None None 2022-04-13 18:49:32 UTC
Red Hat Product Errata RHSA-2022:1628 0 None None None 2022-04-27 10:44:18 UTC
Red Hat Product Errata RHSA-2022:1734 0 None None None 2022-05-05 13:49:43 UTC

Description Guilherme de Almeida Suckevicz 2021-12-09 18:36:56 UTC
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

Reference:
https://github.com/golang/go/issues/50058

Comment 1 Guilherme de Almeida Suckevicz 2021-12-09 18:37:31 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2030802]
Affects: fedora-all [bug 2030804]
Affects: openstack-rdo [bug 2030803]

Comment 16 errata-xmlrpc 2021-12-15 16:28:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5160 https://access.redhat.com/errata/RHSA-2021:5160

Comment 18 errata-xmlrpc 2021-12-16 10:52:05 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:5176 https://access.redhat.com/errata/RHSA-2021:5176

Comment 25 errata-xmlrpc 2022-01-03 07:49:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0002 https://access.redhat.com/errata/RHSA-2022:0002

Comment 26 errata-xmlrpc 2022-01-03 07:50:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0001 https://access.redhat.com/errata/RHSA-2022:0001

Comment 31 errata-xmlrpc 2022-01-18 15:07:40 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2022:0163 https://access.redhat.com/errata/RHSA-2022:0163

Comment 34 errata-xmlrpc 2022-01-24 13:51:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0237 https://access.redhat.com/errata/RHSA-2022:0237

Comment 35 errata-xmlrpc 2022-01-25 13:53:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0260 https://access.redhat.com/errata/RHSA-2022:0260

Comment 40 errata-xmlrpc 2022-02-21 13:50:36 UTC
This issue has been addressed in the following products:

  Service Telemetry Framework 1.4 for RHEL 8

Via RHSA-2022:0585 https://access.redhat.com/errata/RHSA-2022:0585

Comment 41 errata-xmlrpc 2022-02-21 16:30:12 UTC
This issue has been addressed in the following products:

  Service Telemetry Framework 1.3 for RHEL 8

Via RHSA-2022:0587 https://access.redhat.com/errata/RHSA-2022:0587

Comment 45 errata-xmlrpc 2022-03-10 13:16:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055

Comment 48 errata-xmlrpc 2022-03-10 16:02:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056

Comment 50 errata-xmlrpc 2022-03-14 09:21:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0842 https://access.redhat.com/errata/RHSA-2022:0842

Comment 51 errata-xmlrpc 2022-03-14 10:24:36 UTC
This issue has been addressed in the following products:

  OSE-OSC-1.2.0-RHEL-8

Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855

Comment 52 errata-xmlrpc 2022-03-16 15:50:24 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947

Comment 53 errata-xmlrpc 2022-03-21 12:05:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0927 https://access.redhat.com/errata/RHSA-2022:0927

Comment 54 errata-xmlrpc 2022-03-24 15:02:33 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1.21

Via RHSA-2022:1051 https://access.redhat.com/errata/RHSA-2022:1051

Comment 55 errata-xmlrpc 2022-03-24 15:19:39 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:1056 https://access.redhat.com/errata/RHSA-2022:1056

Comment 58 errata-xmlrpc 2022-04-13 15:31:20 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361

Comment 59 errata-xmlrpc 2022-04-13 18:49:27 UTC
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372

Comment 61 errata-xmlrpc 2022-04-27 10:44:11 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2022:1628 https://access.redhat.com/errata/RHSA-2022:1628

Comment 62 errata-xmlrpc 2022-05-05 13:49:37 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734

Comment 64 Product Security DevOps Team 2022-05-11 22:16:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44716

