Bug 2030801 (CVE-2021-44716) - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
Summary: CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-44716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2030803 2013628 2030802 2030804 2031244 2031245 2031246 2031247 2031248 2031249 2031250 2031251 2031252 2031253 2031587 2031588 2031589 2031590 2031591 2031592 2031593 2031594 2032330 2032331 2032332 2032333 2032334 2032335 2032336 2032337 2032338 2032339 2032340 2032341 2032342 2032343 2032344 2032345 2032346 2032347 2032348 2032349 2032350 2032351 2032352 2032353 2032354 2032355 2032356 2032357 2032367 2032368 2032369 2032370 2032371 2032372 2032373 2032374 2032375 2032376 2032377 2032378 2032379 2032380 2032381 2032382 2032383 2032384 2032385 2032386 2032387 2032388 2032389 2032390 2032391 2032392 2032393 2032394 2032395 2032396 2032397 2032398 2033296 2033297 2033298 2033305 2033306 2033831 2033832 2033833 2033834 2033835 2033836 2034445 2034446 2034447 2034448 2034449 2034450 2043455 2043456 2043457 2043458 2043459 2043460 2043461 2043470
Blocks: 2030812
TreeView+ depends on / blocked
 
Reported: 2021-12-09 18:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-12-31 04:25 UTC (History)
123 users (show)

Fixed In Version: Go 1.17.5, Go 1.16.12
Doc Type: If docs needed, set a value
Doc Text:
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.
Clone Of:
Environment:
Last Closed: 2022-05-11 22:16:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:5172 0 None None None 2021-12-15 19:39:37 UTC
Red Hat Product Errata RHBA-2021:5196 0 None None None 2021-12-16 18:38:37 UTC
Red Hat Product Errata RHSA-2021:5160 0 None None None 2021-12-15 16:28:19 UTC
Red Hat Product Errata RHSA-2021:5176 0 None None None 2021-12-16 10:52:09 UTC
Red Hat Product Errata RHSA-2022:0001 0 None None None 2022-01-03 07:50:37 UTC
Red Hat Product Errata RHSA-2022:0002 0 None None None 2022-01-03 07:50:04 UTC
Red Hat Product Errata RHSA-2022:0055 0 None None None 2022-03-10 13:16:08 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-10 16:02:09 UTC
Red Hat Product Errata RHSA-2022:0163 0 None None None 2022-01-18 15:07:44 UTC
Red Hat Product Errata RHSA-2022:0237 0 None None None 2022-01-24 13:51:33 UTC
Red Hat Product Errata RHSA-2022:0260 0 None None None 2022-01-25 13:54:05 UTC
Red Hat Product Errata RHSA-2022:0585 0 None None None 2022-02-21 13:50:41 UTC
Red Hat Product Errata RHSA-2022:0587 0 None None None 2022-02-21 16:30:18 UTC
Red Hat Product Errata RHSA-2022:0842 0 None None None 2022-03-14 09:21:40 UTC
Red Hat Product Errata RHSA-2022:0855 0 None None None 2022-03-14 10:24:43 UTC
Red Hat Product Errata RHSA-2022:0927 0 None None None 2022-03-21 12:05:44 UTC
Red Hat Product Errata RHSA-2022:0947 0 None None None 2022-03-16 15:50:31 UTC
Red Hat Product Errata RHSA-2022:1051 0 None None None 2022-03-24 15:02:40 UTC
Red Hat Product Errata RHSA-2022:1056 0 None None None 2022-03-24 15:19:45 UTC
Red Hat Product Errata RHSA-2022:1361 0 None None None 2022-04-13 15:31:26 UTC
Red Hat Product Errata RHSA-2022:1372 0 None None None 2022-04-13 18:49:32 UTC
Red Hat Product Errata RHSA-2022:1628 0 None None None 2022-04-27 10:44:18 UTC
Red Hat Product Errata RHSA-2022:1734 0 None None None 2022-05-05 13:49:43 UTC
Red Hat Product Errata RHSA-2022:6526 0 None None None 2022-09-14 19:27:24 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:48:50 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:34:27 UTC

Description Guilherme de Almeida Suckevicz 2021-12-09 18:36:56 UTC 
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

Reference:
https://github.com/golang/go/issues/50058
Comment 1 Guilherme de Almeida Suckevicz 2021-12-09 18:37:31 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2030802]
Affects: fedora-all [bug 2030804]
Affects: openstack-rdo [bug 2030803]
Comment 2 Summer Long 2021-12-10 04:11:14 UTC 
upstream commits: 
HTTP2: https://go-review.googlesource.com/c/net/+/369794/
1.16: https://go-review.googlesource.com/c/go/+/370575/
1.17: https://go-review.googlesource.com/c/go/+/370574/
Comment 16 errata-xmlrpc 2021-12-15 16:28:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5160 https://access.redhat.com/errata/RHSA-2021:5160
Comment 18 errata-xmlrpc 2021-12-16 10:52:05 UTC 
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:5176 https://access.redhat.com/errata/RHSA-2021:5176
Comment 25 errata-xmlrpc 2022-01-03 07:49:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0002 https://access.redhat.com/errata/RHSA-2022:0002
Comment 26 errata-xmlrpc 2022-01-03 07:50:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0001 https://access.redhat.com/errata/RHSA-2022:0001
Comment 31 errata-xmlrpc 2022-01-18 15:07:40 UTC 
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2022:0163 https://access.redhat.com/errata/RHSA-2022:0163
Comment 34 errata-xmlrpc 2022-01-24 13:51:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0237 https://access.redhat.com/errata/RHSA-2022:0237
Comment 35 errata-xmlrpc 2022-01-25 13:53:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2022:0260 https://access.redhat.com/errata/RHSA-2022:0260
Comment 40 errata-xmlrpc 2022-02-21 13:50:36 UTC 
This issue has been addressed in the following products:

  Service Telemetry Framework 1.4 for RHEL 8

Via RHSA-2022:0585 https://access.redhat.com/errata/RHSA-2022:0585
Comment 41 errata-xmlrpc 2022-02-21 16:30:12 UTC 
This issue has been addressed in the following products:

  Service Telemetry Framework 1.3 for RHEL 8

Via RHSA-2022:0587 https://access.redhat.com/errata/RHSA-2022:0587
Comment 45 errata-xmlrpc 2022-03-10 13:16:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055
Comment 48 errata-xmlrpc 2022-03-10 16:02:03 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0056 https://access.redhat.com/errata/RHSA-2022:0056
Comment 50 errata-xmlrpc 2022-03-14 09:21:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2022:0842 https://access.redhat.com/errata/RHSA-2022:0842
Comment 51 errata-xmlrpc 2022-03-14 10:24:36 UTC 
This issue has been addressed in the following products:

  OSE-OSC-1.2.0-RHEL-8

Via RHSA-2022:0855 https://access.redhat.com/errata/RHSA-2022:0855
Comment 52 errata-xmlrpc 2022-03-16 15:50:24 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:0947 https://access.redhat.com/errata/RHSA-2022:0947
Comment 53 errata-xmlrpc 2022-03-21 12:05:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0927 https://access.redhat.com/errata/RHSA-2022:0927
Comment 54 errata-xmlrpc 2022-03-24 15:02:33 UTC 
This issue has been addressed in the following products:

  Openshift Serveless 1.21

Via RHSA-2022:1051 https://access.redhat.com/errata/RHSA-2022:1051
Comment 55 errata-xmlrpc 2022-03-24 15:19:39 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:1056 https://access.redhat.com/errata/RHSA-2022:1056
Comment 58 errata-xmlrpc 2022-04-13 15:31:20 UTC 
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1361 https://access.redhat.com/errata/RHSA-2022:1361
Comment 59 errata-xmlrpc 2022-04-13 18:49:27 UTC 
This issue has been addressed in the following products:

  RHODF-4.10-RHEL-8

Via RHSA-2022:1372 https://access.redhat.com/errata/RHSA-2022:1372
Comment 61 errata-xmlrpc 2022-04-27 10:44:11 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2022:1628 https://access.redhat.com/errata/RHSA-2022:1628
Comment 62 errata-xmlrpc 2022-05-05 13:49:37 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734
Comment 64 Product Security DevOps Team 2022-05-11 22:16:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44716
Comment 65 errata-xmlrpc 2022-09-14 19:27:17 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.11

Via RHSA-2022:6526 https://access.redhat.com/errata/RHSA-2022:6526
Comment 66 errata-xmlrpc 2023-01-24 12:48:44 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407
Comment 67 errata-xmlrpc 2023-01-24 13:34:19 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408
Comment 69 Red Hat Bugzilla 2023-12-31 04:25:09 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Note You need to log in before you can comment on or make changes to this bug.