Bug 2124669 (CVE-2022-27664) - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
Summary: CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-27664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2126643 2127944 2134425 2125779 2126630 2126631 2126633 2126634 2126635 2126636 2126637 2126638 2126639 2126641 2126642 2126644 2126645 2126646 2126733 2126734 2126735 2126739 2126740 2126741 2126742 2126743 2126744 2126745 2126746 2126747 2126748 2126749 2126750 2126751 2126752 2126753 2126754 2126755 2126756 2126757 2126758 2126759 2126760 2126761 2126762 2126763 2126764 2126765 2126766 2126767 2126768 2126769 2126770 2126771 2126772 2126773 2127945 2134426 2168805
Blocks: 2124673
TreeView+ depends on / blocked
 
Reported: 2022-09-06 18:05 UTC by TEJ RATHI
Modified: 2023-09-01 03:57 UTC (History)
129 users (show)

Fixed In Version: golang 1.19.1, golang 1.18.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the golang package. In net/http in Go, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if a fatal error preempts the shutdown.
Clone Of:
Environment:
Last Closed: 2023-05-18 19:41:19 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:31:02 UTC
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:34 UTC
Red Hat Product Errata RHSA-2022:8535 0 None None None 2022-11-24 04:14:15 UTC
Red Hat Product Errata RHSA-2022:8626 0 None None None 2022-11-28 20:44:00 UTC
Red Hat Product Errata RHSA-2022:8634 0 None None None 2022-11-28 02:52:05 UTC
Red Hat Product Errata RHSA-2022:8781 0 None None None 2022-12-08 07:37:45 UTC
Red Hat Product Errata RHSA-2023:0264 0 None None None 2023-01-19 11:04:27 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:20:54 UTC
Red Hat Product Errata RHSA-2023:0584 0 None None None 2023-05-18 14:27:48 UTC
Red Hat Product Errata RHSA-2023:0631 0 None None None 2023-02-07 17:24:17 UTC
Red Hat Product Errata RHSA-2023:0693 0 None None None 2023-02-09 02:17:54 UTC
Red Hat Product Errata RHSA-2023:0708 0 None None None 2023-02-09 09:26:12 UTC
Red Hat Product Errata RHSA-2023:0709 0 None None None 2023-02-09 12:05:29 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:40:48 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:56:02 UTC
Red Hat Product Errata RHSA-2023:1529 0 None None None 2023-03-30 00:43:53 UTC
Red Hat Product Errata RHSA-2023:2167 0 None None None 2023-05-09 07:13:43 UTC
Red Hat Product Errata RHSA-2023:2177 0 None None None 2023-05-09 07:14:01 UTC
Red Hat Product Errata RHSA-2023:2193 0 None None None 2023-05-09 07:15:59 UTC
Red Hat Product Errata RHSA-2023:2204 0 None None None 2023-05-09 07:17:38 UTC
Red Hat Product Errata RHSA-2023:2236 0 None None None 2023-05-09 07:20:41 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:35:20 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:09:45 UTC
Red Hat Product Errata RHSA-2023:2780 0 None None None 2023-05-16 08:11:45 UTC
Red Hat Product Errata RHSA-2023:2784 0 None None None 2023-05-16 08:12:09 UTC
Red Hat Product Errata RHSA-2023:2785 0 None None None 2023-05-16 08:12:29 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:14:31 UTC
Red Hat Product Errata RHSA-2023:3204 0 None None None 2023-05-18 00:36:28 UTC
Red Hat Product Errata RHSA-2023:3205 0 None None None 2023-05-18 02:55:19 UTC
Red Hat Product Errata RHSA-2023:3613 0 None None None 2023-06-26 01:16:00 UTC
Red Hat Product Errata RHSA-2023:3642 0 None None None 2023-06-15 16:00:58 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:51:55 UTC
Red Hat Product Errata RHSA-2023:4674 0 None None None 2023-08-23 16:42:46 UTC
Red Hat Product Errata RHSA-2023:4734 0 None None None 2023-08-30 19:56:29 UTC

Description TEJ RATHI 2022-09-06 18:05:27 UTC 
A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

References:
https://go.dev/issue/54658
https://groups.google.com/g/golang-announce/c/x49AQzIVX-s/m/0tgO0pjiBQAJ

Upstream Commits:
Master: https://github.com/golang/go/commit/29af494fca8a25d7d46276f6d4835c4dcd09e47d
Branch.go1.18 : https://github.com/golang/go/commit/5bc9106458fc07851ac324a4157132a91b1f3479
Branch.go1.19 : https://github.com/golang/go/commit/9cfe4e258b1c9d4a04a42539c21c7bdb2e227824
Comment 2 Avinash Hanwate 2022-09-14 07:51:39 UTC 
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2126630]
Affects: fedora-all [bug 2126631]
Comment 9 errata-xmlrpc 2022-10-25 09:30:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129
Comment 16 errata-xmlrpc 2022-11-24 04:14:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8535 https://access.redhat.com/errata/RHSA-2022:8535
Comment 17 errata-xmlrpc 2022-11-28 02:51:58 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2022:8634 https://access.redhat.com/errata/RHSA-2022:8634
Comment 19 errata-xmlrpc 2022-11-28 20:43:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626
Comment 20 errata-xmlrpc 2022-12-08 07:37:38 UTC 
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:8781 https://access.redhat.com/errata/RHSA-2022:8781
Comment 39 errata-xmlrpc 2023-01-17 14:51:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398
Comment 40 errata-xmlrpc 2023-01-19 11:04:21 UTC 
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2023:0264 https://access.redhat.com/errata/RHSA-2023:0264
Comment 41 errata-xmlrpc 2023-01-30 17:20:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542
Comment 49 errata-xmlrpc 2023-02-07 17:24:12 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2023:0631 https://access.redhat.com/errata/RHSA-2023:0631
Comment 51 errata-xmlrpc 2023-02-09 02:17:46 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:0693 https://access.redhat.com/errata/RHSA-2023:0693
Comment 52 errata-xmlrpc 2023-02-09 09:26:05 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:0708 https://access.redhat.com/errata/RHSA-2023:0708
Comment 53 errata-xmlrpc 2023-02-09 12:05:22 UTC 
This issue has been addressed in the following products:

  RHOSS-1.27-RHEL-8

Via RHSA-2023:0709 https://access.redhat.com/errata/RHSA-2023:0709
Comment 58 errata-xmlrpc 2023-03-06 18:40:41 UTC 
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042
Comment 61 errata-xmlrpc 2023-03-15 19:55:55 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275
Comment 62 errata-xmlrpc 2023-03-30 00:43:46 UTC 
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2023:1529 https://access.redhat.com/errata/RHSA-2023:1529
Comment 66 errata-xmlrpc 2023-05-09 07:13:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2167 https://access.redhat.com/errata/RHSA-2023:2167
Comment 67 errata-xmlrpc 2023-05-09 07:13:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2177 https://access.redhat.com/errata/RHSA-2023:2177
Comment 68 errata-xmlrpc 2023-05-09 07:15:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2193 https://access.redhat.com/errata/RHSA-2023:2193
Comment 69 errata-xmlrpc 2023-05-09 07:17:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2204 https://access.redhat.com/errata/RHSA-2023:2204
Comment 70 errata-xmlrpc 2023-05-09 07:20:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2236 https://access.redhat.com/errata/RHSA-2023:2236
Comment 71 errata-xmlrpc 2023-05-09 07:35:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357
Comment 74 errata-xmlrpc 2023-05-16 08:09:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758
Comment 75 errata-xmlrpc 2023-05-16 08:11:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2780 https://access.redhat.com/errata/RHSA-2023:2780
Comment 76 errata-xmlrpc 2023-05-16 08:12:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2784 https://access.redhat.com/errata/RHSA-2023:2784
Comment 77 errata-xmlrpc 2023-05-16 08:12:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2785 https://access.redhat.com/errata/RHSA-2023:2785
Comment 78 errata-xmlrpc 2023-05-16 08:14:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802
Comment 80 errata-xmlrpc 2023-05-18 00:36:23 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13
  RHEL-7-CNV-4.13
  RHEL-8-CNV-4.13

Via RHSA-2023:3204 https://access.redhat.com/errata/RHSA-2023:3204
Comment 81 errata-xmlrpc 2023-05-18 02:55:12 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.13

Via RHSA-2023:3205 https://access.redhat.com/errata/RHSA-2023:3205
Comment 82 errata-xmlrpc 2023-05-18 14:27:40 UTC 
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2023:0584 https://access.redhat.com/errata/RHSA-2023:0584
Comment 83 Product Security DevOps Team 2023-05-18 19:41:12 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-27664
Comment 84 errata-xmlrpc 2023-06-15 16:00:49 UTC 
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3642 https://access.redhat.com/errata/RHSA-2023:3642
Comment 85 errata-xmlrpc 2023-06-22 19:51:46 UTC 
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742
Comment 86 errata-xmlrpc 2023-06-26 01:15:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:3613 https://access.redhat.com/errata/RHSA-2023:3613
Comment 88 errata-xmlrpc 2023-08-23 16:42:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:4674 https://access.redhat.com/errata/RHSA-2023:4674
Comment 89 errata-xmlrpc 2023-08-30 19:56:20 UTC 
This issue has been addressed in the following products:

  Ironic content for Red Hat OpenShift Container Platform 4.13
  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4734 https://access.redhat.com/errata/RHSA-2023:4734
Note You need to log in before you can comment on or make changes to this bug.