Bug 2107383 (CVE-2022-32148) - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working
Summary: CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32148
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat2118640 Red Hat2119860 Red Hat2120621 Red Hat2120622 Red Hat2134423 2107384 Red Hat2109914 Red Hat2109915 Red Hat2109916 Red Hat2109917 Red Hat2110276 2110286 Engineering2111001 Red Hat2111496 Red Hat2111746 Red Hat2111747 Red Hat2111752 Red Hat2111753 Red Hat2111758 Red Hat2111759 Red Hat2111760 Red Hat2111765 Red Hat2111766 Red Hat2111767 Red Hat2111782 Red Hat2111783 Red Hat2111786 Red Hat2111796 Red Hat2111797 Red Hat2111798 Red Hat2111805 Red Hat2111806 Red Hat2111807 Red Hat2111808 Red Hat2111816 Red Hat2111821 Red Hat2111822 Red Hat2111823 Red Hat2112009 Red Hat2112010 Red Hat2118635 Red Hat2118636 Red Hat2118637 Red Hat2118638 Red Hat2119857 Red Hat2119858 Red Hat2119859 Red Hat2119861 Engineering2123509 Engineering2123510 Engineering2123514 Engineering2123748 Engineering2123750 Engineering2123754 Red Hat2134424
Blocks: Embargoed2108714
TreeView+ depends on / blocked
 
Reported: 2022-07-14 21:21 UTC by Anten Skrabec
Modified: 2023-05-17 00:33 UTC (History)
215 users (show)

Fixed In Version: golang 1.18.4, golang 1.17.12
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in net/http/httputil golang package. When httputil.ReverseProxy.ServeHTTP is called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy could set the client IP incorrectly. This issue may affect confidentiality.
Clone Of:
Environment:
Last Closed: 2023-05-17 00:33:41 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5800 0 None None None 2022-08-01 15:59:49 UTC
Red Hat Product Errata RHBA-2022:6131 0 None None None 2022-08-22 19:36:27 UTC
Red Hat Product Errata RHSA-2022:5775 0 None None None 2022-08-01 12:04:34 UTC
Red Hat Product Errata RHSA-2022:5799 0 None None None 2022-08-01 16:04:37 UTC
Red Hat Product Errata RHSA-2022:5866 0 None None None 2022-08-02 09:54:04 UTC
Red Hat Product Errata RHSA-2022:6040 0 None None None 2022-08-10 13:16:54 UTC
Red Hat Product Errata RHSA-2022:6042 0 None None None 2022-08-10 11:37:55 UTC
Red Hat Product Errata RHSA-2022:6113 0 None None None 2022-08-18 15:11:23 UTC
Red Hat Product Errata RHSA-2022:6152 0 None None None 2022-09-01 05:41:48 UTC
Red Hat Product Errata RHSA-2022:6183 0 None None None 2022-09-06 13:33:09 UTC
Red Hat Product Errata RHSA-2022:6188 0 None None None 2022-08-25 11:21:48 UTC
Red Hat Product Errata RHSA-2022:6344 0 None None None 2022-09-06 17:01:17 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:35:06 UTC
Red Hat Product Errata RHSA-2022:6346 0 None None None 2022-09-06 13:03:32 UTC
Red Hat Product Errata RHSA-2022:6347 0 None None None 2022-09-06 12:59:26 UTC
Red Hat Product Errata RHSA-2022:6348 0 None None None 2022-09-06 13:43:42 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:30:24 UTC
Red Hat Product Errata RHSA-2022:6430 0 None None None 2022-09-13 02:10:49 UTC
Red Hat Product Errata RHSA-2022:7129 0 None None None 2022-10-25 09:31:11 UTC
Red Hat Product Errata RHSA-2022:7398 0 None None None 2023-01-17 14:51:13 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:37:17 UTC
Red Hat Product Errata RHSA-2022:7519 0 None None None 2022-11-08 09:24:38 UTC
Red Hat Product Errata RHSA-2022:7529 0 None None None 2022-11-08 09:29:19 UTC
Red Hat Product Errata RHSA-2022:7648 0 None None None 2022-11-08 10:00:48 UTC
Red Hat Product Errata RHSA-2022:8057 0 None None None 2022-11-15 10:07:25 UTC
Red Hat Product Errata RHSA-2022:8250 0 None None None 2022-11-15 10:44:13 UTC
Red Hat Product Errata RHSA-2022:8626 0 None None None 2022-11-28 20:43:50 UTC
Red Hat Product Errata RHSA-2022:9047 0 None None None 2022-12-15 01:58:14 UTC
Red Hat Product Errata RHSA-2023:0407 0 None None None 2023-01-24 12:49:47 UTC
Red Hat Product Errata RHSA-2023:0408 0 None None None 2023-01-24 13:35:32 UTC
Red Hat Product Errata RHSA-2023:1042 0 None None None 2023-03-06 18:39:51 UTC
Red Hat Product Errata RHSA-2023:1275 0 None None None 2023-03-15 19:55:43 UTC
Red Hat Product Errata RHSA-2023:2357 0 None None None 2023-05-09 07:34:54 UTC
Red Hat Product Errata RHSA-2023:2758 0 None None None 2023-05-16 08:09:09 UTC
Red Hat Product Errata RHSA-2023:2802 0 None None None 2023-05-16 08:13:49 UTC

Description Anten Skrabec 2022-07-14 21:21:24 UTC
When httputil.ReverseProxy.ServeHTTP was called with a Request.Header map containing a nil value for the X-Forwarded-For header, ReverseProxy would set the client IP as the value of the X-Forwarded-For header, contrary to its documentation. In the more usual case where a Director function set the X-Forwarded-For header value to nil, ReverseProxy would leave the header unmodified as expected.

Comment 1 Anten Skrabec 2022-07-14 21:21:39 UTC
Created golang tracking bugs for this issue:

Affects: fedora-all [bug 2107384]

Comment 6 Avinash Hanwate 2022-07-25 06:41:47 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2110286]

Comment 24 errata-xmlrpc 2022-08-01 12:04:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5775 https://access.redhat.com/errata/RHSA-2022:5775

Comment 25 errata-xmlrpc 2022-08-01 16:04:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5799 https://access.redhat.com/errata/RHSA-2022:5799

Comment 26 errata-xmlrpc 2022-08-02 09:53:53 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2022:5866 https://access.redhat.com/errata/RHSA-2022:5866

Comment 27 errata-xmlrpc 2022-08-10 11:37:46 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2022:6042 https://access.redhat.com/errata/RHSA-2022:6042

Comment 28 errata-xmlrpc 2022-08-10 13:16:43 UTC
This issue has been addressed in the following products:

  Openshift Serveless 1.24

Via RHSA-2022:6040 https://access.redhat.com/errata/RHSA-2022:6040

Comment 32 errata-xmlrpc 2022-08-18 15:11:15 UTC
This issue has been addressed in the following products:

  Application Interconnect 1 for RHEL 8

Via RHSA-2022:6113 https://access.redhat.com/errata/RHSA-2022:6113

Comment 35 errata-xmlrpc 2022-08-25 11:21:41 UTC
This issue has been addressed in the following products:

  Node Maintenance Operator 4.11 for RHEL 8

Via RHSA-2022:6188 https://access.redhat.com/errata/RHSA-2022:6188

Comment 36 errata-xmlrpc 2022-09-01 05:41:37 UTC
This issue has been addressed in the following products:

  OSSO-1.1-RHEL-8

Via RHSA-2022:6152 https://access.redhat.com/errata/RHSA-2022:6152

Comment 37 errata-xmlrpc 2022-09-06 12:59:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6347 https://access.redhat.com/errata/RHSA-2022:6347

Comment 38 errata-xmlrpc 2022-09-06 13:03:20 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6346 https://access.redhat.com/errata/RHSA-2022:6346

Comment 39 errata-xmlrpc 2022-09-06 13:32:58 UTC
This issue has been addressed in the following products:

  Logging subsystem for Red Hat OpenShift 5.4

Via RHSA-2022:6183 https://access.redhat.com/errata/RHSA-2022:6183

Comment 40 errata-xmlrpc 2022-09-06 13:43:30 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6348 https://access.redhat.com/errata/RHSA-2022:6348

Comment 41 errata-xmlrpc 2022-09-06 14:34:54 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

Comment 42 errata-xmlrpc 2022-09-06 17:01:06 UTC
This issue has been addressed in the following products:

  RHOL-5.5-RHEL-8

Via RHSA-2022:6344 https://access.redhat.com/errata/RHSA-2022:6344

Comment 43 errata-xmlrpc 2022-09-06 22:30:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

Comment 44 errata-xmlrpc 2022-09-13 02:10:41 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:6430 https://access.redhat.com/errata/RHSA-2022:6430

Comment 48 errata-xmlrpc 2022-10-25 09:31:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7129 https://access.redhat.com/errata/RHSA-2022:7129

Comment 52 errata-xmlrpc 2022-11-08 09:24:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7519 https://access.redhat.com/errata/RHSA-2022:7519

Comment 53 errata-xmlrpc 2022-11-08 09:29:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7529 https://access.redhat.com/errata/RHSA-2022:7529

Comment 54 errata-xmlrpc 2022-11-08 10:00:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7648 https://access.redhat.com/errata/RHSA-2022:7648

Comment 55 errata-xmlrpc 2022-11-15 10:07:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8057 https://access.redhat.com/errata/RHSA-2022:8057

Comment 56 errata-xmlrpc 2022-11-15 10:44:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8250 https://access.redhat.com/errata/RHSA-2022:8250

Comment 61 errata-xmlrpc 2022-11-28 20:43:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11
  Ironic content for Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:8626 https://access.redhat.com/errata/RHSA-2022:8626

Comment 63 errata-xmlrpc 2022-12-15 01:58:05 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:9047 https://access.redhat.com/errata/RHSA-2022:9047

Comment 83 errata-xmlrpc 2023-01-17 14:51:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7398 https://access.redhat.com/errata/RHSA-2022:7398

Comment 84 errata-xmlrpc 2023-01-17 19:37:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2022:7399 https://access.redhat.com/errata/RHSA-2022:7399

Comment 85 errata-xmlrpc 2023-01-24 12:49:38 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12
  RHEL-7-CNV-4.12

Via RHSA-2023:0407 https://access.redhat.com/errata/RHSA-2023:0407

Comment 86 errata-xmlrpc 2023-01-24 13:35:25 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.12

Via RHSA-2023:0408 https://access.redhat.com/errata/RHSA-2023:0408

Comment 96 errata-xmlrpc 2023-03-06 18:39:44 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2023:1042 https://access.redhat.com/errata/RHSA-2023:1042

Comment 99 errata-xmlrpc 2023-03-15 19:55:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 101 errata-xmlrpc 2023-05-09 07:34:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2357 https://access.redhat.com/errata/RHSA-2023:2357

Comment 103 errata-xmlrpc 2023-05-16 08:08:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2758 https://access.redhat.com/errata/RHSA-2023:2758

Comment 104 errata-xmlrpc 2023-05-16 08:13:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:2802 https://access.redhat.com/errata/RHSA-2023:2802

Comment 106 Product Security DevOps Team 2023-05-17 00:33:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32148


Note You need to log in before you can comment on or make changes to this bug.