Bug 2162182 (CVE-2022-41721) - CVE-2022-41721 x/net/http2/h2c: request smuggling
Summary: CVE-2022-41721 x/net/http2/h2c: request smuggling
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2162188 2162184 2162185 2162186 2162187 2163124 2163125 2232267 2232706 2232707
Blocks: 2161236
Reported: 2023-01-19 03:52 UTC by Anten Skrabec
Modified: 2023-10-04 13:07 UTC (History)

Fixed In Version: golang.org/x/net 0.1.1-0.20221104162952-702349b0e862
Doc Type: ---
Doc Text:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
Clone Of:
Environment:
Last Closed: 2023-05-18 04:44:48 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:1326  0        None      None    None     2023-05-17 22:31:21 UTC
Red Hat Product Errata  RHSA-2023:4627  0        None      None    None     2023-08-14 01:02:32 UTC
Red Hat Product Errata  RHSA-2023:5421  0        None      None    None     2023-10-03 18:50:03 UTC
Red Hat Product Errata  RHSA-2023:5442  0        None      None    None     2023-10-04 13:07:48 UTC

Description Anten Skrabec 2023-01-19 03:52:13 UTC
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.
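The Doc Text and the Description above describe the ordering problem in words only. The Go program below is an added, simplified model written for this page, not code from golang.org/x/net or net/http: the `handoff` function, its `drain` flag (an assumed model of the fix, which the page describes only as fully consuming the body), the io.LimitReader stand-in for the MaxBytesReader limit and the wire sample are all constructed for illustration. It shows why the unread remainder of the body is exactly what the HTTP/2 layer then parses, and why discarding that remainder before the handoff (or running the fixed x/net version) closes the gap.

```go
package main

import (
	"fmt"
	"io"
	"strings"
)

// Client connection preface that every HTTP/2 connection must start with.
const http2Preface = "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

// handoff models the h2c upgrade on a connection whose unread bytes are wire.
// The handler reads the declared body through a MaxBytesReader-style limit,
// which stops the read at bodyLimit instead of draining the rest, so anything
// beyond the limit stays on the connection. The HTTP/2 layer then takes over and
// reads what it believes is the preface. With drain=false (vulnerable order) the
// leftover body is read as the preface; with drain=true (assumed model of the
// fix) the unread remainder of the body is discarded first. The function returns
// the 24 bytes the HTTP/2 layer took as the preface and how many body bytes the
// handler consumed.
func handoff(wire string, contentLength, bodyLimit int64, drain bool) (preface string, consumed int64, err error) {
	conn := strings.NewReader(wire)
	limit := contentLength
	if bodyLimit < limit {
		limit = bodyLimit
	}
	consumed, _ = io.Copy(io.Discard, io.LimitReader(conn, limit)) // handler's body read
	if drain && consumed < contentLength {
		if _, err = io.CopyN(io.Discard, conn, contentLength-consumed); err != nil {
			return "", consumed, err
		}
	}
	buf := make([]byte, len(http2Preface))
	_, err = io.ReadFull(conn, buf)
	return string(buf), consumed, err
}

func main() {
	// Constructed sample: 64-byte body, 16-byte handler limit, then the real preface.
	wire := strings.Repeat("A", 64) + http2Preface
	v, n, _ := handoff(wire, 64, 16, false)
	fmt.Printf("vulnerable: handler consumed %d of 64 body bytes; HTTP/2 layer read %q\n", n, v)
	f, _, _ := handoff(wire, 64, 16, true)
	fmt.Printf("fixed: HTTP/2 layer read the genuine preface: %v\n", f == http2Preface)
}
```

A body shorter than the limit leaves nothing behind in either order, which is why the problem only surfaces once the request body exceeds the MaxBytesHandler limit.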

Comment 1 Anten Skrabec 2023-01-19 03:53:13 UTC
Created caddy tracking bugs for this issue:

Affects: fedora-36 [bug 2162187]


Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2162185]


Created golang-x-net tracking bugs for this issue:

Affects: epel-8 [bug 2162188]
Affects: fedora-36 [bug 2162186]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2162184]

Comment 11 errata-xmlrpc 2023-05-17 22:31:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 12 Product Security DevOps Team 2023-05-18 04:44:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41721

Comment 13 errata-xmlrpc 2023-08-14 01:02:30 UTC
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627

Comment 14 errata-xmlrpc 2023-10-03 18:50:01 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.3 for RHEL 8

Via RHSA-2023:5421 https://access.redhat.com/errata/RHSA-2023:5421

Comment 15 errata-xmlrpc 2023-10-04 13:07:46 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2023:5442 https://access.redhat.com/errata/RHSA-2023:5442

