Bug 2253330 (CVE-2023-39326) - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
Summary: CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resourc...
Keywords:
Status: NEW
Alias: CVE-2023-39326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2253332 2253333 2253335 2253336 2253337 2253338 2253339 2253340 2253341 2253342 2253343 2253344 2253345 2253346 2253347 2253348 2255162 2255163 2255535 2279583 2280690
Blocks: 2253319
Reported: 2023-12-06 20:47 UTC by Patrick Del Bello
Modified: 2025-04-18 08:27 UTC (History)

Fixed In Version: golang 1.20.12, golang 1.21.0-0, golang 1.21.5
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0931 0 None None None 2024-02-21 01:01:01 UTC
Red Hat Product Errata RHBA-2024:0932 0 None None None 2024-02-21 01:01:19 UTC
Red Hat Product Errata RHBA-2024:0933 0 None None None 2024-02-21 01:01:29 UTC
Red Hat Product Errata RHBA-2024:1009 0 None None None 2024-02-27 19:49:36 UTC
Red Hat Product Errata RHBA-2024:1010 0 None None None 2024-02-27 20:48:14 UTC
Red Hat Product Errata RHBA-2024:1011 0 None None None 2024-02-27 21:40:24 UTC
Red Hat Product Errata RHBA-2024:3469 0 None None None 2024-05-29 14:32:52 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:04 UTC
Red Hat Product Errata RHSA-2023:7200 0 None None None 2024-02-27 22:47:13 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:29:10 UTC
Red Hat Product Errata RHSA-2024:0269 0 None None None 2024-02-28 00:20:19 UTC
Red Hat Product Errata RHSA-2024:0281 0 None None None 2024-03-06 14:40:14 UTC
Red Hat Product Errata RHSA-2024:0530 0 None None None 2024-01-25 18:10:46 UTC
Red Hat Product Errata RHSA-2024:0694 0 None None None 2024-02-07 18:45:56 UTC
Red Hat Product Errata RHSA-2024:0695 0 None None None 2024-02-07 22:50:35 UTC
Red Hat Product Errata RHSA-2024:0728 0 None None None 2024-02-08 17:27:50 UTC
Red Hat Product Errata RHSA-2024:0748 0 None None None 2024-02-08 18:20:25 UTC
Red Hat Product Errata RHSA-2024:0843 0 None None None 2024-02-15 12:55:40 UTC
Red Hat Product Errata RHSA-2024:0880 0 None None None 2024-02-20 11:03:50 UTC
Red Hat Product Errata RHSA-2024:0887 0 None None None 2024-02-20 12:30:15 UTC
Red Hat Product Errata RHSA-2024:1041 0 None None None 2024-02-29 09:04:04 UTC
Red Hat Product Errata RHSA-2024:1078 0 None None None 2024-03-05 00:34:26 UTC
Red Hat Product Errata RHSA-2024:1131 0 None None None 2024-03-05 18:11:24 UTC
Red Hat Product Errata RHSA-2024:1149 0 None None None 2024-03-05 18:13:09 UTC
Red Hat Product Errata RHSA-2024:1244 0 None None None 2024-03-11 16:04:26 UTC
Red Hat Product Errata RHSA-2024:1434 0 None None None 2024-03-20 07:40:31 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:18 UTC
Red Hat Product Errata RHSA-2024:1812 0 None None None 2024-04-15 05:44:53 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:20 UTC
Red Hat Product Errata RHSA-2024:1896 0 None None None 2024-04-25 15:14:56 UTC
Red Hat Product Errata RHSA-2024:1901 0 None None None 2024-04-18 07:18:46 UTC
Red Hat Product Errata RHSA-2024:2160 0 None None None 2024-04-30 09:41:29 UTC
Red Hat Product Errata RHSA-2024:2193 0 None None None 2024-04-30 09:46:54 UTC
Red Hat Product Errata RHSA-2024:2245 0 None None None 2024-04-30 09:55:42 UTC
Red Hat Product Errata RHSA-2024:2272 0 None None None 2024-04-30 09:58:55 UTC
Red Hat Product Errata RHSA-2024:2728 0 None None None 2024-05-29 19:50:31 UTC
Red Hat Product Errata RHSA-2024:2729 0 None None None 2024-05-22 20:38:20 UTC
Red Hat Product Errata RHSA-2024:2730 0 None None None 2024-05-22 20:41:33 UTC
Red Hat Product Errata RHSA-2024:2767 0 None None None 2024-05-22 20:11:34 UTC
Red Hat Product Errata RHSA-2024:2988 0 None None None 2024-05-22 09:28:33 UTC
Red Hat Product Errata RHSA-2024:3316 0 None None None 2024-05-23 06:39:58 UTC
Red Hat Product Errata RHSA-2024:3352 0 None None None 2024-05-23 15:25:16 UTC
Red Hat Product Errata RHSA-2024:3467 0 None None None 2024-05-29 13:31:40 UTC
Red Hat Product Errata RHSA-2024:3479 0 None None None 2024-05-29 21:40:25 UTC
Red Hat Product Errata RHSA-2024:3868 0 None None None 2024-06-17 00:44:03 UTC

Description Patrick Del Bello 2023-12-06 20:47:22 UTC
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.

Chunk extensions are a little-used HTTP feature which permits including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred.

The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

https://go.dev/cl/547335
https://go.dev/issue/64433
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2382
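As an added illustration of the kind of check the description refers to (example code written for this page, not Go's net/http implementation or the change in CL 547335), the reader below decodes a chunked body while tracking how many bytes of size lines and chunk extensions it consumed per body byte, and fails the read when that overhead grows out of proportion. The 4096-byte allowance and 8:1 ratio are assumed values chosen for the example; the default 4 KiB bufio buffer additionally caps the length of any single size line.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// ErrTooMuchOverhead: the bytes spent on size lines and chunk extensions grew out of proportion to body bytes.
var ErrTooMuchOverhead = errors.New("chunked encoding: too much non-body data")

// readChunked decodes a chunked transfer-coded body into memory while enforcing an overhead budget.
// The budget numbers are assumptions chosen for this example, not the values used by Go's net/http.
func readChunked(r io.Reader) ([]byte, error) {
	const maxFreeOverhead = 4096 // overhead bytes always tolerated (e.g. a body of few, small chunks)
	const maxOverheadRatio = 8   // beyond that, at most 8 overhead bytes per body byte delivered
	br := bufio.NewReader(r)     // 4 KiB default buffer: ReadSlice refuses longer size lines
	var body bytes.Buffer
	overhead := 0
	for {
		line, err := br.ReadSlice('\n') // bufio.ErrBufferFull if the size line exceeds the buffer
		if err != nil {
			return nil, fmt.Errorf("reading chunk size line: %w", err)
		}
		overhead += len(line) // hex size, any ";name=value" extensions, and the CRLF
		sizeStr, _, _ := strings.Cut(strings.TrimRight(string(line), "\r\n"), ";") // extensions discarded
		size, err := strconv.ParseUint(strings.TrimSpace(sizeStr), 16, 32)
		if err != nil {
			return nil, fmt.Errorf("bad chunk size %q: %w", sizeStr, err)
		}
		if overhead > maxFreeOverhead && overhead > maxOverheadRatio*body.Len() {
			return nil, ErrTooMuchOverhead // sender is spending far more bytes on framing than on data
		}
		if size == 0 {
			return body.Bytes(), nil // last chunk; trailers are not handled in this example
		}
		if _, err := io.CopyN(&body, br, int64(size)); err != nil { // stream, no attacker-sized alloc
			return nil, err
		}
		if tail, err := br.ReadSlice('\n'); err != nil || string(tail) != "\r\n" {
			return nil, errors.New("chunk data not followed by CRLF")
		}
		overhead += 2
	}
}
```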

Comment 1 Patrick Del Bello 2023-12-06 20:51:59 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2253332]
Affects: fedora-all [bug 2253333]

Comment 9 Debarshi Ray 2024-01-15 22:46:54 UTC
We are missing the RHEL 9 tracking bug for toolbox, even though the bugs for RHEL 8 are there.

Comment 16 errata-xmlrpc 2024-01-25 18:10:38 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:0530 https://access.redhat.com/errata/RHSA-2024:0530

Comment 20 errata-xmlrpc 2024-02-07 18:45:49 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2024:0694 https://access.redhat.com/errata/RHSA-2024:0694

Comment 21 errata-xmlrpc 2024-02-07 22:50:27 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2024:0695 https://access.redhat.com/errata/RHSA-2024:0695

Comment 22 errata-xmlrpc 2024-02-08 17:27:42 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:0728 https://access.redhat.com/errata/RHSA-2024:0728

Comment 23 errata-xmlrpc 2024-02-08 18:20:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 24 errata-xmlrpc 2024-02-15 12:55:33 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 25 errata-xmlrpc 2024-02-20 11:03:42 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 26 errata-xmlrpc 2024-02-20 12:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0887 https://access.redhat.com/errata/RHSA-2024:0887

Comment 27 errata-xmlrpc 2024-02-27 20:49:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 28 errata-xmlrpc 2024-02-27 22:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 29 errata-xmlrpc 2024-02-27 22:47:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7200 https://access.redhat.com/errata/RHSA-2023:7200

Comment 30 errata-xmlrpc 2024-02-28 00:20:13 UTC
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:0269 https://access.redhat.com/errata/RHSA-2024:0269

Comment 32 errata-xmlrpc 2024-02-29 09:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2024:1041 https://access.redhat.com/errata/RHSA-2024:1041

Comment 33 errata-xmlrpc 2024-03-05 00:34:19 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:1078 https://access.redhat.com/errata/RHSA-2024:1078

Comment 34 errata-xmlrpc 2024-03-05 18:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1131 https://access.redhat.com/errata/RHSA-2024:1131

Comment 35 errata-xmlrpc 2024-03-05 18:13:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1149 https://access.redhat.com/errata/RHSA-2024:1149

Comment 36 errata-xmlrpc 2024-03-06 14:40:04 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-9

Via RHSA-2024:0281 https://access.redhat.com/errata/RHSA-2024:0281

Comment 37 errata-xmlrpc 2024-03-11 16:04:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1244 https://access.redhat.com/errata/RHSA-2024:1244

Comment 39 errata-xmlrpc 2024-03-20 07:40:24 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.1

Via RHSA-2024:1434 https://access.redhat.com/errata/RHSA-2024:1434

Comment 40 errata-xmlrpc 2024-04-02 19:30:09 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 41 errata-xmlrpc 2024-04-15 05:44:43 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812

Comment 42 errata-xmlrpc 2024-04-16 17:26:12 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 43 errata-xmlrpc 2024-04-18 07:18:39 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901

Comment 44 errata-xmlrpc 2024-04-25 15:14:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896

Comment 45 errata-xmlrpc 2024-04-30 09:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160

Comment 46 errata-xmlrpc 2024-04-30 09:46:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2193 https://access.redhat.com/errata/RHSA-2024:2193

Comment 47 errata-xmlrpc 2024-04-30 09:55:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2245 https://access.redhat.com/errata/RHSA-2024:2245

Comment 48 errata-xmlrpc 2024-04-30 09:58:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2272 https://access.redhat.com/errata/RHSA-2024:2272

Comment 51 errata-xmlrpc 2024-05-22 09:28:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2988 https://access.redhat.com/errata/RHSA-2024:2988

Comment 52 errata-xmlrpc 2024-05-22 20:11:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 8

Via RHSA-2024:2767 https://access.redhat.com/errata/RHSA-2024:2767

Comment 53 errata-xmlrpc 2024-05-22 20:38:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2729 https://access.redhat.com/errata/RHSA-2024:2729

Comment 54 errata-xmlrpc 2024-05-22 20:41:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2730 https://access.redhat.com/errata/RHSA-2024:2730

Comment 55 errata-xmlrpc 2024-05-23 06:39:46 UTC
This issue has been addressed in the following products:

  MTA-7.0-RHEL-9
  MTA-7.0-RHEL-8

Via RHSA-2024:3316 https://access.redhat.com/errata/RHSA-2024:3316

Comment 56 errata-xmlrpc 2024-05-23 15:25:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352

Comment 58 errata-xmlrpc 2024-05-29 13:31:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467

Comment 59 errata-xmlrpc 2024-05-29 19:50:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2728 https://access.redhat.com/errata/RHSA-2024:2728

Comment 60 errata-xmlrpc 2024-05-29 21:40:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3479 https://access.redhat.com/errata/RHSA-2024:3479

Comment 63 errata-xmlrpc 2024-06-17 00:43:53 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868

