Bug 2253330 (CVE-2023-39326) - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
Keywords:
Status: NEW
Alias: CVE-2023-39326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance (priority / severity): medium medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2253338 2253339 2253340 2253341 2253342 2253343 2253344 2253345 2253346 2253348 2255162 2255163 2255535 2253332 2253333 2253335 2253336 2253337 2253347
Blocks: 2253319
Reported: 2023-12-06 20:47 UTC by Patrick Del Bello
Modified: 2024-04-16 17:26 UTC (History)

Fixed In Version: golang 1.20.12, golang 1.21.0-0, golang 1.21.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from the network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0931 0 None None None 2024-02-21 01:01:01 UTC
Red Hat Product Errata RHBA-2024:0932 0 None None None 2024-02-21 01:01:19 UTC
Red Hat Product Errata RHBA-2024:0933 0 None None None 2024-02-21 01:01:29 UTC
Red Hat Product Errata RHBA-2024:1009 0 None None None 2024-02-27 19:49:36 UTC
Red Hat Product Errata RHBA-2024:1010 0 None None None 2024-02-27 20:48:14 UTC
Red Hat Product Errata RHBA-2024:1011 0 None None None 2024-02-27 21:40:24 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:04 UTC
Red Hat Product Errata RHSA-2023:7200 0 None None None 2024-02-27 22:47:13 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:29:10 UTC
Red Hat Product Errata RHSA-2024:0269 0 None None None 2024-02-28 00:20:19 UTC
Red Hat Product Errata RHSA-2024:0281 0 None None None 2024-03-06 14:40:14 UTC
Red Hat Product Errata RHSA-2024:0530 0 None None None 2024-01-25 18:10:46 UTC
Red Hat Product Errata RHSA-2024:0694 0 None None None 2024-02-07 18:45:56 UTC
Red Hat Product Errata RHSA-2024:0695 0 None None None 2024-02-07 22:50:35 UTC
Red Hat Product Errata RHSA-2024:0728 0 None None None 2024-02-08 17:27:50 UTC
Red Hat Product Errata RHSA-2024:0748 0 None None None 2024-02-08 18:20:25 UTC
Red Hat Product Errata RHSA-2024:0843 0 None None None 2024-02-15 12:55:40 UTC
Red Hat Product Errata RHSA-2024:0880 0 None None None 2024-02-20 11:03:50 UTC
Red Hat Product Errata RHSA-2024:0887 0 None None None 2024-02-20 12:30:15 UTC
Red Hat Product Errata RHSA-2024:1041 0 None None None 2024-02-29 09:04:04 UTC
Red Hat Product Errata RHSA-2024:1078 0 None None None 2024-03-05 00:34:26 UTC
Red Hat Product Errata RHSA-2024:1131 0 None None None 2024-03-05 18:11:24 UTC
Red Hat Product Errata RHSA-2024:1149 0 None None None 2024-03-05 18:13:09 UTC
Red Hat Product Errata RHSA-2024:1244 0 None None None 2024-03-11 16:04:26 UTC
Red Hat Product Errata RHSA-2024:1434 0 None None None 2024-03-20 07:40:31 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:18 UTC
Red Hat Product Errata RHSA-2024:1812 0 None None None 2024-04-15 05:44:53 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:20 UTC

Description Patrick Del Bello 2023-12-06 20:47:22 UTC
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

https://go.dev/cl/547335
https://go.dev/issue/64433
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2382

Comment 1 Patrick Del Bello 2023-12-06 20:51:59 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2253332]
Affects: fedora-all [bug 2253333]

Comment 9 Debarshi Ray 2024-01-15 22:46:54 UTC
We are missing the RHEL 9 tracking bug for toolbox, even though the bugs for RHEL 8 are there.

Comment 16 errata-xmlrpc 2024-01-25 18:10:38 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:0530 https://access.redhat.com/errata/RHSA-2024:0530

Comment 20 errata-xmlrpc 2024-02-07 18:45:49 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2024:0694 https://access.redhat.com/errata/RHSA-2024:0694

Comment 21 errata-xmlrpc 2024-02-07 22:50:27 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2024:0695 https://access.redhat.com/errata/RHSA-2024:0695

Comment 22 errata-xmlrpc 2024-02-08 17:27:42 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:0728 https://access.redhat.com/errata/RHSA-2024:0728

Comment 23 errata-xmlrpc 2024-02-08 18:20:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 24 errata-xmlrpc 2024-02-15 12:55:33 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 25 errata-xmlrpc 2024-02-20 11:03:42 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 26 errata-xmlrpc 2024-02-20 12:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0887 https://access.redhat.com/errata/RHSA-2024:0887

Comment 27 errata-xmlrpc 2024-02-27 20:49:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 28 errata-xmlrpc 2024-02-27 22:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 29 errata-xmlrpc 2024-02-27 22:47:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7200 https://access.redhat.com/errata/RHSA-2023:7200

Comment 30 errata-xmlrpc 2024-02-28 00:20:13 UTC
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:0269 https://access.redhat.com/errata/RHSA-2024:0269

Comment 32 errata-xmlrpc 2024-02-29 09:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2024:1041 https://access.redhat.com/errata/RHSA-2024:1041

Comment 33 errata-xmlrpc 2024-03-05 00:34:19 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:1078 https://access.redhat.com/errata/RHSA-2024:1078

Comment 34 errata-xmlrpc 2024-03-05 18:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1131 https://access.redhat.com/errata/RHSA-2024:1131

Comment 35 errata-xmlrpc 2024-03-05 18:13:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1149 https://access.redhat.com/errata/RHSA-2024:1149

Comment 36 errata-xmlrpc 2024-03-06 14:40:04 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-9

Via RHSA-2024:0281 https://access.redhat.com/errata/RHSA-2024:0281

Comment 37 errata-xmlrpc 2024-03-11 16:04:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1244 https://access.redhat.com/errata/RHSA-2024:1244

Comment 39 errata-xmlrpc 2024-03-20 07:40:24 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.1

Via RHSA-2024:1434 https://access.redhat.com/errata/RHSA-2024:1434

Comment 40 errata-xmlrpc 2024-04-02 19:30:09 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 41 errata-xmlrpc 2024-04-15 05:44:43 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812

Comment 42 errata-xmlrpc 2024-04-16 17:26:12 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859
