Non-applicability for CVE-2022-41717

[orsenthil]

The GHSA-xrjj-mj9h-534m mentioned in the golang list -
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ

Indicates that servers accepting http2 requests can be attacked.

An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.
HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.

The CoreDNS used in Kubernetes is CoreDNS 1.8.6
https://github.com/kubernetes/kubernetes/blob/v1.24.11/cluster/addons/dns/coredns/coredns.yaml.sed#L142

Reading the source code of CoreDNS, I have determined that this is not applicable to CoreDNS - there is not http2 POST anywhere, especially the server side of the CoreDNS.

The scanners might flag the cve due to old go language run time used to compile or due to dependencies. But that only needs supression rather than anything else.

Can someone confirm this analysis for me?

Thank you!

[chrisohaver]

I could be misunderstanding the vulnerability, but it sounds like the vulnerability is in the serving/receiving of HTTP requests, not making requests. CoreDNS accepts incoming HTTP requests in at least a few place (e.g. if serving DOH, serving metrics, responding to health/readiness checks). Without deeper analysis, I'd say any of those could potentially be vulnerable.

[orsenthil]

@chrisohaver that's what my initial suspicion was, but even in the places where CoreDNS was accepting incoming HTTP requests (while serving DOH, metrics and health), I could't see the usage of the http2 request with cache keys that the particular CVE talked about.

I will appreciate a deeper review from the coredns team.

Thank you.

[orsenthil]

True, an analysis will help, as we can update the defaults of CoreDNS used in Kubernetes is CoreDNS 1.8.6 https://github.com/kubernetes/kubernetes/blob/v1.24.11/cluster/addons/dns/coredns/coredns.yaml.sed#L142

[chrisohaver]

we can update the defaults of CoreDNS used in Kubernetes

A PR is already open to update to 1.10.1: kubernetes/kubernetes#115603

[orsenthil]

That's still against the master, but the patch trains of k8s (supported versions) and choose to go with pinned version, unless there is a good reason to update. Trying to determine if this was, and I am not sure of k8s policy on updating non master versions too.

[chrisohaver]

Not sure. Until someone has time and volunteers to do a detailed code dive and analysis, my assessment is that CoreDNS versions prior to 1.10.1 have this vulnerability.

[orsenthil]

Just a note; the CVE isn't flagged by scanners when used with latest golang runtime, and with coredns 1.9.3 as well.