Replies: 2 comments 6 replies
-
I could be misunderstanding the vulnerability, but it sounds like the vulnerability is in the serving/receiving of HTTP requests, not making requests. CoreDNS accepts incoming HTTP requests in at least a few place (e.g. if serving DOH, serving metrics, responding to health/readiness checks). Without deeper analysis, I'd say any of those could potentially be vulnerable. |
Beta Was this translation helpful? Give feedback.
-
@chrisohaver that's what my initial suspicion was, but even in the places where CoreDNS was accepting incoming HTTP requests (while serving DOH, metrics and health), I could't see the usage of the http2 request with cache keys that the particular CVE talked about. I will appreciate a deeper review from the coredns team. Thank you. |
Beta Was this translation helpful? Give feedback.
-
The GHSA-xrjj-mj9h-534m mentioned in the golang list -
https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ
Indicates that servers accepting http2 requests can be attacked.
The CoreDNS used in Kubernetes is CoreDNS 1.8.6
https://github.com/kubernetes/kubernetes/blob/v1.24.11/cluster/addons/dns/coredns/coredns.yaml.sed#L142
Reading the source code of CoreDNS, I have determined that this is not applicable to CoreDNS - there is not http2 POST anywhere, especially the server side of the CoreDNS.
The scanners might flag the cve due to old go language run time used to compile or due to dependencies. But that only needs supression rather than anything else.
Can someone confirm this analysis for me?
Thank you!
Beta Was this translation helpful? Give feedback.
All reactions