net/http: imperva HTTP/2 attack vectors report #16630

Closed
dlsniper opened this issue Aug 7, 2016 · 5 comments

@dlsniper
Contributor

commented Aug 7, 2016

Hello,

I've just seen the issues highlighted by this report: https://www.nginx.com/blog/the-imperva-http2-vulnerability-report-and-nginx/ (download shortcut: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf) with regard to HTTP/2 implementation in web servers, and I'd like to ask if this is something that the Go team is aware of and if Go itself is vulnerable to the issues described there.
Sorry if this is the wrong place to ask, I wasn't sure if I should ask here or on golang-dev.

Thank you.

@dlsniper dlsniper changed the title Imperva HTTP/2 attack vectors Imperva HTTP/2 attack vectors report Aug 7, 2016

@josharian josharian changed the title Imperva HTTP/2 attack vectors report net/http: imperva HTTP/2 attack vectors report Aug 7, 2016

@bradfitz

Member

commented Aug 7, 2016

Can I reply in text or do I need to generate a PDF?

@dlsniper

Contributor Author

commented Aug 7, 2016

I couldn't see a text version of it, aside from this rather useless link: http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&ID=2192322 , sorry.
I understand that the issues are in the specific implementations, not the protocol itself.

Thank you.

@as

Contributor

commented Aug 7, 2016

The PDF is wordy, so here's a summary of the article's contents. None of the specific issues mentioned are about Go, and some do not even seem possible (1 thread per stream, buffer overflow, etc.).

(page 7) HTTP/2 Stream Multiplexing

  • CVE-2016-0150 Microsoft's HTTP/2 kernel driver crashes after seeing two requests for the same stream

(page 9) HTTP/2 Flow Control

  • CVE-2016-1546 "Slow Read Attack." Four non-Go implementations (IIS, Apache, Nginx, Jetty) affected. Paper mentions one-thread-per-stream.

(page 12) Dependency and Priority

  • CVE-2015-8659 Implementation-specific (Nginx) use-after-free bug

(page 16) HPACK Bomb

@bradfitz

Member

commented Aug 7, 2016

The only one I'd want to double-check is the HPACK bomb (haven't read the details yet). But golang/net@6050c11 and golang/net@21c3935 and golang/net@59e870b and golang/net@d8f3c68 and golang/net@29704b8 seem to cover it.

@bradfitz

Member

commented Aug 8, 2016

Yeah, I think we're fine here. Please file a bug if you find a problem in Go's implementation.

@bradfitz bradfitz closed this Aug 8, 2016

@golang golang locked and limited conversation to collaborators Aug 8, 2017
