Skip to content

/go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: imperva HTTP/2 attack vectors report #16630

Closed
dlsniper opened this issue Aug 7, 2016 · 5 comments

Comments

Assignees

@bradfitz bradfitz

Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
4 participants
@dlsniper @bradfitz @as @gopherbot
@dlsniper
Copy link
Contributor

commented Aug 7, 2016
edited

Hello,

I've just seen the issues highlighted by this report: https://www.nginx.com/blog/the-imperva-http2-vulnerability-report-and-nginx/ (download shortcut: http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf) with regards to HTTP/2 implementation in web servers and I'd like to ask if this is something that the Go team is aware of and if Go itself is vulnerable to the issues described there.
Sorry if this is the wrong place to ask, I wasn't sure if I should ask here or on golang-dev.

Thank you.

@dlsniper dlsniper changed the title Imperva HTTP/2 attack vectors Imperva HTTP/2 attack vectors report Aug 7, 2016

@josharian josharian changed the title Imperva HTTP/2 attack vectors report net/http: imperva HTTP/2 attack vectors report Aug 7, 2016

@josharian josharian assigned bradfitz Aug 7, 2016

@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Member

commented Aug 7, 2016

Can I reply in text or do I need to generate a PDF?
@dlsniper

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

commented Aug 7, 2016

I couldn't see a text version of it, aside from this rather useless link: http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&ID=2192322 , sorry.
I understand that the issues are in the specific implementations not the protocol itself.

Thank you.
@as

This comment has been minimized.

Sign in to view
Copy link
Contributor

commented Aug 7, 2016

The PDF is wordy, so here's a summary of the article's contents. None of the specific issues mentioned are about Go, and some do not even seem possible (1 thread per stream, buffer overflow, etc).

(page 7) HTTP/2 Stream Multiplexing

  • CVE-2016-0150 Microsoft's HTTP/2 kernel driver crashes after seeing two requests for the same stream

(page 9) HTTP/2 Flow Control

  • CVE-2016-1546 "Slow Read Attack." Four non-Go implementations (IIS, Apache, Nginx, Jetty) affected. Paper mentions one-thread-per-stream.

(page 12) Dependency and Priority

  • CVE-2015-8659 Implementation-specific (Nginx) use-after-free bug

(page 16) HPACK Bomb
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Member

commented Aug 7, 2016

The only one I'd want to double-check is the HPACK bomb (haven't read the details yet). But golang/net@6050c11 and golang/net@21c3935 and golang/net@59e870b and golang/net@d8f3c68 and golang/net@29704b8 seem to cover it.
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Member

commented Aug 8, 2016

Yeah, I think we're fine here. Please file a bug if you find a problem in Go's implementation.

@bradfitz bradfitz closed this Aug 8, 2016

@bystones bystones referenced this issue Aug 21, 2016

Closed

net/http: verify HTTP2 implementation against recent CVEs #16825

@golang golang locked and limited conversation to collaborators Aug 8, 2017

@gopherbot gopherbot added the FrozenDueToAge label Aug 8, 2017

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.