Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http, x/net/http2: Denial of Service vulnerabilities in the HTTP/2 implementation #33606

Closed
FiloSottile opened this issue Aug 12, 2019 · 4 comments

Comments

@FiloSottile
Copy link
Member

commented Aug 12, 2019

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes. Servers will now close connections if the send queue accumulates too many control messages.

Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.

These issues are CVE-2019-9512 and CVE-2019-9514.

@golang golang locked and limited conversation to collaborators Aug 12, 2019

@dmitshur dmitshur changed the title Placeholder issue net/http: Denial of Service vulnerabilities in the HTTP/2 implementation Aug 13, 2019

@golang golang unlocked this conversation Aug 13, 2019

@dmitshur

This comment has been minimized.

Copy link
Member

commented Aug 13, 2019

@gopherbot Please backport this to 1.12 and 1.11. This was a security problem.

@gopherbot

This comment has been minimized.

Copy link

commented Aug 13, 2019

Backport issue(s) opened: #33630 (for 1.11), #33631 (for 1.12).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

gopherbot pushed a commit to golang/net that referenced this issue Aug 13, 2019
[release-branch.go1.12] http2: limit number of control frames in serv…
…er send queue

An attacker could cause servers to queue an unlimited number of PING
ACKs or RST_STREAM frames by soliciting them and not reading them, until
the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit
imposed by other vendors) by counting as they enter and exit the scheduler,
so the protection will work with any WriteScheduler.

Once the limit is exceeded, close the connection, as we have no way to
communicate with the peer.

This addresses CVE-2019-9512 and CVE-2019-9514.

Updates golang/go#33606

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
(cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526069
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit to golang/net that referenced this issue Aug 13, 2019
[release-branch.go1.11] http2: limit number of control frames in serv…
…er send queue

An attacker could cause servers to queue an unlimited number of PING
ACKs or RST_STREAM frames by soliciting them and not reading them, until
the program runs out of memory.

Limit control frames in the queue to a few thousands (matching the limit
imposed by other vendors) by counting as they enter and exit the scheduler,
so the protection will work with any WriteScheduler.

Once the limit is exceeded, close the connection, as we have no way to
communicate with the peer.

This addresses CVE-2019-9512 and CVE-2019-9514.

Updates golang/go#33606

Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
(cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Aug 13, 2019
[release-branch.go1.11-security] net/http: update bundled http2 to im…
…port security fix

Apply the following unpublished golang.org/x/net commit.

    commit b1cc14aba47abf96f96818003fa4caad3a4b4e86
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    [release-branch.go1.11] http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
    (cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526070
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Fixes CVE-2019-9512 and CVE-2019-9514
Updates #33606

Change-Id: Iecedf1cc63ec7a1cd75661ec591d91ebc911cc64
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526072
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Aug 13, 2019
[release-branch.go1.12-security] net/http: update bundled http2 to im…
…port security fix

Apply the following unpublished golang.org/x/net commit.

    commit cdfb69ac37fc6fa907650654115ebebb3aae2087
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    [release-branch.go1.12] http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>
    (cherry picked from commit 589ad6cc5321fb68a90370348a241a5da0a2cc80)
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526069
    Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

Fixes CVE-2019-9512 and CVE-2019-9514
Updates #33606

Change-Id: I282b3e0fa22422d9ea0d07f4a3935685ce4a7433
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/526071
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>

@dmitshur dmitshur added the Security label Aug 13, 2019

@gopherbot

This comment has been minimized.

Copy link

commented Aug 13, 2019

Change https://golang.org/cl/190137 mentions this issue: net/http: update bundled golang.org/x/net/http2 to import security fix

@dmitshur dmitshur changed the title net/http: Denial of Service vulnerabilities in the HTTP/2 implementation net/http, x/net/http2: Denial of Service vulnerabilities in the HTTP/2 implementation Aug 13, 2019

mvladev added a commit to mvladev/gardener that referenced this issue Aug 14, 2019
mvladev added a commit to mvladev/gardener that referenced this issue Aug 14, 2019
mvladev added a commit to mvladev/gardener that referenced this issue Aug 14, 2019
rfranzke added a commit to gardener/gardener that referenced this issue Aug 14, 2019
Upgrade golang to 1.12.8 due to multiple CVEs
https://groups.google.com/forum/#!topic/golang-nuts/fCQWxqxP8aA
golang/go#33606

```noteworthy developer
The golang version has been updated to `1.12.8` (fixing `CVE-2019-9512` and `CVE-2019-9514`).
```
artyom added a commit to artyom/tlstun that referenced this issue Aug 14, 2019
@gopherbot

This comment has been minimized.

Copy link

commented Aug 23, 2019

Change https://golang.org/cl/191618 mentions this issue: [release-branch.go1.13] net/http: update bundled golang.org/x/net/http2 to import security fix

gopherbot pushed a commit that referenced this issue Aug 23, 2019
net/http: update bundled golang.org/x/net/http2 to import security fix
Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import
the following security fix.

    commit 74dc4d7220e7acc4e100824340f3e66577424772
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes #33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit that referenced this issue Aug 23, 2019
[release-branch.go1.13] net/http: update bundled golang.org/x/net/htt…
…p2 to import security fix

Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import
the following security fix.

    commit 74dc4d7220e7acc4e100824340f3e66577424772
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes #33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
(cherry picked from commit 145e193)
Reviewed-on: https://go-review.googlesource.com/c/go/+/191618
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
t4n6a1ka added a commit to t4n6a1ka/go that referenced this issue Sep 5, 2019
net/http: update bundled golang.org/x/net/http2 to import security fix
Update golang.org/x/net to v0.0.0-20190813141303-74dc4d7220e7 to import
the following security fix.

    commit 74dc4d7220e7acc4e100824340f3e66577424772
    Author: Filippo Valsorda <filippo@golang.org>
    Date:   Sun Aug 11 02:12:18 2019 -0400

    http2: limit number of control frames in server send queue

    An attacker could cause servers to queue an unlimited number of PING
    ACKs or RST_STREAM frames by soliciting them and not reading them, until
    the program runs out of memory.

    Limit control frames in the queue to a few thousands (matching the limit
    imposed by other vendors) by counting as they enter and exit the scheduler,
    so the protection will work with any WriteScheduler.

    Once the limit is exceeded, close the connection, as we have no way to
    communicate with the peer.

    Change-Id: I842968fc6ed3eac654b497ade8cea86f7267886b
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/525552
    Reviewed-by: Brad Fitzpatrick <bradfitz@google.com>

This change was generated with cmd/go and cmd/bundle:

$ go get -u golang.org/x/net
$ go mod tidy
$ go mod vendor
$ go generate net/http

Fixes CVE-2019-9512 and CVE-2019-9514
Fixes golang#33606

Change-Id: I464baf96175006aa101d65d3b0f6494f28a626ab
Reviewed-on: https://go-review.googlesource.com/c/go/+/190137
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.