Mitigate http/2 attacks by authenticated clients #121197

enj · 2023-10-12T21:29:32Z

golang/net@b225e7c does not sufficiently protect us from a malicious http/2 client. #121120 handles unauthenticated clients. This issue tracks mitigations for authenticated clients.

pprof svg from a single client with a single connection attempting to DOS a Kube API server that has max streams set to 100 (memory usage grew to 5 GB in a few mins before it stabilized - with multiple connections the API server would have easily OOM'd):

xref: golang/go#63417 (comment)

The text was updated successfully, but these errors were encountered:

liggitt · 2023-10-12T21:36:35Z

/sig api-machinery

k8s-ci-robot · 2023-10-12T21:36:37Z

@liggitt: The label(s) sig/networking cannot be applied, because the repository doesn't have them.

In response to this:

/sig api-machinery networking

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

liggitt · 2023-10-12T21:36:43Z

/sig network

enj · 2023-10-12T21:56:00Z

/milestone v1.29

hailkomputer · 2023-10-17T06:56:07Z

Hello @enj , Bug triage team lead here. I want to check the status.
The code freeze is starting 01:00 UTC Wednesday 1st November 2023 / 18:00 PDT Tuesday 31st October 2023 (about two weeks from now), and while there is still plenty of time, we want to ensure that each PR has a chance to be merged and issue’s are addressed on time.
As the issue is tagged for 1.29, is it planned for this release?

This change mitigates CVE-2023-44487 by disabling HTTP2 and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory. Before this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted h2 [...] * using HTTP/2 * h2h3 [:method: GET] * h2h3 [:path: /metrics] * h2h3 [:scheme: https] * h2h3 [:authority: localhost:8443] * h2h3 [user-agent: curl/8.0.1] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5594d4614b10) [...] > GET /metrics HTTP/2 [...] ``` After this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted http/1.1 [...] * using HTTP/1.1 > GET /metrics HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/8.0.1 > Accept: */* [...] < HTTP/1.1 200 OK [...] ``` See also: * kubernetes/kubernetes#121120 * kubernetes/kubernetes#121197 * golang/go#63417 (comment) Signed-off-by: Simon Pasquier <spasquie@redhat.com>

This change mitigates CVE-2023-44487 by disabling HTTP2 by default and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory. It is possible to revert back the change by using the `--web.enable-http2` argument. Before this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted h2 [...] * using HTTP/2 * h2h3 [:method: GET] * h2h3 [:path: /metrics] * h2h3 [:scheme: https] * h2h3 [:authority: localhost:8443] * h2h3 [user-agent: curl/8.0.1] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5594d4614b10) [...] > GET /metrics HTTP/2 [...] ``` After this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted http/1.1 [...] * using HTTP/1.1 > GET /metrics HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/8.0.1 > Accept: */* [...] < HTTP/1.1 200 OK [...] ``` See also: * kubernetes/kubernetes#121120 * kubernetes/kubernetes#121197 * golang/go#63417 (comment) Signed-off-by: Simon Pasquier <spasquie@redhat.com>

Commit b3b011b was not enough to prevent HTTP2 connections as demonstrated in kubernetes/kubernetes#121197. To prevent any risk with HTTP2, this change disables HTTP2 at the server level. There's no expected performance penalty because the web server is only used for scraping metrics. Signed-off-by: Simon Pasquier <spasquie@redhat.com>

This change mitigates CVE-2023-44487 by disabling HTTP2 by default and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory. It is possible to revert back the change by using the `--web.enable-http2` argument. Before this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted h2 [...] * using HTTP/2 * h2h3 [:method: GET] * h2h3 [:path: /metrics] * h2h3 [:scheme: https] * h2h3 [:authority: localhost:8443] * h2h3 [user-agent: curl/8.0.1] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5594d4614b10) [...] > GET /metrics HTTP/2 [...] ``` After this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted http/1.1 [...] * using HTTP/1.1 > GET /metrics HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/8.0.1 > Accept: */* [...] < HTTP/1.1 200 OK [...] ``` See also: * kubernetes/kubernetes#121120 * kubernetes/kubernetes#121197 * golang/go#63417 (comment) Signed-off-by: Simon Pasquier <spasquie@redhat.com>

It appears that mitigating the recent http2 vulnerabilities (see CVE-2023-44487 and CVE-2023-39325) requires [more than just a library update to golang.org/x/net][1]. Until better mitigations have been developed, disable http2 in both the metrics and webhooks servers. [1]: kubernetes/kubernetes#121197 Signed-off-by: Andy Sadler <ansadler@redhat.com>

This change mitigates CVE-2023-44487 by disabling HTTP2 by default and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory. It is possible to revert back the change by using the `--web.enable-http2` argument. Before this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted h2 [...] * using HTTP/2 * h2h3 [:method: GET] * h2h3 [:path: /metrics] * h2h3 [:scheme: https] * h2h3 [:authority: localhost:8443] * h2h3 [user-agent: curl/8.0.1] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5594d4614b10) [...] > GET /metrics HTTP/2 [...] ``` After this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted http/1.1 [...] * using HTTP/1.1 > GET /metrics HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/8.0.1 > Accept: */* [...] < HTTP/1.1 200 OK [...] ``` See also: * kubernetes/kubernetes#121120 * kubernetes/kubernetes#121197 * golang/go#63417 (comment) Signed-off-by: Simon Pasquier <spasquie@redhat.com>

zelenushechka · 2024-02-13T11:09:29Z

Hello!
Release Signal shadow here.
This issue has not been updated for a long time, so I'd like to check what's the status. The code freeze is starting 02:00 UTC Wednesday 6th March 2024 / 18:00 PDT Tuesday 5th March 2024 (less than a month from now), and while there is still plenty of time, we want to ensure that each PR has a chance to be merged on time.

As this issue is tagged for 1.30, is it still planned for this release?

zelenushechka · 2024-02-29T08:45:02Z

Hello!
Release Signal shadow here.
I'd like to check what's the status. The code freeze is starting 02:00 UTC Wednesday 6th March 2024 / 18:00 PDT Tuesday 5th March 2024 in a week, and we want to ensure that each PR has a chance to be merged on time.

Is it still planned for this release?

Vyom-Yadav · 2024-03-11T07:47:38Z

We are past the code freeze stage. Moving this to the next release.

/milestone v1.31

Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197

Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197 Signed-off-by: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>

… Risks (#484) Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197 Signed-off-by: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>

… Risks (#484) Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197

k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 12, 2023

k8s-ci-robot added the sig/network Categorizes an issue or PR as relevant to SIG Network. label Oct 12, 2023

liggitt removed the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Oct 12, 2023

k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 12, 2023

k8s-ci-robot added this to the v1.29 milestone Oct 12, 2023

k8s-infra-ci-robot added this to [sig-release] Bug Triage Oct 12, 2023

hailkomputer moved this to Tracked in [sig-release] Bug Triage Oct 13, 2023

khrm mentioned this issue Oct 19, 2023

Disable HTTP/2 for webhook tektoncd/pipeline#7235

Closed

simonpasquier mentioned this issue Oct 19, 2023

fix: disable HTTP2 connections by default prometheus-operator/prometheus-operator#6028

Merged

5 tasks

simonpasquier mentioned this issue Oct 19, 2023

OCPBUGS-21631: fix: force HTTP/1.1 connections openshift/cluster-monitoring-operator#2128

Merged

2 tasks

sadlerap mentioned this issue Oct 19, 2023

disable http2 for metrics and webhooks by default servicebinding/runtime#356

Merged

johannes94 mentioned this issue Oct 20, 2023

fix: force HTTP1.1 for operator webhooks to remidiate CVE-2023-44487 stackrox/stackrox#8279

Merged

1 task

k8s-ci-robot modified the milestones: v1.30, v1.31 Mar 11, 2024

k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Apr 23, 2024

k8s-ci-robot removed this from the v1.31 milestone Apr 23, 2024

enj mentioned this issue Apr 26, 2024

proposal: x/net/http2: provide hook for custom frame policers golang/go#63518

Open

ChristianZaccaria mentioned this issue May 10, 2024

Vulnerability - CVE-2023-44487 kubeflow/trainer#2110

Closed

camilamacedo86 mentioned this issue Dec 13, 2024

🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks operator-framework/catalogd#484

Merged

This was referenced Dec 17, 2024

✨ Add RBAC files for metrics authentication and authorization metal3-io/baremetal-operator#2116

Merged

Replace kube-rbac-proxy kubernetes-sigs/lws#284

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mitigate http/2 attacks by authenticated clients #121197

Mitigate http/2 attacks by authenticated clients #121197

enj commented Oct 12, 2023

liggitt commented Oct 12, 2023 •

edited

Loading

k8s-ci-robot commented Oct 12, 2023

liggitt commented Oct 12, 2023

enj commented Oct 12, 2023

hailkomputer commented Oct 17, 2023

zelenushechka commented Feb 13, 2024

zelenushechka commented Feb 29, 2024

Vyom-Yadav commented Mar 11, 2024

Mitigate http/2 attacks by authenticated clients #121197

Mitigate http/2 attacks by authenticated clients #121197

Comments

enj commented Oct 12, 2023

liggitt commented Oct 12, 2023 • edited Loading

k8s-ci-robot commented Oct 12, 2023

liggitt commented Oct 12, 2023

enj commented Oct 12, 2023

hailkomputer commented Oct 17, 2023

zelenushechka commented Feb 13, 2024

zelenushechka commented Feb 29, 2024

Vyom-Yadav commented Mar 11, 2024

liggitt commented Oct 12, 2023 •

edited

Loading