Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCPBUGS-21584: UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 #1757

Merged
merged 3 commits into from
Oct 13, 2023
Merged

OCPBUGS-21584: UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 #1757

merged 3 commits into from
Oct 13, 2023

Commits on Oct 12, 2023

  1. UPSTREAM: 121128: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 

    Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
    @ncdc
    ncdc committed Oct 12, 2023
    Configuration menu
    Copy the full SHA
    ac4be70 View commit details
    Browse the repository at this point in the history

Commits on Oct 13, 2023

  1. UPSTREAM: 121196: Prevent rapid reset http2 DOS on API server 

    This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
golang/net@b225e7c
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit 238d89c)
    @enj @ncdc
    enj authored and ncdc committed Oct 13, 2023
    Configuration menu
    Copy the full SHA
    d9d763d View commit details
    Browse the repository at this point in the history

  2. UPSTREAM: 121204: Skip TestUnauthenticatedHTTP2ClientConnectionClose … 

    …http1 tests

These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit 9fa4bdf)
    @enj @ncdc
    enj authored and ncdc committed Oct 13, 2023
    Configuration menu
    Copy the full SHA
    9a9476a View commit details
    Browse the repository at this point in the history