OCPBUGS-21471: [release-4.11] UPSTREAM: <carry>: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 #1761

Merged
merged 4 commits into openshift:release-4.11 on Oct 14, 2023

Conversation

@ncdc ncdc commented Oct 11, 2023

/kind bug

What this PR does / why we need it:

Bumping golang.org/x/net in light of CVE-2023-39325 and CVE-2023-44487.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Address CVE-2023-44487 and CVE-2023-39325 for all components that serve HTTP/2.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Oct 11, 2023
@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 11, 2023
@ncdc ncdc requested review from soltysh and deads2k October 11, 2023 16:29
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot requested a review from mfojtik October 11, 2023 16:30
@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Oct 11, 2023
@ncdc

ncdc commented Oct 11, 2023

/retest

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when the client is unauthenticated.

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(with keep-alive disabled).

Since this change has the potential to cause issues, the
UnauthenticatedHTTP2DOSMitigation feature gate can be disabled to
remove this protection (it is enabled by default).  For example,
when the API server is fronted by an L7 load balancer that is set up
to mitigate http2 attacks, unauthenticated clients could force
disable connection reuse between the load balancer and the API
server (many incoming connections could share the same backend
connection).  An API server that is on a private network may opt to
disable this protection to prevent performance regressions for
unauthenticated clients.

For all other clients, we rely on the golang.org/x/net fix in
golang/net@b225e7c
That change is not sufficient to adequately protect against a
motivated client - future changes to Kube and/or golang.org/x/net
will be explored to address this gap.

The Kube API server now uses a max stream of 100 instead of 250
(this matches the Go http2 client default).  This lowers the abuse
limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit d40f08f)
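As an added illustration of the mechanism the commit message above describes, and not code from this PR or from Kubernetes itself: a net/http middleware that marks HTTP/2 responses to rejected (401) or anonymous requests with `Connection: close`, behind a boolean that stands in for the UnauthenticatedHTTP2DOSMitigation gate. The `Authenticator` type, `demoAuthenticate` and its token values are constructed for the example. The effect relies on how the golang.org/x/net/http2 server treats a `Connection: close` response header: it drops the header from the wire (it is not legal in HTTP/2) and starts a graceful shutdown of the connection, so the next request costs the client a new TCP connection, which is the "http2 with http1 performance" trade-off the message refers to.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// MaxStreamsPerConnection is the per-connection stream limit the commit message
// settles on (100, matching the Go http2 client default). A handler cannot enforce
// it; it belongs in the http2 server configuration (MaxConcurrentStreams).
const MaxStreamsPerConnection = 100

// AnonymousUser is the username the Kubernetes API server assigns to anonymous requests.
const AnonymousUser = "system:anonymous"

// Authenticator stands in (assumption) for the API server's authentication chain:
// it returns the resolved username and whether authentication succeeded.
type Authenticator func(r *http.Request) (user string, ok bool)

// demoAuthenticate is a constructed authenticator for this example only: no token maps
// to the anonymous user, "good-token" maps to a named user, anything else is rejected.
func demoAuthenticate(r *http.Request) (string, bool) {
	switch r.Header.Get("Authorization") {
	case "":
		return AnonymousUser, true
	case "Bearer good-token":
		return "alice", true
	default:
		return "", false
	}
}

// mitigationApplies encodes the decision from the commit message: with the gate on,
// an HTTP/2 request that is either rejected (401) or attributed to the anonymous user
// must not be allowed to keep its connection open. HTTP/1.x is left alone.
func mitigationApplies(gateEnabled bool, protoMajor int, authOK bool, user string) bool {
	if !gateEnabled || protoMajor != 2 {
		return false
	}
	return !authOK || user == AnonymousUser
}

// WithUnauthenticatedHTTP2Close wraps next with the mitigation. On x/net's http2
// server, "Connection: close" on the response triggers a graceful GOAWAY after the
// response is written, so unauthenticated clients cannot park idle HTTP/2 connections.
func WithUnauthenticatedHTTP2Close(next http.Handler, gateEnabled bool, auth Authenticator) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := auth(r)
		if mitigationApplies(gateEnabled, r.ProtoMajor, ok, user) {
			w.Header().Set("Connection", "close")
		}
		if !ok {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// serve pushes one synthetic request through the wrapped handler and reports the
// status code and whether the response asks for the connection to be closed.
func serve(gateEnabled bool, protoMajor int, authorization string) (status int, closes bool) {
	h := WithUnauthenticatedHTTP2Close(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), gateEnabled, demoAuthenticate)
	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	// httptest builds an HTTP/1.1 request; override the protocol fields for the HTTP/2 cases.
	req.ProtoMajor, req.ProtoMinor, req.Proto = protoMajor, 0, fmt.Sprintf("HTTP/%d.0", protoMajor)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Connection") == "close"
}

func main() {
	cases := []struct {
		gate  bool
		proto int
		auth  string
	}{
		{true, 2, ""},                  // anonymous over HTTP/2: 200, connection closed
		{true, 2, "Bearer bad"},        // rejected over HTTP/2: 401, connection closed
		{true, 2, "Bearer good-token"}, // authenticated: 200, connection kept
		{true, 1, ""},                  // anonymous over HTTP/1: untouched
		{false, 2, ""},                 // gate disabled: untouched
	}
	for _, c := range cases {
		status, closes := serve(c.gate, c.proto, c.auth)
		fmt.Printf("gate=%v HTTP/%d auth=%q -> status=%d close=%v\n", c.gate, c.proto, c.auth, status, closes)
	}
}
```

The gate boolean is the only knob here, mirroring the commit message's point that the protection can be switched off where an L7 load balancer in front of the server already handles HTTP/2 abuse and connection reuse between balancer and backend matters more.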
… http1 tests

These occasionally flake on CI:

https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/121200/pull-kubernetes-unit-go-compatibility/1712589824344461312

=== Failed
=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)
    authentication_test.go:653: expect TCP connection: 1, actual: 2
        --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true/http/1.1 (0.19s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)
    --- FAIL: TestUnauthenticatedHTTP2ClientConnectionClose/other_skip=true (0.23s)

=== FAIL: vendor/k8s.io/apiserver/pkg/endpoints/filters TestUnauthenticatedHTTP2ClientConnectionClose (2.30s)

Signed-off-by: Monis Khan <mok@microsoft.com>
(cherry picked from commit 2029344)
Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@@ -196,6 +214,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
ServerSideApply: {Default: true, PreRelease: featuregate.GA},
StorageVersionHash: {Default: true, PreRelease: featuregate.Beta},
StorageVersionAPI: {Default: false, PreRelease: featuregate.Alpha},
UnauthenticatedHTTP2DOSMitigation: {Default: true, PreRelease: featuregate.Beta},
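Review bot: the new UnauthenticatedHTTP2DOSMitigation gate lands enabled by default (`Default: true, PreRelease: featuregate.Beta`) on a release branch, while the PR's user-facing change line names only the two CVEs; since the commit message documents disabling the gate as the escape hatch for deployments behind an L7 load balancer that already mitigates HTTP/2 abuse, the release note should name the gate and state that it is on by default so 4.11 operators know where the switch is. Please also confirm the gate constant is declared and described in this file alongside the other gates, since the hunk shows only the map entry.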
Changes in this file look good.

@deads2k

deads2k commented Oct 13, 2023

/lgtm
/approve

going to approve the unvalidated commits. We've gone back past kube

@deads2k deads2k added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Oct 13, 2023
@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Oct 13, 2023
@deads2k deads2k added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Oct 13, 2023
@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 6981c04 and 2 for PR HEAD 4ac814f in total

Adjust test that was added to work with go 1.18

Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
@openshift-ci-robot openshift-ci-robot added backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. and removed backports/validated-commits Indicates that all commits come to merged upstream PRs. labels Oct 13, 2023
@openshift-ci-robot

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2023
@deads2k

deads2k commented Oct 13, 2023

/lgtm

@deads2k deads2k added backports/validated-commits Indicates that all commits come to merged upstream PRs. and removed backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. labels Oct 13, 2023
@openshift-ci

openshift-ci bot commented Oct 13, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, ncdc

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 13, 2023
@ncdc ncdc changed the title [release-4.11] UPSTREAM: <carry>: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 OCPBUGS-21471: [release-4.11] UPSTREAM: <carry>: [CVE-2023-39325] .: bump golang.org/x/net to v0.17.0 Oct 13, 2023
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Oct 13, 2023
@openshift-ci-robot

@ncdc: This pull request references Jira Issue OCPBUGS-21471, which is invalid:

  • expected Jira Issue OCPBUGS-21471 to depend on a bug targeting a version in 4.12.0, 4.12.z and in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but no dependents were found

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Retaining the jira/valid-bug label as it was manually added.


@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 6981c04 and 2 for PR HEAD 61fc003 in total

@ncdc

ncdc commented Oct 13, 2023

/test k8s-e2e-gcp

rpmbuild flake

@jupierce

/retest

@openshift-ci openshift-ci bot merged commit ec2a592 into openshift:release-4.11 Oct 14, 2023
18 of 19 checks passed
@openshift-ci-robot

@ncdc: Jira Issue OCPBUGS-21471: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-21471 has been moved to the MODIFIED state.


@openshift-merge-robot

Fix included in accepted release 4.11.0-0.nightly-2023-10-14-102406
