fix: disable HTTP2 connections by default #6028
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
simonpasquier
force-pushed
the
disable-http2
branch
from
b3f1f22
to
7da8258
Compare
This change mitigates CVE-2023-44487 by disabling HTTP2 by default and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory. It is possible to revert back the change by using the `--web.enable-http2` argument. Before this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted h2 [...] * using HTTP/2 * h2h3 [:method: GET] * h2h3 [:path: /metrics] * h2h3 [:scheme: https] * h2h3 [:authority: localhost:8443] * h2h3 [user-agent: curl/8.0.1] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5594d4614b10) [...] > GET /metrics HTTP/2 [...] ``` After this change: ``` curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted http/1.1 [...] * using HTTP/1.1 > GET /metrics HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/8.0.1 > Accept: */* [...] < HTTP/1.1 200 OK [...] ``` See also: * kubernetes/kubernetes#121120 * kubernetes/kubernetes#121197 * golang/go#63417 (comment) Signed-off-by: Simon Pasquier <spasquie@redhat.com>
simonpasquier
force-pushed
the
disable-http2
branch
from
7da8258
to
a62e814
Compare
ArthurSens
approved these changes
Oct 20, 2023
nicolastakashi
approved these changes
Oct 23, 2023
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 3, 2023
Backporting prometheus-operator#6028 Signed-off-by: Jayapriya Pai <janantha@redhat.com>
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 3, 2023
Backporting prometheus-operator#6028 Signed-off-by: Jayapriya Pai <janantha@redhat.com>
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 3, 2023
Backporting prometheus-operator#6028 Signed-off-by: Jayapriya Pai <janantha@redhat.com>
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 6, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
5 tasks
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 6, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com> (cherry picked from commit 374f4b3)
Merged
5 tasks
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 6, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com> (cherry picked from commit 374f4b3)
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 6, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com> (cherry picked from commit 374f4b3)
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 6, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com> (cherry picked from commit 374f4b3)
slashpai
added a commit
to slashpai/prometheus-operator
that referenced
this pull request
Nov 6, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com> (cherry picked from commit 374f4b3)
adinhodovic
pushed a commit
to adinhodovic/prometheus-operator
that referenced
this pull request
Nov 13, 2023
After disabling HTTP2 connections by default in prometheus-operator#6028 started seeing verbose logging in admission webhook pods like: `ts=2023-11-06T01:50:34.601774794Z caller=stdlib.go:105 caller=server.go:3215 msg="http: superfluous response.WriteHeader call from main.newSrv.func1 (main.go:173)" ` Go doc says If WriteHeader is not called explicitly, the first call to Write will trigger an implicit WriteHeader(http.StatusOK). This fix is to change the order of the method invocation so log doesn't complain about this Signed-off-by: Jayapriya Pai <slashpai9@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This change mitigates CVE-2023-44487 by disabling HTTP2 connections by default and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory.
It is possible to revert back the change by using the
--web.enable-http2argument.Before this change:
After this change:
See also:
Type of change
What type of changes does your code introduce to the Prometheus operator? Put an
xin the box that apply.CHANGE(fix or feature that would cause existing functionality to not work as expected)FEATURE(non-breaking change which adds functionality)BUGFIX(non-breaking change which fixes an issue)ENHANCEMENT(non-breaking change which improves existing functionality)NONE(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry
Please put a one-line changelog entry below. This will be copied to the changelog file during the release process.