net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) #57855

Closed
neild opened this issue Jan 17, 2023 · 13 comments
Labels: FrozenDueToAge, NeedsFix (The path to resolution is known, but the work has not been done.), Security

Comments

neild (Contributor) commented Jan 17, 2023

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

This issue is also fixed in golang.org/x/net/http2, for users manually configuring HTTP/2.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

This is a PRIVATE issue for CVE-2022-41723, tracked in http://b/262602307 and fixed by http://tg/1688184.

@neild neild added Security NeedsFix The path to resolution is known, but the work has not been done. labels Jan 17, 2023
@seankhliao seankhliao added this to the Go1.20 milestone Jan 20, 2023
@gopherbot gopherbot modified the milestones: Go1.20, Go1.21 Feb 1, 2023
@rolandshoemaker (Member)

@gopherbot please open backport issues.

@gopherbot

Backport issue(s) opened: #58355 (for 1.19), #58356 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot

Change https://go.dev/cl/468118 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

@gopherbot

Change https://go.dev/cl/468122 mentions this issue: [release-branch.go1.20] net/http: update bundled golang.org/x/net/http2

@gopherbot

Change https://go.dev/cl/468135 mentions this issue: http2/hpack: avoid quadratic complexity in hpack decoding

gopherbot pushed a commit that referenced this issue Feb 14, 2023
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-41723
Fixes #58356
Updates #57855

Change-Id: I603886b5b76c16303dab1420d4ec8b7c7cdcf330
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728940
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468122
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
gopherbot pushed a commit that referenced this issue Feb 14, 2023
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-41723
Fixes #58355
Updates #57855

Change-Id: Ie870562a6f6e44e4e8f57db6a0dde1a41a2b090c
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1728939
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/468118
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Than McIntosh <thanm@google.com>
@gopherbot

Change https://go.dev/cl/468295 mentions this issue: all: update vendored golang.org/x/net

@prattmic prattmic changed the title security: fix CVE-2022-41723 net/http: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) Feb 14, 2023
gopherbot pushed a commit that referenced this issue Feb 14, 2023
Pull in HTTP/2 security fix:

    CL 468135: http2/hpack: avoid quadratic complexity in hpack decoding

For #57855

Change-Id: Id6b05dc52a1a585c41c6aff0c51665614fd5e215
Reviewed-on: https://go-review.googlesource.com/c/go/+/468295
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Michael Pratt <mpratt@google.com>
@gopherbot

Change https://go.dev/cl/468335 mentions this issue: [internal-branch.go1.19-vendor] http2/hpack: avoid quadratic complexity in hpack decoding

@gopherbot

Change https://go.dev/cl/468336 mentions this issue: [internal-branch.go1.20-vendor] http2/hpack: avoid quadratic complexity in hpack decoding

gopherbot pushed a commit to golang/net that referenced this issue Feb 14, 2023
…ty in hpack decoding

When parsing a field literal containing two Huffman-encoded strings,
don't decode the first string until verifying all data is present.
Avoids forced quadratic complexity when repeatedly parsing a partial
field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723
For golang/go#58355

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8e2b117)
Reviewed-on: https://go-review.googlesource.com/c/net/+/468335
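The mechanism behind the report at the top of the thread and the ordering change the commit message describes, as an added example (this is not the x/net hpack code and not part of the original page): a stripped-down streaming HPACK parser in Go that handles one representation, a literal field with a Huffman-flagged name and value, and accumulates bytes across Write calls the way hpack.Decoder.Write retains a partial field. Huffman decoding is replaced by a stand-in that only charges one unit of work per byte, which is an assumption of the demo (real decoding is also linear in the input). With deferDecode=false the name is decoded before the parser knows the value is complete, so a field delivered one byte at a time is re-decoded on every call; with deferDecode=true the parser first locates both strings and decodes only once all bytes are present.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// errNeedMore means the buffer ends inside a header field; a streaming
// decoder keeps those bytes and retries when more data arrives.
var errNeedMore = errors.New("hpack: need more data")

// undecoded is a string literal located in the buffer but not yet decoded.
type undecoded struct {
	huff bool
	raw  []byte
}

// readString parses an HPACK string literal (RFC 7541 section 5.2): H bit,
// 7-bit-prefixed length (section 5.1), then the payload. It decodes nothing
// and reports errNeedMore until the whole payload is buffered.
func readString(buf []byte) (u undecoded, rest []byte, err error) {
	if len(buf) == 0 {
		return u, buf, errNeedMore
	}
	huff, n, rest := buf[0]&0x80 != 0, int(buf[0]&0x7f), buf[1:]
	if n == 0x7f { // length continues in 7-bit groups, low bits first
		for shift := uint(0); ; shift += 7 {
			if len(rest) == 0 {
				return u, buf, errNeedMore
			}
			if shift > 28 {
				return u, buf, errors.New("hpack: integer too large")
			}
			b := rest[0]
			rest = rest[1:]
			n += int(b&0x7f) << shift
			if b&0x80 == 0 {
				break
			}
		}
	}
	if len(rest) < n {
		return u, buf, errNeedMore
	}
	return undecoded{huff: huff, raw: rest[:n]}, rest[n:], nil
}

// decoder is a minimal streaming header-block parser in the style of
// hpack.Decoder: Write appends bytes, parses every complete field, and
// keeps a trailing partial field for the next call.
type decoder struct {
	deferDecode bool        // true: patched ordering, decode after the whole field is present
	buf         []byte      // unparsed bytes carried between Write calls
	work        int         // bytes pushed through decodeString, the cost metric
	fields      [][2]string // emitted (name, value) pairs
}

// decodeString stands in for Huffman decoding: the real decoder walks a code
// tree bit by bit, so its cost is linear in len(raw). This stand-in charges
// that cost and passes the bytes through unchanged (demo assumption).
func (d *decoder) decodeString(u undecoded) string {
	if u.huff {
		d.work += len(u.raw)
	}
	return string(u.raw)
}

// parseFieldLiteral parses one "literal header field with incremental
// indexing, new name" (first byte 0x40): a name string then a value string.
// Write only calls it with a non-empty buffer.
func (d *decoder) parseFieldLiteral(buf []byte) (rest []byte, err error) {
	if buf[0] != 0x40 {
		return buf, errors.New("hpack: unsupported representation")
	}
	name, rest, err := readString(buf[1:])
	if err != nil {
		return buf, err
	}
	var nameStr string
	if !d.deferDecode {
		// Vulnerable ordering: decode the name before knowing whether the
		// value is complete; on errNeedMore below this work is thrown away
		// and repeated by the next Write.
		nameStr = d.decodeString(name)
	}
	value, rest, err := readString(rest)
	if err != nil {
		return buf, err
	}
	if d.deferDecode {
		nameStr = d.decodeString(name) // fixed ordering: both strings are fully buffered
	}
	d.fields = append(d.fields, [2]string{nameStr, d.decodeString(value)})
	return rest, nil
}

// Write feeds more header-block bytes, mirroring hpack.Decoder.Write.
func (d *decoder) Write(p []byte) error {
	d.buf = append(d.buf, p...)
	for len(d.buf) > 0 {
		rest, err := d.parseFieldLiteral(d.buf)
		if err == errNeedMore {
			return nil // keep d.buf; the next call reparses from the field start
		}
		if err != nil {
			return err
		}
		d.buf = rest
	}
	return nil
}

// encodeString emits a string literal: H bit, 7-bit-prefixed length, bytes.
func encodeString(huff bool, s []byte) []byte {
	var first byte
	if huff {
		first = 0x80
	}
	n := len(s)
	if n < 127 {
		return append([]byte{first | byte(n)}, s...)
	}
	out := []byte{first | 0x7f}
	for n -= 127; n >= 128; n /= 128 {
		out = append(out, byte(n%128)|0x80)
	}
	return append(append(out, byte(n)), s...)
}

// workToParse builds one field literal with Huffman-flagged name and value
// of the given lengths, delivers it one byte per Write (an attacker can
// spread a header block over many small frames), and returns the decode
// work charged plus the number of fields emitted.
func workToParse(deferDecode bool, nameLen, valueLen int) (work, nFields int, err error) {
	wire := append([]byte{0x40}, encodeString(true, bytes.Repeat([]byte{'a'}, nameLen))...)
	wire = append(wire, encodeString(true, bytes.Repeat([]byte{'b'}, valueLen))...)
	d := &decoder{deferDecode: deferDecode}
	for i := range wire {
		if err := d.Write(wire[i : i+1]); err != nil {
			return 0, 0, err
		}
	}
	return d.work, len(d.fields), nil
}

func main() {
	for _, patched := range []bool{false, true} {
		work, n, err := workToParse(patched, 4000, 4000)
		fmt.Printf("deferDecode=%v fields=%d err=%v decode work=%d\n", patched, n, err, work)
	}
}
```

With a 4000-byte name and a 4000-byte value (8007 bytes on the wire), the unpatched ordering charges 4000 units of name decoding on each of the 4003 calls that arrive while the value is still incomplete, about 16 million units in total, while the patched ordering charges 8000. The cost is bounded by the attacker's byte count squared, not by anything the server controls, which is why a small number of small requests suffices.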
gopherbot pushed a commit to golang/net that referenced this issue Feb 14, 2023
…ty in hpack decoding

When parsing a field literal containing two Huffman-encoded strings,
don't decode the first string until verifying all data is present.
Avoids forced quadratic complexity when repeatedly parsing a partial
field, repeating the Huffman decoding of the string on each iteration.

Thanks to Philippe Antoine (Catena cyber) for reporting this issue.

Fixes golang/go#57855
Fixes CVE-2022-41723
For golang/go#58356

Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
(cherry picked from commit 8e2b117)
Reviewed-on: https://go-review.googlesource.com/c/net/+/468336
@gopherbot

Change https://go.dev/cl/468302 mentions this issue: [release-branch.go1.20] all: update vendored golang.org/x/net

@gopherbot

Change https://go.dev/cl/468303 mentions this issue: [release-branch.go1.19] all: update vendored golang.org/x/net

gopherbot pushed a commit that referenced this issue Feb 14, 2023
Update golang.org/x/net to the tip of internal-branch.go1.19-vendor to
include CL 468335.

The contents of that CL were already merged into this branch in CL
468118, so this CL just brings go.mod back in line to matching the
actual vendored content.

For #58355
For #57855

Change-Id: Ie952744a5b2249f0c05afb7f86bebf872734b09a
Reviewed-on: https://go-review.googlesource.com/c/go/+/468303
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
gopherbot pushed a commit that referenced this issue Feb 14, 2023
Update golang.org/x/net to the tip of internal-branch.go1.20-vendor to
include CL 468336.

The contents of that CL were already merged into this branch in CL
468122, so this CL just brings go.mod back in line to matching the
actual vendored content.

For #58356
For #57855

Change-Id: I6ee9483077630c11c725927f38f6b69a784106db
Reviewed-on: https://go-review.googlesource.com/c/go/+/468302
Run-TryBot: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
curtbushko added a commit to hashicorp/consul-dataplane that referenced this issue Feb 17, 2023
- Update golang.org/x/net based on security scan
- This resolves vulnerability [CVE-2022-41723](golang/go#57855) in `x/net`
Rican7 added a commit to Rican7/define that referenced this issue Feb 18, 2023
johanbrandhorst pushed a commit to Pryz/go that referenced this issue Feb 22, 2023
Pull in HTTP/2 security fix:

    CL 468135: http2/hpack: avoid quadratic complexity in hpack decoding

For golang#57855

Change-Id: Id6b05dc52a1a585c41c6aff0c51665614fd5e215
romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Mar 3, 2023
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-41723
Fixes golang#58356
Updates golang#57855

Change-Id: I603886b5b76c16303dab1420d4ec8b7c7cdcf330
romaindoumenc pushed a commit to TroutSoftware/go that referenced this issue Mar 3, 2023
Update golang.org/x/net to the tip of internal-branch.go1.20-vendor to
include CL 468336.

The contents of that CL were already merged into this branch in CL
468122, so this CL just brings go.mod back in line to matching the
actual vendored content.

For golang#58356
For golang#57855

Change-Id: I6ee9483077630c11c725927f38f6b69a784106db
benjsmi commented Mar 3, 2023

So, looking at https://pkg.go.dev/vuln/GO-2023-1571, it looks like net/http is impacted even if (or even though) you update/upgrade any references to golang.org/x/net to v0.7.0... Right?

If we upgrade golang.org/x/net to v0.7.0 and leave Golang at, say, v1.18.x, are we still vulnerable to this?

neild (Contributor, Author) commented Mar 3, 2023

If you upgrade golang.org/x/net to v0.7.0 and use http2.ConfigureServers/http2.ConfigureTransport to override the bundled HTTP/2, then you are not vulnerable.

Unfortunately, we don't have a good way for govulncheck to detect the case where the standard library's bundled HTTP/2 support is present but unused.
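A concrete form of the rule in the reply above, as an added example (not the project's code, and not a substitute for govulncheck): a small Go checker that answers the two questions raised in this thread. It assumes, from the Go release announcement rather than from this page, that the bundled net/http copy is fixed in Go 1.19.6 and 1.20.1 and in every later release, and that the standalone package is fixed in golang.org/x/net v0.7.0 (the version mentioned above). The x/net functions that replace the bundled HTTP/2 are http2.ConfigureServer and http2.ConfigureTransport; whether your program calls them is an input to the check, because, as the reply says, nothing can infer that from the dependency graph. The go.mod text is constructed for the demo; replace directives and pseudo-versions are not resolved.

```go
package main

import (
	"bufio"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// Assumed fixed releases (from the Go release announcement, not this page):
// bundled net/http HTTP/2 fixed in Go 1.19.6 and 1.20.1 and all later
// releases; standalone package fixed in golang.org/x/net v0.7.0.
var firstFixedPatch = map[int]int{19: 6, 20: 1} // Go 1.x minor -> first fixed patch
const fixedXNet = "v0.7.0"

// parseVersion turns "go1.19.5", "1.19" or "v0.7.0" into numeric parts.
// Pre-release and pseudo-version suffixes are cut off, so a pseudo-version
// such as v0.0.0-20230131-... compares as its base and counts as unfixed.
func parseVersion(v string) (parts [3]int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	fields := strings.Split(v, ".")
	if len(fields) < 2 || len(fields) > 3 {
		return parts, false
	}
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil {
			return parts, false
		}
		parts[i] = n
	}
	return parts, true
}

// versionAtLeast reports have >= want, comparing numerically part by part.
func versionAtLeast(have, want string) bool {
	h, ok1 := parseVersion(have)
	w, ok2 := parseVersion(want)
	if !ok1 || !ok2 {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return true
}

// toolchainFixed reports whether a release string in the form returned by
// runtime.Version() ("go1.19.6") carries the bundled net/http fix. Go 1.18
// and older never received it; "devel" builds are treated as unfixed.
func toolchainFixed(release string) bool {
	p, ok := parseVersion(release)
	if !ok || p[0] != 1 {
		return false
	}
	if first, backported := firstFixedPatch[p[1]]; backported {
		return p[2] >= first
	}
	return p[1] > 20
}

// xnetVersion extracts the golang.org/x/net requirement from go.mod text,
// in either the one-line or the block "require" form. Replace directives
// are not followed.
func xnetVersion(goMod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == "golang.org/x/net" {
			return f[1], true
		}
	}
	return "", false
}

// stillVulnerable applies the rule from the thread: when the program routes
// HTTP/2 through golang.org/x/net (http2.ConfigureServer or
// http2.ConfigureTransport), the x/net version decides; otherwise the
// bundled copy in net/http is in use and only the toolchain version matters.
// usesXNetHTTP2 is a fact about your source that nothing here can detect.
func stillVulnerable(release, goMod string, usesXNetHTTP2 bool) bool {
	if usesXNetHTTP2 {
		v, ok := xnetVersion(goMod)
		return !ok || !versionAtLeast(v, fixedXNet)
	}
	return !toolchainFixed(release)
}

func main() {
	// Constructed go.mod for the demo: old toolchain, already upgraded x/net.
	const goMod = "module example.com/app\n\ngo 1.18\n\nrequire (\n\tgolang.org/x/net v0.7.0\n\tgolang.org/x/text v0.7.0\n)\n"
	fmt.Printf("this toolchain %s fixed: %v\n", runtime.Version(), toolchainFixed(runtime.Version()))
	for _, uses := range []bool{false, true} {
		fmt.Printf("go1.18.10 + x/net v0.7.0, ConfigureServer used=%v: vulnerable=%v\n",
			uses, stillVulnerable("go1.18.10", goMod, uses))
	}
}
```

The two branches of stillVulnerable are the point: an old toolchain with x/net v0.7.0 is fixed only if ConfigureServer or ConfigureTransport is actually called, and a fixed toolchain with an old x/net routed through those functions is still exposed, because the x/net copy of hpack is the one doing the decoding in that case.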

rajathagasthya added a commit to rajathagasthya/tanzu-framework that referenced this issue Mar 10, 2023
Updated dependency to v0.8.0 for all modules in the repo.

CVE issue: golang/go#57855
rajathagasthya added a commit to rajathagasthya/tanzu-framework that referenced this issue Mar 10, 2023
Updated dependency to v0.8.0 across all modules in the repo.

CVE issue: golang/go#57855
rajathagasthya added a commit to rajathagasthya/tanzu-framework that referenced this issue Mar 10, 2023
Updated dependency to v0.8.0 across all modules in the repo.

CVE issue: golang/go#57855
rajathagasthya added a commit to vmware-tanzu/tanzu-framework that referenced this issue Mar 17, 2023
Updated dependency to v0.8.0 across all modules in the repo.

CVE issue: golang/go#57855
m1zzx2 pushed a commit to vmware-tanzu/tanzu-framework that referenced this issue Mar 27, 2023
Updated dependency to v0.8.0 across all modules in the repo.

CVE issue: golang/go#57855
@bisonliao
I use go 1.15, what should I do? Upgrade my go to 1.21? It will be a horrible mission. Can I just upgrade the net package? Thank you.
