[Spike] Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) #1315

Closed
Tracked by #1303
rm3l opened this issue Oct 27, 2023 · 2 comments
rm3l commented Oct 27, 2023

/kind task

As part of #1303, we'll need to bump a few of our dependencies across several repos.
But even doing so might not be sufficient to mitigate the HTTP/2 Rapid Reset vuln (CVE-2023-44487).
The scope of this issue is to check whether we also need to explicitly disable HTTP/2 as an additional safety measure.

If the answer is yes, we'll need to create follow-up issues.

@rm3l rm3l changed the title Check if we need to explicitly disable HTTP/2 [Migitatation of CVE-2023-44487] Check if we need to explicitly disable HTTP/2 Oct 27, 2023
@rm3l rm3l added the kind/task label Oct 27, 2023
@rm3l rm3l changed the title [Migitatation of CVE-2023-44487] Check if we need to explicitly disable HTTP/2 Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 Oct 27, 2023
@rm3l rm3l changed the title Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset vuln) Oct 27, 2023
@rm3l rm3l changed the title Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset vuln) Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) Oct 27, 2023
@rm3l rm3l moved this to Backlog in Devfile Project Oct 27, 2023
@rm3l rm3l changed the title Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) [Spike] Check if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) Oct 27, 2023
@michael-valdron michael-valdron moved this from Backlog to To Do 📝 in Devfile Project Oct 31, 2023
@rm3l rm3l moved this from To Do 📝 to In Progress 🚧 in Devfile Project Nov 2, 2023

rm3l commented Nov 9, 2023

The results of this investigation work have been shared in a doc titled [Analysis] Investigate if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) (under the Security folder in the Devfile Services team shared drive).

TL;DR
It is strongly recommended, as a mitigation measure, to disable HTTP/2 endpoints if not needed: https://access.redhat.com/security/cve/CVE-2023-44487
So I think it makes sense, as an additional safety measure, to do so where possible.

And from my research, there seems to be currently only one repo where we need to do so:

  • devfile/registry-support: in index/server/pkg/server/index.go, where an HTTP Server is started.

I'm marking this issue as done and will create a follow-up issue to make the necessary changes in devfile/registry-support.

The steps for disabling the HTTP/2 protocol in net/http are documented in https://pkg.go.dev/net/http#hdr-HTTP_2

/close

EDIT: #1342 created
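As an added example (not code from this issue or from devfile/registry-support), the net/http step the comment points to, in Go: setting `TLSNextProto` to an empty non-nil map on the `http.Server`, next to a loopback check that a client offering h2 really falls back to HTTP/1.1 once the map is set. The function names and the self-signed test certificate are constructed here for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"time"
)

// newServer returns an http.Server for h. With disableH2 set, TLSNextProto is an empty non-nil map,
// so net/http skips its HTTP/2 setup and ServeTLS never offers "h2" via ALPN (pkg.go.dev/net/http#hdr-HTTP_2).
func newServer(h http.Handler, disableH2 bool) *http.Server {
	srv := &http.Server{Handler: h, ReadHeaderTimeout: 10 * time.Second}
	if disableH2 {
		srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
	}
	return srv
}

func must[T any](v T, err error) T { // fixture helper: the loopback setup below panics on error
	if err != nil {
		panic(err)
	}
	return v
}

// negotiatedProto serves TLS on a loopback port with a throwaway self-signed certificate (constructed
// fixture) and reports the protocol a client offering h2 ends up with: "HTTP/2.0" or "HTTP/1.1".
func negotiatedProto(disableH2 bool) string {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool() // the client trusts only this freshly minted certificate
	pool.AddCert(must(x509.ParseCertificate(der)))
	srv := newServer(http.NotFoundHandler(), disableH2)
	srv.TLSConfig = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	go srv.ServeTLS(ln, "", "") // empty file names: ServeTLS uses the certificate already in TLSConfig
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}, ForceAttemptHTTP2: true}}
	resp := must(client.Get("https://" + ln.Addr().String()))
	resp.Body.Close()
	return resp.Proto
}
```

With a nil map the same server negotiates HTTP/2.0, so `negotiatedProto` is a quick regression check that the mitigation is actually in effect on a running listener rather than only present in the config.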

@openshift-ci openshift-ci bot closed this as completed Nov 9, 2023

openshift-ci bot commented Nov 9, 2023

@rm3l: Closing this issue.

