fix: force HTTP/1.1 connections
This change mitigates CVE-2023-44487 by disabling HTTP2 and forcing HTTP/1.1
until the Go standard library and golang.org/x/net are fully fixed. Right now,
it is possible for authenticated and unauthenticated users to hold open HTTP2
connections and consume huge amounts of memory.

Before this change:

```
curl -kv https://localhost:8443/metrics
*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
[...]
* ALPN: server accepted h2
[...]
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /metrics]
* h2h3 [:scheme: https]
* h2h3 [:authority: localhost:8443]
* h2h3 [user-agent: curl/8.0.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5594d4614b10)
[...]
> GET /metrics HTTP/2
[...]
```

After this change:

```
curl -kv https://localhost:8443/metrics
*   Trying 127.0.0.1:8443...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN: offers h2,http/1.1
[...]
* ALPN: server accepted http/1.1
[...]
* using HTTP/1.1
> GET /metrics HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/8.0.1
> Accept: */*
[...]
< HTTP/1.1 200 OK
[...]
```

See also:
* kubernetes/kubernetes#121120
* kubernetes/kubernetes#121197
* golang/go#63417 (comment)

Signed-off-by: Simon Pasquier <[email protected]>
simonpasquier committed Oct 19, 2023
1 parent 6aefeaf commit 26a0b16
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions pkg/server/server.go
Expand Up @@ -54,6 +54,15 @@ func NewTLSConfig(logger log.Logger, certFile, keyFile, clientCAFile, minVersion
}

tlsCfg.MinVersion = version
// Mitigate CVE-2023-44487 by disabling HTTP2 and forcing HTTP/1.1 until
// the Go standard library and golang.org/x/net are fully fixed.
// Right now, it is possible for authenticated and unauthenticated users to
// hold open HTTP2 connections and consume huge amounts of memory.
// See:
// * https://github.com/kubernetes/kubernetes/pull/121120
// * https://github.com/kubernetes/kubernetes/issues/121197
// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
tlsCfg.NextProtos = []string{"http/1.1"}

cipherSuiteIDs, err := flag.TLSCipherSuites(cipherSuites)
if err != nil {
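Review bot: The hunk only changes what NewTLSConfig advertises through ALPN (`tlsCfg.NextProtos = []string{"http/1.1"}`), and nothing visible here shows how that config reaches the http.Server; if it is passed as `Server.TLSConfig` and served with `ServeTLS`, net/http's own HTTP/2 setup appends "h2" back to the config's NextProtos unless `Server.TLSNextProto` is already non-nil, so the config must be wrapped directly with `tls.NewListener` and served with `Serve`, or, more robustly, the server should also set `TLSNextProto` to a non-nil empty map, which is the documented net/http way to disable server-side HTTP/2. A small regression test that dials the server offering h2 and asserts the negotiated protocol is http/1.1 would automate the curl check shown in the commit message. Since the comment frames this as temporary, a TODO naming the Go and golang.org/x/net versions at which it can be reverted would help.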
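The ALPN check the commit message performs by hand with curl, as an added Go example that is not part of this commit or of the project's code. It stands up a local httptest TLS server (its self-signed localhost certificate is a constructed stand-in for the real listener) with a given NextProtos list and reports which protocol a client offering h2 and http/1.1 ends up negotiating; the server-side list `[]string{"http/1.1"}` is the one the hunk sets.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newTLSServer starts a local TLS server (httptest's self-signed localhost
// certificate, a constructed stand-in for the real server) whose tls.Config
// advertises exactly the given ALPN protocol list.
func newTLSServer(nextProtos []string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }))
	srv.EnableHTTP2 = true // h2 support stays available; only NextProtos decides what is offered
	srv.TLS = &tls.Config{NextProtos: nextProtos}
	srv.StartTLS()
	return srv
}

// NegotiatedProtocol dials the server with a client that, like curl in the
// commit message, offers h2 and http/1.1, and returns the protocol the server
// selected in the ALPN exchange ("h2" or "http/1.1").
func NegotiatedProtocol(serverNextProtos []string) (string, error) {
	srv := newTLSServer(serverNextProtos)
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's own certificate
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		RootCAs:    roots,
		NextProtos: []string{"h2", "http/1.1"},
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	before, err1 := NegotiatedProtocol([]string{"h2", "http/1.1"}) // pre-change style config
	after, err2 := NegotiatedProtocol([]string{"http/1.1"})       // the commit's tlsCfg.NextProtos
	fmt.Println("before:", before, err1, "after:", after, err2)
}
```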
