From 26a0b1655aef6646018fc429b5ba2da5fcfd5fe7 Mon Sep 17 00:00:00 2001
From: Simon Pasquier
Date: Thu, 19 Oct 2023 14:47:34 +0200
Subject: [PATCH] fix: force HTTP/1.1 connections
This change mitigates CVE-2023-44487 by disabling HTTP2 and forcing HTTP/1.1 until the Go standard library and golang.org/x/net are fully fixed. Right now, it is possible for authenticated and unauthenticated users to hold open HTTP2 connections and consume huge amounts of memory.
Before this change:
```
curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted h2 [...] * using HTTP/2 * h2h3 [:method: GET] * h2h3 [:path: /metrics] * h2h3 [:scheme: https] * h2h3 [:authority: localhost:8443] * h2h3 [user-agent: curl/8.0.1] * h2h3 [accept: */*] * Using Stream ID: 1 (easy handle 0x5594d4614b10) [...] > GET /metrics HTTP/2 [...]
```
After this change:
```
curl -kv https://localhost:8443/metrics * Trying 127.0.0.1:8443... * Connected to localhost (127.0.0.1) port 8443 (#0) * ALPN: offers h2,http/1.1 [...] * ALPN: server accepted http/1.1 [...] * using HTTP/1.1 > GET /metrics HTTP/1.1 > Host: localhost:8443 > User-Agent: curl/8.0.1 > Accept: */* [...] < HTTP/1.1 200 OK [...]
```
See also:
* https://github.com/kubernetes/kubernetes/pull/121120
* https://github.com/kubernetes/kubernetes/issues/121197
* https://github.com/golang/go/issues/63417#issuecomment-1758858612
Signed-off-by: Simon Pasquier
---
pkg/server/server.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 548e4b048e8..f61f1199f24 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -54,6 +54,15 @@ func NewTLSConfig(logger log.Logger, certFile, keyFile, clientCAFile, minVersion
 	}
 	tlsCfg.MinVersion = version
+	// Mitigate CVE-2023-44487 by disabling HTTP2 and forcing HTTP/1.1 until
+	// the Go standard library and golang.org/x/net are fully fixed.
+	// Right now, it is possible for authenticated and unauthenticated users to
+	// hold open HTTP2 connections and consume huge amounts of memory.
+	// See:
+	// * https://github.com/kubernetes/kubernetes/pull/121120
+	// * https://github.com/kubernetes/kubernetes/issues/121197
+	// * https://github.com/golang/go/issues/63417#issuecomment-1758858612
+	tlsCfg.NextProtos = []string{"http/1.1"}
 	cipherSuiteIDs, err := flag.TLSCipherSuites(cipherSuites)
 	if err != nil {
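Review bot: The added `tlsCfg.NextProtos = []string{"http/1.1"}` is only a complete mitigation if this config reaches the TLS listener untouched; `http.Server.ServeTLS`/`ListenAndServeTLS` append `"h2"` to `TLSConfig.NextProtos` whenever `http.Server.TLSNextProto` is nil, and because Go negotiates ALPN in server-preference order the curl run in the commit message (which offers both h2 and http/1.1) would still report http/1.1 while a client offering only h2 would get HTTP/2. How this config is wired into the server is outside the hunk, so this is a caveat rather than a confirmed defect; the belt-and-braces form is to also set `TLSNextProto: map[string]func(*http.Server, *tls.Conn, http.Handler){}` on the `http.Server` (a non-nil map is the documented way to turn HTTP/2 off) and to verify with a client that offers only h2, e.g. `openssl s_client -alpn h2 -connect localhost:8443`. The comment should also name the Go / golang.org/x/net release at which the pin can be dropped, e.g. `// TODO: remove once the module builds with the fixed Go/x/net releases`, otherwise `NextProtos` stays pinned to HTTP/1.1 long after the upstream fix. NewTLSConfig begins before and continues past this hunk.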