Bug 1213229 (CVE-2023-29406)

Summary: VUL-0: CVE-2023-29406: go1.19,go1.20: net/http: insufficient sanitization of Host header
Product: [Novell Products] SUSE Security Incidents
Reporter: Jeff Kowalczyk <jkowalczyk>
Component: Incidents
Assignee: Containers Team <containers-bugowner>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: asarai, containers-bugowner, danish.prakash, fvogt, meissner, rfrohl, thomas.leroy
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/372083/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-29406:4.8:(AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jeff Kowalczyk 2023-07-11 21:05:47 UTC
The HTTP/1 client did not fully validate the contents of the Host header. A maliciously crafted Host header could inject additional headers or entire requests. The HTTP/1 client now refuses to send requests containing an invalid Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for CVE-2023-29406 and Go issue https://go.dev/issue/60374
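Added example (editor's code, not from the Go project or this bug report) showing what the advisory above describes: a client that copies Request.Host onto the wire unchanged lets a CRLF-bearing Host value add a header and an entire second request, and the parser on the receiving side sees two requests where the caller sent one. The hardened variant refuses to write the request instead. The hostile Host value is constructed for the demonstration, the two writer functions model the client rather than calling net/http's Transport, and `validHost` is an approximation of the fixed client's check built from the RFC 3986 host grammar, not Go's own table.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// hostileHost is a constructed attacker-controlled Host value. The embedded CRLF
// sequences end the Host line early, add a header the caller never set, close the
// header block, and start a second request.
const hostileHost = "example.com\r\nX-Injected: 1\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.com"

// writeUnvalidated models the pre-fix HTTP/1 client: Request.Host is copied onto
// the wire as-is, so whatever it contains becomes part of the request framing.
func writeUnvalidated(method, path, host string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s HTTP/1.1\r\n", method, path)
	fmt.Fprintf(&b, "Host: %s\r\n", host)
	b.WriteString("User-Agent: demo\r\n\r\n")
	return b.String()
}

// validHost is an approximation of the check the fixed client runs before
// writing: every byte must be legal in host[:port] (RFC 3986 unreserved and
// sub-delims, '%' for pct-encoding, ':' and the IPv6 brackets). CR, LF, space
// and other control bytes fail, which is what blocks the injection.
// Assumption: this byte set is a reading of RFC 3986, not Go's own table.
func validHost(h string) bool {
	for i := 0; i < len(h); i++ {
		c := h[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case strings.IndexByte("-._~!$&'()*+,;=%:[]", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// writeValidated is the hardened variant: refuse to send rather than emit a
// Host value that would alter the request framing.
func writeValidated(method, path, host string) (string, error) {
	if !validHost(host) {
		return "", errors.New("http: invalid Host header")
	}
	return writeUnvalidated(method, path, host), nil
}

// countRequests parses the bytes the way a server would and reports how many
// requests it finds; anything beyond the first is the smuggled request.
func countRequests(wire string) int {
	r := bufio.NewReader(strings.NewReader(wire))
	n := 0
	for {
		req, err := http.ReadRequest(r)
		if err != nil {
			return n
		}
		io.Copy(io.Discard, req.Body)
		req.Body.Close()
		n++
	}
}

func main() {
	wire := writeUnvalidated("GET", "/", hostileHost)
	fmt.Printf("unvalidated client sent %d request(s):\n%s", countRequests(wire), wire)
	if _, err := writeValidated("GET", "/", hostileHost); err != nil {
		fmt.Println("validated client:", err)
	}
}
```

The point of the check is that it runs on the raw Host value before anything is written: rewriting or truncating the value instead of rejecting it would still let the client send a request the caller did not intend.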
Comment 1 OBSbugzilla Bot 2023-07-12 00:35:06 UTC
This is an autogenerated message for OBS integration:
This bug (1213229) was mentioned in
https://build.opensuse.org/request/show/1098260 Factory / go1.19
https://build.opensuse.org/request/show/1098261 Factory / go1.20
Comment 3 Thomas Leroy 2023-07-12 09:30:21 UTC
Thanks for the report Jeff.

Some IBS packages use net/http. As far as I can see, it was once shipped with the Go package, but it seems to be shipped with the golang.org/x/net/http module now.

Here is the list of IBS packages supposed to vendor x/net/http:
SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/grafana,7,golang.org/x/net/http/httpguts,v0.0.0-20190923162816-aa69164e4478
SUSE:SLE-12-SP3:Update/prometheus-ha_cluster_exporter,9,golang.org/x/net/http/httpguts,v0.0.0-20220412020605-290c469a71a5
SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/grafana,9,golang.org/x/net/http/httpguts,v0.0.0-20190923162816-aa69164e4478
SUSE:SLE-12:Update/golang-github-prometheus-prometheus,1,golang.org/x/net/http/httpguts,v0.0.0-20211123203042-d83791d6bcd9
SUSE:SLE-12:Update/grafana,1,golang.org/x/net/http/httpguts,v0.0.0-20220624214902-1bab6f366d9e
SUSE:SLE-12:Update/prometheus-blackbox_exporter,5,golang.org/x/net/http/httpguts,v0.0.0-20210505214959-0714010a04ed
SUSE:SLE-15-SP1:Update/golang-github-prometheus-prometheus,1,golang.org/x/net/http/httpguts,v0.0.0-20211123203042-d83791d6bcd9
SUSE:SLE-15-SP1:Update:Products:CASP40:Update/etcd,5,golang.org/x/net/http/httpguts,v0.0.0-20190813141303-74dc4d7220e7
SUSE:SLE-15-SP2:Update/grafana,1,golang.org/x/net/http/httpguts,v0.0.0-20220624214902-1bab6f366d9e
SUSE:SLE-15-SP2:Update/prometheus-ha_cluster_exporter,8,golang.org/x/net/http/httpguts,v0.0.0-20220412020605-290c469a71a5
SUSE:SLE-15-SP3:Update/kubernetes1.24,1,go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,v0.20.0
SUSE:SLE-15-SP4:Update/cosign,3,golang.org/x/net/http/httpguts,v0.0.0-20220826154423-83b083e8dc8b
SUSE:SLE-15-SP4:Update/kubernetes1.24,1,go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,v0.20.0
SUSE:SLE-15-SP4:Update:Products:ElementalTeal5.3:Update/k9s,2,golang.org/x/net/http/httpguts,v0.5.0
SUSE:SLE-15-SP5:Update/kubernetes1.24,1,go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp,v0.20.0
SUSE:SLE-15:Update/golang-github-prometheus-prometheus,1,golang.org/x/net/http/httpguts,v0.0.0-20211123203042-d83791d6bcd9
SUSE:SLE-15:Update/grafana,1,golang.org/x/net/http/httpguts,v0.0.0-20220624214902-1bab6f366d9e
SUSE:SLE-15:Update/helm,6,golang.org/x/net/http/httpguts,v0.5.0
SUSE:SLE-15:Update/prometheus-blackbox_exporter,5,golang.org/x/net/http/httpguts,v0.0.0-20210505214959-0714010a04ed
SUSE:SLE-15:Update/prometheus-ha_cluster_exporter,9,golang.org/x/net/http/httpguts,v0.0.0-20220412020605-290c469a71a5

However, it seems that some of those don't embed the vulnerable files of the module. So I will manually check which ones are vendoring the vulnerable code and which ones aren't (and thus should be fixed by just being rebuilt with a fixed Go).
Comment 4 Thomas Leroy 2023-07-12 11:48:54 UTC
(In reply to Thomas Leroy from comment #3)
> Thanks for the report Jeff.
> 
> Some IBS packages use net/http. As far as I can see, it was once shipped with
> the Go package, but it seems to be shipped with the golang.org/x/net/http
> module now.
> 
> Here is the list of IBS packages supposed to vendor x/net/http:
> SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/grafana,7,golang.org/x/net/
> http/httpguts,v0.0.0-20190923162816-aa69164e4478
> SUSE:SLE-12-SP3:Update/prometheus-ha_cluster_exporter,9,golang.org/x/net/
> http/httpguts,v0.0.0-20220412020605-290c469a71a5
> SUSE:SLE-12-SP4:Update:Products:Cloud9:Update/grafana,9,golang.org/x/net/
> http/httpguts,v0.0.0-20190923162816-aa69164e4478
> SUSE:SLE-12:Update/golang-github-prometheus-prometheus,1,golang.org/x/net/
> http/httpguts,v0.0.0-20211123203042-d83791d6bcd9
> SUSE:SLE-12:Update/grafana,1,golang.org/x/net/http/httpguts,v0.0.0-
> 20220624214902-1bab6f366d9e
> SUSE:SLE-12:Update/prometheus-blackbox_exporter,5,golang.org/x/net/http/
> httpguts,v0.0.0-20210505214959-0714010a04ed
> SUSE:SLE-15-SP1:Update/golang-github-prometheus-prometheus,1,golang.org/x/
> net/http/httpguts,v0.0.0-20211123203042-d83791d6bcd9
> SUSE:SLE-15-SP1:Update:Products:CASP40:Update/etcd,5,golang.org/x/net/http/
> httpguts,v0.0.0-20190813141303-74dc4d7220e7
> SUSE:SLE-15-SP2:Update/grafana,1,golang.org/x/net/http/httpguts,v0.0.0-
> 20220624214902-1bab6f366d9e
> SUSE:SLE-15-SP2:Update/prometheus-ha_cluster_exporter,8,golang.org/x/net/
> http/httpguts,v0.0.0-20220412020605-290c469a71a5
> SUSE:SLE-15-SP3:Update/kubernetes1.24,1,go.opentelemetry.io/contrib/
> instrumentation/net/http/otelhttp,v0.20.0
> SUSE:SLE-15-SP4:Update/cosign,3,golang.org/x/net/http/httpguts,v0.0.0-
> 20220826154423-83b083e8dc8b
> SUSE:SLE-15-SP4:Update/kubernetes1.24,1,go.opentelemetry.io/contrib/
> instrumentation/net/http/otelhttp,v0.20.0
> SUSE:SLE-15-SP4:Update:Products:ElementalTeal5.3:Update/k9s,2,golang.org/x/
> net/http/httpguts,v0.5.0
> SUSE:SLE-15-SP5:Update/kubernetes1.24,1,go.opentelemetry.io/contrib/
> instrumentation/net/http/otelhttp,v0.20.0
> SUSE:SLE-15:Update/golang-github-prometheus-prometheus,1,golang.org/x/net/
> http/httpguts,v0.0.0-20211123203042-d83791d6bcd9
> SUSE:SLE-15:Update/grafana,1,golang.org/x/net/http/httpguts,v0.0.0-
> 20220624214902-1bab6f366d9e
> SUSE:SLE-15:Update/helm,6,golang.org/x/net/http/httpguts,v0.5.0
> SUSE:SLE-15:Update/prometheus-blackbox_exporter,5,golang.org/x/net/http/
> httpguts,v0.0.0-20210505214959-0714010a04ed
> SUSE:SLE-15:Update/prometheus-ha_cluster_exporter,9,golang.org/x/net/http/
> httpguts,v0.0.0-20220412020605-290c469a71a5
> 
> However, it seems that some of those don't embed the vulnerable files of the
> module. So I will manually check which ones are vendoring the vulnerable code
> and which ones aren't (and thus should be fixed by just being rebuilt with a
> fixed Go).

My bad. This is affecting the net/http native library shipped with the Go package, and *not* the golang.org/x/net module embedded in the packages mentioned above. So rebuilding packages with a fixed Go version will fix the packages using net/http.
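Since the vulnerable code lives in the standard library rather than in a vendored module, the question for each shipped binary is which toolchain built it, not which go.mod entries it carries. Added example (editor's code, not a SUSE or Go tool) that reads the toolchain version recorded in a Go binary with the standard `debug/buildinfo` package and compares it against the first fixed patch releases named in the updates on this bug (go1.19.11 and go1.20.6). Assumptions: release lines newer than 1.20 shipped after the fix, and lines older than 1.19 were out of upstream support and are treated as unfixed; the binary paths passed on the command line are whatever the reader wants to audit.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// fixedMinor maps a Go release line to the first patch release carrying the
// CVE-2023-29406 fix, taken from the go1.19 and go1.20 updates on this bug.
var fixedMinor = map[int]int{19: 11, 20: 6}

// goVersionRE matches the "goX.Y[.Z]" prefix of a toolchain version string.
var goVersionRE = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?`)

// parseGoVersion extracts major, minor and patch from strings such as "go1.20.6".
// Release candidates ("go1.21rc2") parse as patch 0 of their line; anything
// else (for example a "devel" toolchain) is reported as unrecognised.
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	m := goVersionRE.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, false
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	return major, minor, patch, true
}

// needsRebuild reports whether a binary built with toolchain version v still
// carries the unvalidated-Host HTTP/1 client. Assumption: lines newer than 1.20
// shipped after the fix; lines older than 1.19 never received it.
func needsRebuild(v string) (bool, error) {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok {
		return false, fmt.Errorf("unrecognised Go version %q", v)
	}
	if major != 1 {
		return false, nil
	}
	if fixed, known := fixedMinor[minor]; known {
		return patch < fixed, nil
	}
	return minor < 19, nil
}

// main audits every binary path given on the command line and exits non-zero
// if any of them was built with an unfixed toolchain.
func main() {
	exit := 0
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s: %v\n", path, err)
			exit = 2
			continue
		}
		rebuild, err := needsRebuild(bi.GoVersion)
		switch {
		case err != nil:
			fmt.Printf("%s: %s: %v\n", path, bi.GoVersion, err)
			exit = 2
		case rebuild:
			fmt.Printf("%s: %s: REBUILD with a fixed Go\n", path, bi.GoVersion)
			exit = 1
		default:
			fmt.Printf("%s: %s: ok\n", path, bi.GoVersion)
		}
	}
	os.Exit(exit)
}
```

`go version -m <binary>` prints the same recorded toolchain version; the program above only adds the comparison so a package list can be checked in one pass. A binary that was rebuilt against the fixed go1.19 or go1.20 package will show the fixed version here even though its vendored golang.org/x/net/http/httpguts entry is unchanged.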
Comment 5 Fabian Vogt 2023-07-17 06:51:10 UTC
Apparently the fix breaks docker, image downloads fail with "http: invalid Host header": https://openqa.opensuse.org/tests/3434477#step/image_docker/94
Comment 6 Fabian Vogt 2023-07-17 06:53:40 UTC
(In reply to Fabian Vogt from comment #5)
> Apparently the fix breaks docker, image downloads fail with "http: invalid
> Host header": https://openqa.opensuse.org/tests/3434477#step/image_docker/94

Docker needs https://github.com/moby/moby/pull/45942
Comment 7 Maintenance Automation 2023-07-17 09:37:04 UTC
SUSE-SU-2023:2846-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1206346, 1213229
CVE References: CVE-2023-29406
Sources used:
Development Tools Module 15-SP4 (src): go1.20-1.20.6-150000.1.17.1
Development Tools Module 15-SP5 (src): go1.20-1.20.6-150000.1.17.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.20-1.20.6-150000.1.17.1
openSUSE Leap 15.4 (src): go1.20-1.20.6-150000.1.17.1
openSUSE Leap 15.5 (src): go1.20-1.20.6-150000.1.17.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-07-17 09:37:06 UTC
SUSE-SU-2023:2845-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1200441, 1213229
CVE References: CVE-2023-29406
Sources used:
openSUSE Leap 15.4 (src): go1.19-1.19.11-150000.1.37.1
openSUSE Leap 15.5 (src): go1.19-1.19.11-150000.1.37.1
Development Tools Module 15-SP4 (src): go1.19-1.19.11-150000.1.37.1
Development Tools Module 15-SP5 (src): go1.19-1.19.11-150000.1.37.1
SUSE Linux Enterprise Real Time 15 SP3 (src): go1.19-1.19.11-150000.1.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Fabian Vogt 2023-07-17 12:16:59 UTC
(In reply to Fabian Vogt from comment #6)
> (In reply to Fabian Vogt from comment #5)
> > Apparently the fix breaks docker, image downloads fail with "http: invalid
> > Host header": https://openqa.opensuse.org/tests/3434477#step/image_docker/94
> 
> Docker needs https://github.com/moby/moby/pull/45942

Adding containers-bugowner to CC. Please apply ^ where necessary.
Comment 12 Fabian Vogt 2023-07-21 06:44:17 UTC
(In reply to Fabian Vogt from comment #9)
> (In reply to Fabian Vogt from comment #6)
> > (In reply to Fabian Vogt from comment #5)
> > > Apparently the fix breaks docker, image downloads fail with "http: invalid
> > > Host header": https://openqa.opensuse.org/tests/3434477#step/image_docker/94
> > 
> > Docker needs https://github.com/moby/moby/pull/45942
> 
> Adding containers-bugowner to CC. Please apply ^ where necessary.

Ping.
Comment 13 Marcus Meissner 2023-07-25 12:23:02 UTC
The current set of docker updates was declined as it did not contain the fixes.
Comment 14 Fabian Vogt 2023-07-25 12:32:28 UTC
(In reply to Marcus Meissner from comment #13)
> the current sets of docker updates was declined as it did not contain the
> fixes.

FYI, I also pinged Danish about this.
Comment 15 OBSbugzilla Bot 2023-07-25 20:15:02 UTC
This is an autogenerated message for OBS integration:
This bug (1213229) was mentioned in
https://build.opensuse.org/request/show/1100698 Factory / docker
Comment 16 Maintenance Automation 2023-07-27 12:48:11 UTC
SUSE-SU-2023:3002-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (moderate)
Bug References: 1206346, 1213229
CVE References: CVE-2023-29406
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.6.1-150000.1.8.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.6.1-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.6.1-150000.1.8.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.6.1-150000.1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Robert Frohl 2023-08-21 09:34:10 UTC
re-assigning to docker maintainer list
Comment 19 Maintenance Automation 2023-09-05 16:30:18 UTC
SUSE-SU-2023:3536-1: An update that solves three vulnerabilities and has five security fixes can now be installed.

Category: security (moderate)
Bug References: 1210797, 1212368, 1213120, 1213229, 1213500, 1214107, 1214108, 1214109
CVE References: CVE-2023-28840, CVE-2023-28841, CVE-2023-28842
Sources used:
openSUSE Leap 15.4 (src): docker-24.0.5_ce-150000.185.1
openSUSE Leap 15.5 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro 5.3 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro 5.4 (src): docker-24.0.5_ce-150000.185.1
Containers Module 15-SP4 (src): docker-24.0.5_ce-150000.185.1
Containers Module 15-SP5 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): docker-24.0.5_ce-150000.185.1
SUSE Enterprise Storage 7.1 (src): docker-24.0.5_ce-150000.185.1
SUSE CaaS Platform 4.0 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro 5.1 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro 5.2 (src): docker-24.0.5_ce-150000.185.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): docker-24.0.5_ce-150000.185.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2023-09-27 20:30:13 UTC
SUSE-SU-2023:3841-1: An update that solves two vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1200441, 1213229, 1213880, 1215090
CVE References: CVE-2023-29406, CVE-2023-29409
Sources used:
openSUSE Leap 15.4 (src): go1.19-openssl-1.19.13.1-150000.1.8.1
openSUSE Leap 15.5 (src): go1.19-openssl-1.19.13.1-150000.1.8.1
Development Tools Module 15-SP4 (src): go1.19-openssl-1.19.13.1-150000.1.8.1
Development Tools Module 15-SP5 (src): go1.19-openssl-1.19.13.1-150000.1.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Maintenance Automation 2023-10-18 12:30:17 UTC
SUSE-RU-2023:4107-1: An update that has nine fixes can now be installed.

Category: recommended (moderate)
Bug References: 1208074, 1210141, 1210797, 1211578, 1212368, 1213120, 1213229, 1213500, 1215323
Sources used:
SUSE Manager Client Tools for SLE 12 (src): sysuser-tools-2.0-1.7.1
Containers Module 12 (src): runc-1.1.9-16.37.1, containerd-1.7.7-16.85.1, sysuser-tools-2.0-1.7.1, docker-24.0.6_ce-98.100.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): sysuser-tools-2.0-1.7.1
SUSE Linux Enterprise Server 12 SP5 (src): sysuser-tools-2.0-1.7.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): sysuser-tools-2.0-1.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Maintenance Automation 2023-12-20 20:30:13 UTC
SUSE-SU-2023:4936-1: An update that solves three vulnerabilities, contains one feature and has five security fixes can now be installed.

Category: security (important)
Bug References: 1170415, 1170446, 1178760, 1210141, 1213229, 1213500, 1215323, 1217513
CVE References: CVE-2020-12912, CVE-2020-8694, CVE-2020-8695
Jira References: PED-6180
Sources used:
openSUSE Leap Micro 5.3 (src): docker-24.0.7_ce-150000.190.4
openSUSE Leap Micro 5.4 (src): docker-24.0.7_ce-150000.190.4
openSUSE Leap 15.4 (src): rootlesskit-1.1.1-150000.1.3.3, docker-24.0.7_ce-150000.190.4
openSUSE Leap 15.5 (src): rootlesskit-1.1.1-150000.1.3.3, docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro for Rancher 5.3 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro 5.3 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro for Rancher 5.4 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro 5.4 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro 5.5 (src): docker-24.0.7_ce-150000.190.4
Containers Module 15-SP4 (src): rootlesskit-1.1.1-150000.1.3.3, docker-24.0.7_ce-150000.190.4
Containers Module 15-SP5 (src): rootlesskit-1.1.1-150000.1.3.3, docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): docker-24.0.7_ce-150000.190.4
SUSE Enterprise Storage 7.1 (src): docker-24.0.7_ce-150000.190.4
SUSE CaaS Platform 4.0 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro 5.1 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro 5.2 (src): docker-24.0.7_ce-150000.190.4
SUSE Linux Enterprise Micro for Rancher 5.2 (src): docker-24.0.7_ce-150000.190.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.