Bug 1193597 (CVE-2021-44716) - VUL-0: CVE-2021-44716: go1.16,go1.17, grafana: net/http: limit growth of header canonicalization cache
Summary: VUL-0: CVE-2021-44716: go1.16,go1.17, grafana: net/http: limit growth of head...
Status: RESOLVED FIXED
Alias: CVE-2021-44716
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security (show other bugs)
Version: Current
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: E-Mail List
QA Contact: E-mail List
URL: https://smash.suse.de/issue/317012/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-44716:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-09 22:15 UTC by Jeff Kowalczyk
Modified: 2023-11-02 13:15 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
rfrohl: needinfo? (cloud-bugs)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Kowalczyk 2021-12-09 22:15:17 UTC
An attacker can cause unbounded memory growth in a Go server accepting HTTP/2 requests.

For users who cannot immediately update to the new release, setting the GODEBUG=http2server=0 environment variable before calling Serve will disable HTTP/2 unless it was manually configured through the golang.org/x/net/http2 package.

This issue is also fixed in golang.org/x/net/http2 v0.0.0-20211209124913-491a49abca63, for users manually configuring HTTP/2.

Thank you to murakmii for reporting this issue.

This is CVE-2021-44716 and Go issue go#50058.


References:

https://github.com/golang/go/issues/50058
Comment 1 OBSbugzilla Bot 2021-12-10 00:10:18 UTC
This is an autogenerated message for OBS integration:
This bug (1193597) was mentioned in
https://build.opensuse.org/request/show/938752 Factory / go1.16
https://build.opensuse.org/request/show/938755 Factory / go1.17
Comment 3 Swamp Workflow Management 2021-12-23 14:37:42 UTC
openSUSE-SU-2021:4186-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1193597,1193598
CVE References: CVE-2021-44716,CVE-2021-44717
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.17-1.17.5-1.14.2
Comment 4 Swamp Workflow Management 2021-12-23 14:43:53 UTC
SUSE-SU-2021:4169-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1193597,1193598
CVE References: CVE-2021-44716,CVE-2021-44717
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    go1.16-1.16.12-1.37.2
SUSE Manager Retail Branch Server 4.1 (src):    go1.16-1.16.12-1.37.2
SUSE Manager Proxy 4.1 (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    go1.16-1.16.12-1.37.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    go1.16-1.16.12-1.37.2
SUSE Enterprise Storage 7 (src):    go1.16-1.16.12-1.37.2
SUSE CaaS Platform 4.5 (src):    go1.16-1.16.12-1.37.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-23 14:48:36 UTC
openSUSE-SU-2021:4169-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1193597,1193598
CVE References: CVE-2021-44716,CVE-2021-44717
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    go1.16-1.16.12-1.37.2
Comment 6 Swamp Workflow Management 2021-12-23 15:00:56 UTC
SUSE-SU-2021:4186-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1190649,1193597,1193598
CVE References: CVE-2021-44716,CVE-2021-44717
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    go1.17-1.17.5-1.14.2
SUSE Manager Retail Branch Server 4.1 (src):    go1.17-1.17.5-1.14.2
SUSE Manager Proxy 4.1 (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise Server 15-SP2-BCL (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    go1.17-1.17.5-1.14.2
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    go1.17-1.17.5-1.14.2
SUSE Enterprise Storage 7 (src):    go1.17-1.17.5-1.14.2
SUSE CaaS Platform 4.5 (src):    go1.17-1.17.5-1.14.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-12-26 17:18:27 UTC
openSUSE-SU-2021:1626-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1182345,1193597,1193598
CVE References: CVE-2021-44716,CVE-2021-44717
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    go1.16-1.16.12-lp152.20.1
Comment 10 Darragh O'Reilly 2022-02-15 15:46:40 UTC
Fix accepted into SOC 9 staging

https://build.suse.de/package/show/Devel:Cloud:9:Staging/grafana
Comment 13 Christian Almeida de Oliveira 2022-04-22 09:52:22 UTC
Hi Jeff, anything else to be done here? SOC part is done.
Cheers,
Christian
Comment 14 Jeff Kowalczyk 2022-04-22 15:17:41 UTC
(In reply to Christian Almeida de Oliveira from comment #13)
> Hi Jeff, anything else to be done here? SOC part is done.

go1.17 submissions containing the fix are in Factory and SLE codestreams. go1.18 inherits those fixes. I think the issue is ready to close.
Comment 16 Swamp Workflow Management 2022-05-18 19:16:53 UTC
SUSE-SU-2022:1729-1: An update that solves 17 vulnerabilities, contains two features and has one errata is now available.

Category: security (important)
Bug References: 1118088,1179534,1184177,1186380,1189390,1189794,1192070,1192073,1192075,1193597,1193688,1193752,1194521,1194551,1194552,1194952,1194954,1199138
CVE References: CVE-2018-19787,CVE-2020-27783,CVE-2021-28957,CVE-2021-38155,CVE-2021-40085,CVE-2021-41182,CVE-2021-41183,CVE-2021-41184,CVE-2021-43813,CVE-2021-43818,CVE-2021-44716,CVE-2022-22815,CVE-2022-22816,CVE-2022-22817,CVE-2022-23451,CVE-2022-23452,CVE-2022-29970
JIRA References: SOC-11620,SOC-11621
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, rubygem-sinatra-1.4.6-4.3.1
SUSE OpenStack Cloud 9 (src):    ardana-barbican-9.0+git.1644879908.8a641c1-3.13.1, grafana-6.7.4-3.26.1, openstack-barbican-7.0.1~dev24-3.14.1, openstack-cinder-13.0.10~dev24-3.34.2, openstack-heat-gbp-14.0.1~dev4-3.9.1, openstack-horizon-plugin-gbp-ui-14.0.1~dev3-3.9.1, openstack-ironic-11.1.5~dev18-3.28.2, openstack-keystone-14.2.1~dev9-3.28.2, openstack-neutron-13.0.8~dev206-3.40.1, openstack-neutron-gbp-14.0.1~dev33-3.31.1, python-Pillow-5.2.0-3.17.1, python-XStatic-jquery-ui-1.13.0.1-4.3.1, python-lxml-4.2.4-3.3.1, release-notes-suse-openstack-cloud-9.20220413-3.30.1, venv-openstack-barbican-7.0.1~dev24-3.35.2, venv-openstack-cinder-13.0.10~dev24-3.38.1, venv-openstack-designate-7.0.2~dev2-3.35.1, venv-openstack-glance-17.0.1~dev30-3.33.1, venv-openstack-heat-11.0.4~dev4-3.35.1, venv-openstack-horizon-14.1.1~dev11-4.39.1, venv-openstack-ironic-11.1.5~dev18-4.33.1, venv-openstack-keystone-14.2.1~dev9-3.36.1, venv-openstack-magnum-7.2.1~dev1-4.35.1, venv-openstack-manila-7.4.2~dev60-3.41.1, venv-openstack-monasca-2.7.1~dev10-3.37.1, venv-openstack-monasca-ceilometer-1.8.2~dev3-3.35.1, venv-openstack-neutron-13.0.8~dev206-6.39.1, venv-openstack-nova-18.3.1~dev91-3.39.1, venv-openstack-octavia-3.2.3~dev7-4.35.1, venv-openstack-sahara-9.0.2~dev15-3.35.1, venv-openstack-swift-2.19.2~dev48-2.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Robert Frohl 2022-08-03 09:36:50 UTC
Our tracking shows this as still missing for:

- SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/grafana
- SUSE:SLE-15-SP1:Update:Products:SES6:Update/grafana

ping @cloud-bugs and @ceph-bugs
Comment 22 Tatjana Dehler 2022-09-19 10:12:45 UTC
I opened https://build.suse.de/request/show/280230 to fix the CVE (and also
https://bugzilla.suse.com/show_bug.cgi?id=1201539) in SES 6.

Please note: https://build.suse.de/request/show/280223 and https://build.suse.de/request/show/280229 are belonging to the fix. They need to go in first. Otherwise the plugins will stop working in Grafana 8.x.

Also note: the changes file doesn't explicitly mention this CVE because:
1. It's not part of the changelog in OBS and I didn't want to break the consistency and cause conflicts.
2. It doesn't fix the issue directly. It only uses a Go version that contains the fix.
I hope that's okay.
Comment 23 Swamp Workflow Management 2022-09-22 19:21:14 UTC
SUSE-SU-2022:3338-1: An update that fixes 7 vulnerabilities, contains one feature is now available.

Category: security (moderate)
Bug References: 1157665,1191454,1193597,1197818,1198398,1201186
CVE References: CVE-2019-11287,CVE-2020-1734,CVE-2021-39226,CVE-2021-44716,CVE-2022-24790,CVE-2022-28346,CVE-2022-34265
JIRA References: SOC-11662
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, rubygem-puma-2.16.0-3.18.1
SUSE OpenStack Cloud 8 (src):    ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1
HPE Helion Openstack 8 (src):    ardana-ansible-8.0+git.1660773729.3789a6d-3.85.1, ardana-cobbler-8.0+git.1660773402.d845a45-3.47.1, grafana-6.7.4-4.23.1, openstack-heat-templates-0.0.0+git.1654529662.75fa04a-3.27.1, openstack-murano-4.0.2~dev3-3.12.1, openstack-murano-doc-4.0.2~dev3-3.12.1, python-Django-1.11.29-3.42.1, rabbitmq-server-3.6.16-3.13.1, venv-openstack-heat-9.0.8~dev22-12.45.1, venv-openstack-horizon-hpe-12.0.5~dev6-14.48.1, venv-openstack-murano-4.0.2~dev3-12.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Christian Almeida de Oliveira 2022-09-27 13:02:37 UTC
SOC 8 and SOC 9 fixes released.
Comment 26 OBSbugzilla Bot 2023-11-02 13:15:17 UTC
This is an autogenerated message for OBS integration:
This bug (1193597) was mentioned in
https://build.opensuse.org/request/show/1122671 Backports:SLE-12 / go1.17