
OCPBUGS-20380: [release-4.14] UPSTREAM: 121120: Prevent rapid reset http2 DOS on API server #1752

Closed
wants to merge 1 commit into from

Commits on Oct 11, 2023

  1. UPSTREAM: 121120: Prevent rapid reset http2 DOS on API server

    This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
    the API server when combined with
    golang/net@b225e7c
    
    The changes to util/runtime are required because otherwise a large
    number of requests can get blocked on the time.Sleep calls.
    
    For unauthenticated clients (either via 401 or the anonymous user),
    we simply no longer allow such clients to hold open http2
    connections.  They can use http2, but with the performance of http1
    (or possibly slightly worse).
    
    For all other clients, we detect if the request ended via a timeout
    before the context's deadline.  This likely means that the client
    reset the http2 stream early.  We close the connection in this case
    as well.  To mitigate issues related to clients creating more
    streams than the configured max, we rely on the golang.org/x/net fix
    noted above.  The Kube API server now uses a max stream of 100
    instead of 250 (this matches the Go http2 client default).  This
    lowers the abuse limit from 1000 to 400.
    
    Signed-off-by: Monis Khan <mok@microsoft.com>
    Signed-off-by: Andy Goldstein <andy.goldstein@redhat.com>
    enj authored and ncdc committed Oct 11, 2023
    36ce068
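The two server-side mitigations the commit message describes (refuse to let unauthenticated clients hold an HTTP/2 connection open, and close a connection whose request ended before its deadline) can be shown as a small Go filter chain. The block below is an added example written for this page; it is not code from the PR, from Kubernetes or from golang.org/x/net. Everything in it is assumed for illustration: the `connState` attached per connection via `http.Server.ConnContext`, the helpers `withConnState`/`attachConnState`/`stateOf`, the hypothetical `authenticate` that accepts a single constructed bearer token, the `withTimeout` and `withConnectionPolicy` filters, `endedBeforeDeadline`, and the placeholder certificate paths in `main`. The one library fact it relies on is that Go's HTTP/2 server turns a handler-set `Connection: close` response header into a GOAWAY and closes the connection once it is idle.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net"
	"net/http"
	"sync/atomic"
	"time"
)

// connState is shared by every request multiplexed on one TCP connection.
// Attaching it through http.Server.ConnContext is an assumed design for this
// example, not the API server's own mechanism.
type connState struct {
	closeRequested atomic.Bool
}

type connKeyType struct{}

// withConnState stores a connState in ctx; attachConnState is the
// http.Server.ConnContext hook that does this for each new connection.
func withConnState(ctx context.Context, s *connState) context.Context {
	return context.WithValue(ctx, connKeyType{}, s)
}

func attachConnState(ctx context.Context, _ net.Conn) context.Context {
	return withConnState(ctx, &connState{})
}

func stateOf(ctx context.Context) *connState {
	s, _ := ctx.Value(connKeyType{}).(*connState)
	return s
}

// authenticate is a hypothetical stand-in for a real authenticator: it accepts
// exactly one constructed bearer token and rejects everything else.
func authenticate(r *http.Request) (user string, ok bool) {
	if r.Header.Get("Authorization") == "Bearer good-token" {
		return "alice", true
	}
	return "", false
}

// endedBeforeDeadline reports whether a request's context finished before the
// deadline it was given. A genuine timeout ends at or after the deadline, so
// an earlier end most likely means the client reset the HTTP/2 stream.
func endedBeforeDeadline(ctx context.Context, now time.Time) bool {
	deadline, hasDeadline := ctx.Deadline()
	return hasDeadline && ctx.Err() != nil && now.Before(deadline)
}

// withTimeout gives each request a deadline and, once the inner handler
// returns, flags the connection for closing if the request ended early.
func withTimeout(timeout time.Duration, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), timeout)
		defer cancel()
		next.ServeHTTP(w, r.WithContext(ctx))
		if endedBeforeDeadline(ctx, time.Now()) {
			if s := stateOf(ctx); s != nil {
				s.closeRequested.Store(true)
			}
		}
	})
}

// withConnectionPolicy sets "Connection: close" for unauthenticated clients
// and for connections flagged by withTimeout. Go's HTTP/2 server answers a
// handler-set Connection: close with a GOAWAY and closes the connection once
// it is idle, so such a client cannot keep the connection open.
func withConnectionPolicy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := authenticate(r); !ok {
			w.Header().Set("Connection", "close")
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if s := stateOf(r.Context()); s != nil && s.closeRequested.Load() {
			w.Header().Set("Connection", "close")
		}
		next.ServeHTTP(w, r)
	})
}

func hello(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "ok")
}

// handler is the filter chain used by main (and by any caller wanting to
// exercise the policy without a live server).
func handler() http.Handler {
	return withConnectionPolicy(withTimeout(30*time.Second, http.HandlerFunc(hello)))
}

func main() {
	srv := &http.Server{
		Addr:        ":8443",
		Handler:     handler(),
		ConnContext: attachConnState,
	}
	// HTTP/2 is only negotiated over TLS; server.crt and server.key are
	// assumed placeholder paths for this example.
	log.Fatal(srv.ListenAndServeTLS("server.crt", "server.key"))
}
```

The early-end check runs after the inner handler returns, so the flag takes effect on the next response multiplexed over the same connection; a stream the client has already reset cannot carry response headers, which is why the decision is recorded per connection rather than per request.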