Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release-4.11] Prevent rapid reset http2 DOS on API server #1755

Closed
wants to merge 1 commit into from

Conversation

ncdc
Copy link

@ncdc ncdc commented Oct 11, 2023

What type of PR is this?

/kind bug

What this PR does / why we need it:

Text from upstream PR kubernetes#121120:

This change fully addresses GHSA-qppj-fm5r-hxr3 and CVE-2023-39325 for the API server when combined with
golang/net@b225e7c

The changes to util/runtime are required because otherwise a large number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user), we simply no longer allow such clients to hold open http2 connections. They can use http2, but with the performance of http1 (or possibly slightly worse).

For all other clients, we detect if the request ended via a timeout before the context's deadline. This likely means that the client reset the http2 stream early. We close the connection in this case as well. To mitigate issues related to clients creating more streams than the configured max, we rely on the golang.org/x/net fix noted above. The Kube API server now uses a max stream of 100 instead of 250 (this matches the Go http2 client default). This lowers the abuse limit from 1000 to 400.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Address CVE-2023-44487 and CVE-2023-39325 for the API server.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


This change fully addresses CVE-2023-44487 and CVE-2023-39325 for
the API server when combined with
golang/net@b225e7c

The changes to util/runtime are required because otherwise a large
number of requests can get blocked on the time.Sleep calls.

For unauthenticated clients (either via 401 or the anonymous user),
we simply no longer allow such clients to hold open http2
connections.  They can use http2, but with the performance of http1
(or possibly slightly worse).

For all other clients, we detect if the request ended via a timeout
before the context's deadline.  This likely means that the client
reset the http2 stream early.  We close the connection in this case
as well.  To mitigate issues related to clients creating more
streams than the configured max, we rely on the golang.org/x/net fix
noted above.  The Kube API server now uses a max stream of 100
instead of 250 (this matches the Go http2 client default).  This
lowers the abuse limit from 1000 to 400.

Signed-off-by: Monis Khan <mok@microsoft.com>
@openshift-ci-robot openshift-ci-robot added the backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. label Oct 11, 2023
@openshift-ci-robot
Copy link

@ncdc: the contents of this pull request could not be automatically validated.

The following commits could not be validated and must be approved by a top-level approver:

Comment /validate-backports to re-evaluate validity of the upstream PRs, for example when they are merged upstream.

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 11, 2023
@openshift-ci openshift-ci bot added the vendor-update Touching vendor dir or related files label Oct 11, 2023
@openshift-ci
Copy link

openshift-ci bot commented Oct 11, 2023

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ncdc
Once this PR has been reviewed and has the lgtm label, please assign mfojtik for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ncdc
Copy link
Author

ncdc commented Oct 11, 2023

/retest

1 similar comment
@ncdc
Copy link
Author

ncdc commented Oct 11, 2023

/retest

@openshift-ci
Copy link

openshift-ci bot commented Oct 11, 2023

@ncdc: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/verify-commits 8f9cc7b link true /test verify-commits
ci/prow/e2e-gcp 8f9cc7b link true /test e2e-gcp
ci/prow/verify 8f9cc7b link true /test verify

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@ncdc
Copy link
Author

ncdc commented Oct 13, 2023

Pulling into #1761

@ncdc ncdc closed this Oct 13, 2023
@ncdc ncdc deleted the 4.11/h2-dos branch October 13, 2023 12:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backports/unvalidated-commits Indicates that not all commits come to merged upstream PRs. kind/bug Categorizes issue or PR as related to a bug. vendor-update Touching vendor dir or related files
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants