Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[馃惛 Frogbot] Update version of golang.org/x/net to 0.23.0 #2528

Closed
wants to merge 1 commit into from
Closed

[馃惛 Frogbot] Update version of golang.org/x/net to 0.23.0 #2528

wants to merge 1 commit into from

Conversation

github-actions[bot]
Copy link
Contributor

馃毃 This automated pull request was created by Frogbot and fixes the below:

馃摝 Vulnerable Dependencies

鉁嶏笍 Summary

SEVERITY CONTEXTUAL ANALYSIS DIRECT DEPENDENCIES IMPACTED DEPENDENCY FIXED VERSIONS CVES

Medium		 Undetermined github.com/go-git/go-git/v5:v5.12.0
github.com/jfrog/jfrog-cli-core/v2:v2.51.0
github.com/jfrog/jfrog-cli-security:v1.1.0
github.com/jfrog/jfrog-client-go:v1.40.1
golang.org/x/net:v0.22.0		 golang.org/x/net v0.22.0 [0.23.0] CVE-2023-45288

馃敩 Research Details

Description:
The net/http package in Go is used for handling HTTP requests and responses.
HTTP/2 is a binary protocol where the client and server exchange binary frames instead of text lines as in HTTP/1.x. HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.

The HEADERS frame type allows sending HTTP headers of, both, request and response. The HEADERS frame contains many flags.
The CONTINUATION frame type is similar to the HEADER frame, but it has just one flag: END_HEADERS. When it is not set, the peer knows that more headers are coming in the following CONTINUATION frames.

This mechanism allows an attacker to send an HTTP/2 stream with CONTINUATION frames, without setting the END_HEADERS flag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.

Though the net/http package uses HTTP/2 by default, a Golang web server must have HTTPS configured to be vulnerable to exploitation.
The x/net/http2 package is vulnerable by default.

Remediation:

Development mitigations

From Golang version 1.6, the net/http package is using the HTTP/2 protocol by default when using HTTPS. You can disable HTTP/2 by setting Server.TLSNextProto (for servers) to a non-nil, empty map.

For example:

package main

import (
    "log"
    "net/http"
    "crypto/tls"
)

func main() {
    m := http.NewServeMux()
    srv := &http.Server{
        Handler:      m,
        Addr:         "127.0.0.1:8080",
        TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
    }
    log.Fatal(srv.ListenAndServe())
}

Alternatively, the following GODEBUG settings are also supported, which disables the HTTP/2 server support:

GODEBUG=http2server=0

@sverdlov93 sverdlov93 closed this May 6, 2024
@sverdlov93 sverdlov93 deleted the frogbot-golang.org/x/net-4ff65929cd11cb96312047a048517546 branch May 7, 2024 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sverdlov93 @JFrog-Frogbot