Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tN3ZwLWhxd3YtN201eM0hTg
Unbounded memory usage on exposed HTTP/2 (non-gRPC) endpoints
Impact
The net/http Go package has a reported vulnerability tracked under CVE-2021-44716 which allows attacker controlled HTTP/2 requests to trigger unbounded memory usage in HTTP/2 endpoints. gRPC endpoints are not vulnerable as they rely on their own HTTP/2 implementation instead of the net/http package. HTTP/2 endpoints consuming the net/http package within SPIRE server and agent (or other components in this repository) that are on by default include the following:
- OIDC Discovery Provider
- K8s Workload Registrar in webhook mode
The following endpoints are vulnerable when enabled:
- SPIRE server bundle endpoint (i.e. Federation API)
The following endpoints are NOT vulnerable, since HTTP/2 support in go is not enabled on non-TLS protected endpoints:
- SPIRE server/agent metrics endpoint when configured for Prometheus
- SPIRE server/agent health endpoints
- SPIRE server/agent profiling endpoints
Patches
SPIRE 1.0.3 and 1.1.3 have been released with an upgraded Go toolchain which patches the vulnerability
Workarounds
The vulnerability can be worked around entirely by including the http2server=0 value in the GODEBUG environment variable (see https://github.com/golang/go/issues/50058). This turns off HTTP/2 support on all non-gRPC endpoints. They will still function with HTTP/1.1.
The risk associated with this vulnerability can be somewhat mitigated by limiting the exposure of the endpoints in question. If necessary, vulnerable components or endpoints that are optionally configured can be disabled temporarily.
References
- https://github.com/golang/go/issues/50058
- https://go-review.googlesource.com/c/go/+/370574/
- https://nvd.nist.gov/vuln/detail/CVE-2021-44716
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tN3ZwLWhxd3YtN201eM0hTg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
Identifiers: GHSA-m7vp-hqwv-7m5x
References:
- https://github.com/spiffe/spire/security/advisories/GHSA-m7vp-hqwv-7m5x
- https://github.com/advisories/GHSA-m7vp-hqwv-7m5x
Blast Radius: 0.0
Affected Packages
go:github.com/spiffe/spire
Dependent packages: 29Dependent repositories: 40
Downloads:
Affected Version Ranges: >= 1.1.0, < 1.1.3, < 1.0.3
Fixed in: 1.1.3, 1.0.3
All affected versions: 0.9.2, 0.9.3, 0.9.4, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2
All unaffected versions: 1.0.3, 1.0.4, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.8.11, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.10.4, 1.11.0