Skip to content
This repository was archived by the owner on Mar 3, 2025. It is now read-only.

🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks#484

Merged
camilamacedo86 merged 1 commit into
operator-framework:mainfrom
camilamacedo86:fix-webhook-cve
Dec 17, 2024
Merged

🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks#484
camilamacedo86 merged 1 commit into
operator-framework:mainfrom
camilamacedo86:fix-webhook-cve

Conversation

@camilamacedo86

@camilamacedo86 camilamacedo86 commented Dec 13, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with:

While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197

@camilamacedo86 camilamacedo86 requested a review from a team as a code owner December 13, 2024 22:07
@camilamacedo86 camilamacedo86 requested review from bentito, joelanford, perdasilva and tmshort and removed request for a team December 13, 2024 22:08
@codecov

codecov Bot commented Dec 13, 2024
edited
Loading

Copy link
Copy Markdown

Codecov Report

Attention: Patch coverage is 0% with 11 lines in your changes missing coverage. Please review.

Project coverage is 37.89%. Comparing base (f91558f) to head (979f29b).
Report is 3 commits behind head on main.

Files with missing lines Patch % Lines
cmd/manager/main.go 0.00% 11 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #484      +/-   ##
==========================================
- Coverage   38.23%   37.89%   -0.35%     
==========================================
  Files          15       15              
  Lines        1224     1235      +11     
==========================================
  Hits          468      468              
- Misses        706      717      +11     
  Partials       50       50

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@camilamacedo86
Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks
979f29b 
Ensure HTTP/2 is disabled by default for webhooks. Disabling HTTP/2 mitigates vulnerabilities associated with:
  - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3)
  - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8)

While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: kubernetes/kubernetes#121197
@camilamacedo86 camilamacedo86 requested review from jianzhangbjz and removed request for bentito December 13, 2024 22:48
@camilamacedo86

camilamacedo86 commented Dec 13, 2024

Copy link
Copy Markdown
Contributor Author

This one we need to backport.

@camilamacedo86 camilamacedo86 changed the title 🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks 🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (we need to backport) Dec 13, 2024
@camilamacedo86 camilamacedo86 changed the title 🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (we need to backport) 🐛 OCPBUGS-20517: Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (we need to backport) Dec 16, 2024
@camilamacedo86 camilamacedo86 changed the title 🐛 OCPBUGS-20517: Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (we need to backport) 🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (we need to backport) Dec 16, 2024
@grokspawn

grokspawn commented Dec 17, 2024

Copy link
Copy Markdown
Contributor

This one we need to backport.

The CNCF project does not currently backport to previous release versions, but this will be available in future releases of this project.

tmshort
tmshort reviewed Dec 17, 2024
View reviewed changes
Comment thread cmd/manager/main.go
// - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8)
// While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks.
// For details, see: https://github.com/kubernetes/kubernetes/issues/121197
setupLog.Info("disabling http/2")

@tmshort tmshort Dec 17, 2024

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we indicate that this is for webhooks? We ought to be disabling HTTP/2 for more than just webhooks, and it would be good, to specify it.

@camilamacedo86 camilamacedo86 Dec 17, 2024

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will be used for metrics as well when we get both PR merged:
This one and #460

So, how do you think we could make it clearer?
Any ideas?

@tmshort tmshort Dec 17, 2024

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're saying that tlsOpts will be used for multiple Servers? If that's the case, I guess it's ok, but I would like to see a bit more, but we can save that for later.

@camilamacedo86 camilamacedo86 Dec 17, 2024

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can shape in a follow after get both merged for sure 👍
Thank you

@tmshort

tmshort commented Dec 17, 2024

Copy link
Copy Markdown
Contributor

The CNCF project does not currently backport to previous release versions, but this will be available in future releases of this project.

Given that we just released this, and the installed customer base is small, I agree with this.

@camilamacedo86 camilamacedo86 changed the title 🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks (we need to backport) 🐛 Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks Dec 17, 2024
tmshort
tmshort approved these changes Dec 17, 2024
View reviewed changes

@tmshort tmshort left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Dec 17, 2024
@camilamacedo86 camilamacedo86 added this pull request to the merge queue Dec 17, 2024
@camilamacedo86 camilamacedo86 removed this pull request from the merge queue due to a manual request Dec 17, 2024
@camilamacedo86 camilamacedo86 added this pull request to the merge queue Dec 17, 2024
Merged via the queue into operator-framework:main with commit cab110e Dec 17, 2024
@camilamacedo86 camilamacedo86 mentioned this pull request Dec 18, 2024
Closed
@camilamacedo86 camilamacedo86 mentioned this pull request Jan 6, 2025
Closed
This was referenced Jan 6, 2025
Closed
Merged
Closed
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@perdasilva perdasilva Awaiting requested review from perdasilva

@joelanford joelanford Awaiting requested review from joelanford

@jianzhangbjz jianzhangbjz Awaiting requested review from jianzhangbjz

1 more reviewer

@tmshort tmshort tmshort approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@tmshort tmshort

Labels

lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@camilamacedo86 @grokspawn @tmshort