CVE-2021-44716

golang: net/http: limit growth of header canonicalization cache

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

net/http en Go versiones anteriores a 1.16.12 y versiones 1.17.x anteriores a 1.17.5, permite un consumo no controlado de memoria en la caché de canonización del encabezado por medio de peticiones HTTP/2.

There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.

The RHEL-8 based Cryostat container images have been updated with a security fix for "CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache". Users of RHEL-8 based Cryostat container images are advised to upgrade to these updated images, which contain backported patches to correct this security issue. Users of these images are also encouraged to rebuild all container images that depend on these images. You can find images updated by this advisory in Red Hat Ecosystem Catalog.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-12-07 CVE Reserved
2021-12-16 CVE Published
2024-08-04 CVE Updated
2025-04-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (9)

URL	Tag	Source
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
https://lists.debian.org/debian-lts-announce/2022/01/msg00016.html	Mailing List
https://lists.debian.org/debian-lts-announce/2022/01/msg00017.html	Mailing List
https://lists.debian.org/debian-lts-announce/2023/04/msg00021.html	Mailing List
https://security.netapp.com/advisory/ntap-20220121-0002	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://groups.google.com/g/golang-announce/c/hcmEScgc00k	2023-04-20

URL	Date	SRC
https://security.gentoo.org/glsa/202208-02	2023-04-20
https://access.redhat.com/security/cve/CVE-2021-44716	2023-01-25
https://bugzilla.redhat.com/show_bug.cgi?id=2030801	2023-01-25

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.16.12 Search vendor "Golang" for product "Go" and version " < 1.16.12"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.17.0 < 1.17.5 Search vendor "Golang" for product "Go" and version " >= 1.17.0 < 1.17.5"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Netapp Search vendor "Netapp"		Cloud Insights Telegraf Search vendor "Netapp" for product "Cloud Insights Telegraf"				-		-		Affected