SECVULN-29092 DoS handled for kvs_endpoint.go #22916
Conversation
Signed-off-by: Manisha Kumari <[email protected]>
Signed-off-by: Manisha Kumari <[email protected]>
| StatusCode: http.StatusRequestEntityTooLarge, | ||
| Reason: fmt.Sprintf("Request body too large, max allowed is %d bytes.", maxSize), | ||
| } | ||
| } |
Don't add jira tickets to oss repo prs.
| Reason: fmt.Sprintf("Request body too large, max allowed is %d bytes.", maxSize), | ||
| } | ||
| } | ||
|
|
Please add unit tests for this.
agent/kvs_endpoint.go
Outdated
| buf := bytes.NewBuffer(nil) | ||
| if _, err := io.Copy(buf, req.Body); err != nil { | ||
| // LimitReader to limit copy of large requests with no Content-Length | ||
| limitedReader := io.LimitReader(req.Body, maxSize+1) |
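Review bot: the `maxSize+1` on this line deserves an explanatory comment, since it is the reason the later `copiedBytes > maxSize` check can work at all: io.LimitReader stops at its limit without returning an error, so a limit of exactly maxSize could not tell a body of maxSize bytes from a larger one that was cut off. Suggest extending the comment, e.g. `// allow one byte past the limit so an oversized body is detectable`.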
Why is maxSize+1 needed?
agent/kvs_endpoint.go
Outdated
| } | ||
|
|
||
| // Reject request if actual read size exceeds allowed limit | ||
| if copiedBytes > maxSize { |
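Review bot: this condition is the actual rejection rather than a redundancy: io.LimitReader only caps how much is read and reports no error when the cap is hit, so without it an oversized value would be silently truncated and stored. Worth stating that in the comment above it so the next reader does not ask the same question.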
If we are already restricting copiedBytes then why do we need this condition?
dduzgun-security
left a comment
I'm not sure this resolves the issue. The problem here is when the Content-Length is omitted. The condition should check that the Content-Length is present, greater than zero and below the KVMaxValueSize and if not, it throws an error message. Please include unit tests for this too.
We also need a changelog for this that mentions the CVE this fix will resolve: CVE-2025-11374.
Signed-off-by: Manisha Kumari <[email protected]>
agent/kvs_endpoint.go
Outdated
| maxSize := int64(s.agent.config.KVMaxValueSize) | ||
|
|
||
| switch { | ||
| case req.ContentLength < 0: |
| case req.ContentLength < 0: | |
| case !req.ContentLength || req.ContentLength <= 0: |
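Review bot: `!req.ContentLength` in this suggestion will not compile: Request.ContentLength is an int64 and `!` applies only to booleans. `case req.ContentLength <= 0:` on its own already covers both the omitted header (Go reports it as -1) and an explicit zero, so the `!` clause adds nothing even if it were valid.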
Signed-off-by: Manisha Kumari <[email protected]>
CHANGELOG.md
Outdated
|
|
||
| SECURITY: | ||
|
|
||
| * security: Fix Consul's KV endpoint is vulnerable to denial of service address CVE-2025-11374 [[GH-22916](https://github.com/hashicorp/consul/pull/22916)] |
This is not where we add changelog.
agent/kvs_endpoint.go
Outdated
| maxSize := int64(s.agent.config.KVMaxValueSize) | ||
|
|
||
| switch { | ||
| case req.ContentLength <= 0: |
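Review bot: `req.ContentLength <= 0` rejects every request whose length Go reports as -1, which includes chunked transfer-encoding uploads from otherwise well-behaved clients, not just requests with the header stripped, and it also rejects an explicit Content-Length: 0. If the goal is only to bound how many bytes are read, wrapping the body with http.MaxBytesReader(w, req.Body, maxSize) caps it regardless of what the header says and avoids that behaviour change.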
Check if contentlength is omitted. If omitted, raise error
In the case of no Content-Length it is taken as Content-Length=-1. So it is handled here @sanikachavan5
Signed-off-by: Manisha Kumari <[email protected]>
.changelog/22916.txt
Outdated
| @@ -0,0 +1,3 @@ | |||
| ```release-note:security | |||
| security: Consul's KV endpoint is vulnerable to denial of service [CVE-2025-11374]() | |||
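Review bot: `[CVE-2025-11374]()` has an empty link target and will render as a broken link in the release notes. Until the advisory URL exists, write the identifier as plain text and add the link once it is published.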
Improved validation of the Content-Length header in the Consul KV endpoint to prevent potential denial of service attacks.
Added.
Signed-off-by: Manisha Kumari <[email protected]>
Signed-off-by: Manisha Kumari <[email protected]>
Signed-off-by: Manisha Kumari <[email protected]>
Signed-off-by: Manisha Kumari <[email protected]>
@eastebry There is no URL for this CVE yet. Do you want me to modify the changelog?
eastebry
left a comment
Thanks for making this change!
I believe this check is correct, and this will fix this issue (more details on that at the bottom), however I am wondering if we would be better off using a MaxByteReader to read the body and enforce the limit. There may be trade offs to this approach, so I'll leave the final decision to you all.
Regarding this specific check, I believe this is correct. Here are the cases I was concerned about and explicitly tested:
- If a `Content-Length` header is not set, it appears that Go will infer based on the body, or set it to -1 if the request is chunked.
- If `Content-Length` is set to a different value than the size of the body, the server will either truncate the body, or hang while it waits for the additional bytes to be sent.
Based on that, this code appears to work properly. I do wonder if we would be better off not performing this check ourselves, and relying on a MaxByteReader.
Signed-off-by: Manisha Kumari <[email protected]>
Updated to MaxByteReader
Addressed the change and other reviewers have reviewed.
📣 Hi @Manishakumari-hc! a backport is missing for this PR [22916] for versions [1.18,1.19,1.20,1.21] please perform the backport manually and add the following snippet to your backport PR description:
@dduzgun-security Where is CVE-2025-11374 coming from? I'm reading the release notes for the pre-release and when googling Same thing for https://nvd.nist.gov/vuln/detail/CVE-2025-11375 and for https://nvd.nist.gov/vuln/detail/CVE-2025-11392 @hc-github-team-consul-core How can we get more info on the CVSS for these CVEs?
Hi @sarah-oloumi, the CVE is reserved by us under the HashiCorp CNA and will be published at the same time as the next Consul release of version 1.22.
Description
* content-length is greater than 0 & less than int64(s.agent.config.KVMaxValueSize)
OR
* when content-length is not passed (=-1) && req.Body size is less than int64(s.agent.config.KVMaxValueSize).
Test case:

Test case updated to check the added swich cases in KVSPUT code block .
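As an added example (not Consul's code and not part of this PR), the handler below combines the two approaches discussed in the review and in the description above: an up-front Content-Length check for a declared size over the limit, plus http.MaxBytesReader to cap the body when the header is absent (Go reports -1 for chunked requests) or understates the size. `maxValueSize`, `readBoundedBody`, `kvPutHandler` and `putStatus` are assumed names standing in for s.agent.config.KVMaxValueSize and the real endpoint.

```go
package main

import (
	"errors"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxValueSize stands in for s.agent.config.KVMaxValueSize; the small
// value is an assumption chosen so the cases in putStatus are easy to follow.
const maxValueSize int64 = 16

// readBoundedBody rejects up front when Content-Length already exceeds the
// limit, then wraps the body in http.MaxBytesReader so a chunked request
// (ContentLength == -1) or a header that lies about the size is still capped.
func readBoundedBody(w http.ResponseWriter, req *http.Request, maxSize int64) ([]byte, error) {
	if req.ContentLength > maxSize {
		return nil, &http.MaxBytesError{Limit: maxSize}
	}
	req.Body = http.MaxBytesReader(w, req.Body, maxSize)
	return io.ReadAll(req.Body)
}

// kvPutHandler mimics the shape of a KV PUT endpoint: buffer the value,
// answering 413 instead of reading an unbounded body into memory.
func kvPutHandler(w http.ResponseWriter, req *http.Request) {
	body, err := readBoundedBody(w, req, maxValueSize)
	if err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "Request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(body)
}

// putStatus drives the handler with a constructed PUT and returns the status
// code; chunked=true drops Content-Length the way Go reports it (-1).
func putStatus(body string, chunked bool) int {
	req := httptest.NewRequest(http.MethodPut, "/v1/kv/demo", strings.NewReader(body))
	if chunked {
		req.ContentLength = -1
	}
	rec := httptest.NewRecorder()
	kvPutHandler(rec, req)
	return rec.Code
}
```

The declared-length check saves reading anything when the client is honest about an oversized body; MaxBytesReader is what protects against the dishonest and chunked cases.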