FreeBSD: VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA (CVE-2019-16276): go -- invalid headers are normalized, allowing request smuggling
Description
Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.
From VID-A92DCC5C-E05C-11E9-B589-10C37B4AC2EA:
The Go project reports:
net/http (through net/textproto) used to accept and normalize invalid
HTTP/1.1 headers with a space before the colon, in violation of RFC 7230.
If a Go server is used behind a reverse proxy that accepts and forwards
but doesn't normalize such invalid headers, the reverse proxy and the
server can interpret the headers differently. This can lead to filter
bypasses or request smuggling, the latter if requests from separate clients
are multiplexed onto the same connection by the proxy. Such invalid headers
are now rejected by Go servers, and passed without normalization to Go
client applications.
Solution(s)
- freebsd-upgrade-package-go
- freebsd-upgrade-package-go-devel
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center