Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks

- Ensure HTTP/2 is disabled when the enable-http2 flag is set to false (default). - Disabling HTTP/2 mitigates vulnerabilities associated with: - HTTP/2 Stream Cancellation (GHSA-qppj-fm5r-hxr3) - HTTP/2 Rapid Reset (GHSA-4374-p667-p6c8) - While CVE fixes exist, they remain insufficient; disabling HTTP/2 helps reduce risks. For details, see: - GHSA-qppj-fm5r-hxr3 - GHSA-4374-p667-p6c8 - golang/go#63417
camilamacedo86 · Dec 13, 2024 · e701977 · e701977
1 parent f91558f
commit e701977
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/cmd/manager/main.go b/cmd/manager/main.go
@@ -159,13 +159,26 @@ func main() {
 		log.Fatalf("Failed to initialize certificate watcher: %v", err)
 	}
 
+	tlsOpts := func(config *tls.Config) {
+		config.GetCertificate = cw.GetCertificate
+
+		// If the enable-http2 flag is false (the default), http/2 should be disabled
+		// due to its vulnerabilities. More specifically, disabling http/2 will
+		// prevent from being vulnerable to the HTTP/2 Stream Cancellation and
+		// Rapid Reset CVEs. For more information see:
+		// - https://github.com/advisories/GHSA-qppj-fm5r-hxr3
+		// - https://github.com/advisories/GHSA-4374-p667-p6c8
+		// Besides, those CVEs are solved already; the solution is still insufficient, and we need to mitigate
+		// the risks. More info https://github.com/golang/go/issues/63417
+		setupLog.Info("disabling http/2")
+		config.NextProtos = []string{"http/1.1"}
+	}
+
 	// Create webhook server and configure TLS
 	webhookServer := crwebhook.NewServer(crwebhook.Options{
 		Port: webhookPort,
 		TLSOpts: []func(*tls.Config){
-			func(cfg *tls.Config) {
-				cfg.GetCertificate = cw.GetCertificate
-			},
+			tlsOpts,
 		},
 	})