Tyk could be exposed to HTTP/2 Continuation frame CVE

Uri_Parush · April 17, 2024, 7:49am

Do you want to request a feature or report a bug?
Security concern (bug?).

What is the current behavior?
Tyk could be exposed to HTTP/2 Continuation frame implementation bug in golang

What is the expected behavior?
Either validate Tyk is not affected and inform users of that or upgrade packages / go version us suggested by Google in their advisory.

Which versions of Tyk affected by this issue? Did this work in previous versions of Tyk?
Possible affects most of the latest releases, if not all of them.

Olu · April 17, 2024, 9:24am

@Uri_Parush Thanks for bringing this to our attention.

I have informed the team internally and they will investigate further.

I will come back when I have an update.

Uri_Parush · April 28, 2024, 6:49am

Hi,
Any update on this issue?
This security issue is urgent if the API GW is at risk

Thanks

Olu · May 2, 2024, 4:51pm

Sorry for the delay in communication. The latest version of the gateway is v5.3.1 and is built with go 1.21.8. That falls underneath the versions susceptible to the vulnerability.

When I check our docker image based on the CVE-2023-45288, I can see two packages with the issues:

golang.org/x/net 0.21.0 = Mid level priority (CVSS Score: 5.3)
stdlib 1.21.8

Considering the attack area is HTTP/2, the vulnerability may not be exploitable since proxy_enable_http2 is disabled by default but we haven’t tested this to confirm.

The next release of the gateway should be on Go 1.22.2 (or later) and account for the fix

Uri_Parush · May 4, 2024, 4:14pm

10x for the update.
Do you have a target date for the next verison ?

Olu · May 8, 2024, 5:58pm

The next release is set for some time in June

Uri_Parush · May 9, 2024, 5:04am

Thanks, waiting for it