Disable HTTP/2 by Default for Metrics endpoint to Mitigate CVE Risks #2148

Open
anshuman-agarwala opened this issue Jan 28, 2025 · 0 comments · May be fixed by #2149
Labels
area/provider/ibmcloud Issues or PRs related to ibmcloud provider kind/feature Categorizes issue or PR as related to a new feature.

Comments

@anshuman-agarwala
Contributor

/kind feature
/area provider/ibmcloud

Describe the solution you'd like
There is a security vulnerability in golang/net which can allow malicious authorized clients to DoS the kube-apiserver.
More information can be found in this issue

The workaround for this issue that other projects have adopted is to make HTTP/2 optional using a flag.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
More information about the CVE:
GHSA-qppj-fm5r-hxr3
GHSA-4374-p667-p6c8

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. area/provider/ibmcloud Issues or PRs related to ibmcloud provider labels Jan 28, 2025
@anshuman-agarwala anshuman-agarwala linked a pull request Jan 28, 2025 that will close this issue
@anshuman-agarwala anshuman-agarwala changed the title Disable HTTP/2 by Default for Webhooks to Mitigate CVE Risks Disable HTTP/2 by Default for Metrics endpoint to Mitigate CVE Risks Jan 28, 2025
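
The workaround described in the issue, sketched with Go's standard library as an added example (not code from this project or the linked pull request): a boolean flag restricts ALPN to HTTP/1.1 unless it is set, and a client that offers h2 first confirms what the server actually negotiates. The flag name `enable-http2` and the functions `applyHTTP2Setting`, `startMetrics` and `negotiatedALPN` are hypothetical names chosen for this example; the endpoint is a loopback stand-in using `httptest`'s built-in test certificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"flag"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// applyHTTP2Setting sets ALPN and the server's protocol handlers from the flag value.
func applyHTTP2Setting(srv *http.Server, cfg *tls.Config, enableHTTP2 bool) {
	cfg.NextProtos = []string{"h2", "http/1.1"}
	if !enableHTTP2 {
		// HTTP/1.1-only ALPN, plus a non-nil empty map so net/http installs no h2 handler.
		cfg.NextProtos = []string{"http/1.1"}
		srv.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}
	}
}

// startMetrics starts a stand-in TLS endpoint on loopback (the handler plays no part in ALPN).
func startMetrics(enableHTTP2 bool) *httptest.Server {
	ts := httptest.NewUnstartedServer(http.NotFoundHandler())
	ts.TLS = &tls.Config{}
	applyHTTP2Setting(ts.Config, ts.TLS, enableHTTP2)
	ts.StartTLS()
	return ts
}

// negotiatedALPN dials as a client that prefers h2 and returns the protocol the server selected.
func negotiatedALPN(ts *httptest.Server) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ts.Certificate())
	conn, err := tls.Dial("tcp", ts.Listener.Addr().String(),
		&tls.Config{RootCAs: pool, NextProtos: []string{"h2", "http/1.1"}})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	enable := flag.Bool("enable-http2", false, "serve over HTTP/2 (hypothetical flag name)")
	flag.Parse()
	ts := startMetrics(*enable)
	defer ts.Close()
	fmt.Println(negotiatedALPN(ts))
}
```

The same client-side ALPN check works against a deployed endpoint as a regression test that the default stays HTTP/1.1 after upgrades.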