fix: force HTTP/1.1 connections

simonpasquier · simonpasquier · commit 6413894d2d05 · 2023-10-19T16:16:17.000+02:00
Commit b3b011b was not enough to prevent HTTP2 connections as demonstrated in kubernetes/kubernetes#121197. To prevent any risk with HTTP2, this change disables HTTP2 at the server level. There's no expected performance penalty because the web server is only used for scraping metrics. Signed-off-by: Simon Pasquier <spasquie@redhat.com>
diff --git a/pkg/metrics/server.go b/pkg/metrics/server.go
@@ -78,6 +78,11 @@ func (s *Server) Run(ctx context.Context) error {
 	if err != nil {
 		return err
 	}
+	// Mitigate CVE-2023-44487 by disabling HTTP2 until the Go standard library
+	// and golang.org/x/net are fully fixed.
+	// Since the web server is only used to expose the metrics endpoint,
+	// downgrading to HTTP/1.1 doesn't bring any performance penalty.
+	serverConfig.SecureServing.DisableHTTP2 = true
 
 	serverConfig.Authorization.Authorizer = union.New(
 		// prefix the authorizer with the permissions for metrics scraping which are well known.
