THREESCALE-10224 CVE-2023-44487 http/2 rapid reset

Signed-off-by: Eguzki Astiz Lezaun <[email protected]>
3scale · eguzki · Nov 2, 2023 · Oct 25, 2023 · Oct 25, 2023 · Oct 25, 2023
commit 354a5bd454b5ee0b030304525e4c3633dd95ede4
@@ -112,7 +112,7 @@ executors:
  openresty:
  working_directory: /opt/app-root/apicast
  docker:
- - image: quay.io/3scale/apicast-ci:openresty-1.19.3-pr1381
+ - image: quay.io/3scale/apicast-ci:openresty-1.19.3-23
  - image: redis:3.2.8-alpine
  environment:
  TEST_NGINX_BINARY: openresty

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+### Fixed
+
+- Fixed CVE-2023-44487 (HTTP/2 Rapid Reset) [PR #393](https://github.com/3scale/apicast/pull/392) [THREESCALE-10224](https://issues.redhat.com/browse/THREESCALE-10224)
+
 ### Added
 
 - Detect number of CPU shares when running on Cgroups V2 [PR #1410](https://github.com/3scale/apicast/pull/1410) [THREESCALE-10167](https://issues.redhat.com/browse/THREESCALE-10167)

@@ -1,6 +1,8 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
-ARG OPENRESTY_RPM_VERSION="1.19.3"
+ARG OPENRESTY_RPM_VERSION="1.19.3-23.el8"
+ARG LUAROCKS_VERSION="2.3.0"
+ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
 
 LABEL summary="The 3scale API gateway (APIcast) is an OpenResty application, which consists of two parts: NGINX configuration and Lua files." \
  description="APIcast is not a standalone API gateway therefore it needs connection to the 3scale API management platform. The container includes OpenResty and uses LuaRocks to install dependencies (rocks are installed in the application folder)." \
@@ -18,13 +20,17 @@ ENV AUTO_UPDATE_INTERVAL=0 \
  PATH=/opt/app-root/src/bin:/opt/app-root/bin:$PATH \
  PLATFORM="el8"
 
-RUN sed -i s/enabled=./enabled=0/g /etc/yum/pluginconf.d/subscription-manager.conf
+RUN PKGS="perl-interpreter-5.26.3 libyaml-devel-0.1.7 m4 openssl-devel git gcc make curl" && \
+ mkdir -p "$HOME" && \
+ yum -y --setopt=tsflags=nodocs install $PKGS && \
+ rpm -V $PKGS && \
+ yum clean all -y
 
 RUN dnf install -y 'dnf-command(config-manager)'
 
 RUN yum config-manager --add-repo https://packages.dev.3sca.net/dev_packages_3sca_net.repo
 
-RUN PKGS="perl-interpreter-5.26.3 libyaml-devel-0.1.7 m4 openssl-devel git gcc make curl openresty-resty-${OPENRESTY_RPM_VERSION} luarocks-2.3.0 opentracing-cpp-devel-1.3.0 libopentracing-cpp1-1.3.0 jaegertracing-cpp-client openresty-opentracing-${OPENRESTY_RPM_VERSION}" && \
+RUN PKGS="openresty-resty-${OPENRESTY_RPM_VERSION} openresty-opentelemetry-${OPENRESTY_RPM_VERSION} openresty-opentracing-${OPENRESTY_RPM_VERSION} openresty-${OPENRESTY_RPM_VERSION} luarocks-${LUAROCKS_VERSION} opentracing-cpp-devel-1.3.0 libopentracing-cpp1-1.3.0 jaegertracing-cpp-client-${JAEGERTRACING_CPP_CLIENT_RPM_VERSION}" && \
  mkdir -p "$HOME" && \
  yum -y --setopt=tsflags=nodocs install $PKGS && \
  rpm -V $PKGS && \

@@ -1,7 +1,8 @@
 FROM registry.access.redhat.com/ubi8:8.5
 
-ARG OPENRESTY_RPM_VERSION="1.19.3"
+ARG OPENRESTY_RPM_VERSION="1.19.3-23.el8"
 ARG LUAROCKS_VERSION="2.3.0"
+ARG JAEGERTRACING_CPP_CLIENT_RPM_VERSION="0.3.1-13.el8"
 
 WORKDIR /tmp
 
@@ -12,7 +13,7 @@ ENV APP_ROOT=/opt/app-root \
 
 RUN sed -i s/enabled=./enabled=0/g /etc/yum/pluginconf.d/subscription-manager.conf
 
-RUN yum upgrade -y 
+RUN yum upgrade -y
 
 RUN dnf install -y 'dnf-command(config-manager)'
 
@@ -29,7 +30,9 @@ RUN yum install -y \
  openresty-${OPENRESTY_RPM_VERSION} \
  openresty-resty-${OPENRESTY_RPM_VERSION} \
  openresty-opentracing-${OPENRESTY_RPM_VERSION} \
- jaegertracing-cpp-client 
+ opentracing-cpp-devel-1.3.0 \
+ libopentracing-cpp1-1.3.0 \
+ jaegertracing-cpp-client-${JAEGERTRACING_CPP_CLIENT_RPM_VERSION}
 
 RUN ln -sf /dev/stdout /usr/local/openresty/nginx/logs/access.log \
  && ln -sf /dev/stderr /usr/local/openresty/nginx/logs/error.log \

@@ -12,7 +12,7 @@ NPROC ?= $(firstword $(shell nproc 2>/dev/null) 1)
 
 SEPARATOR="\n=============================================\n"
 
-DEVEL_IMAGE ?= quay.io/3scale/apicast-ci:openresty-1.19.3
+DEVEL_IMAGE ?= quay.io/3scale/apicast-ci:openresty-1.19.3-23
 DEVEL_DOCKERFILE ?= Dockerfile.devel
 
 RUNTIME_IMAGE ?= quay.io/3scale/apicast:latest
@@ -63,9 +63,9 @@ export COMPOSE_PROJECT_NAME
 # The development image is also used in CI (circleCI) as the 'openresty' executor
 # When the development image changes, make sure to:
 # * build a new development image:
-# make dev-build IMAGE_NAME=quay.io/3scale/apicast-ci:openresty-1.19.3
+# make dev-build IMAGE_NAME=quay.io/3scale/apicast-ci:openresty-X.Y.Z-{release_number}
 # * push to quay.io/3scale/apicast-ci with a fixed tag (avoid floating tags)
-# docker push quay.io/3scale/apicast-ci:openresty-1.19.3
+# docker push quay.io/3scale/apicast-ci:openresty-X.Y.Z-{release_number}
 # * update .circleci/config.yaml openresty executor with the image URL
 .PHONY: dev-build
 dev-build: export OPENRESTY_RPM_VERSION?=1.19.3

@@ -2,7 +2,8 @@
 version: '2.2'
 services:
  development:
- image: ${IMAGE:-quay.io/3scale/apicast-ci:openresty-1.19.3}
+ image: ${IMAGE:-quay.io/3scale/apicast-ci:openresty-1.19.3-23}
+ platform: "linux/amd64"
  depends_on:
  - redis
  working_dir: /opt/app-root/src/