Impact
The following code reproduces an unbounded goroutine buildup: each connection stays
established because the HTTP clients never close it, and the server keeps a goroutine for every one of them.
https://gist.github.com/harshavardhana/2d00e6f909054d2d2524c71485ad02e1
Public-facing MinIO deployments are the most affected; however, workarounds are available.
Patches
Users should upgrade to RELEASE.2022-06-02T02-11-04Z
Workarounds
A workaround is to put a reverse proxy in front of MinIO that limits the number of connections a client may open and actively rejects connections from such malicious clients.
References
Pull request #14995 describes what we had to bring in to give operators control over such malicious HTTP client behavior.
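The mechanism behind the Impact section and the kind of server-side control the referenced pull request is about, shown as an added Go example. This is not MinIO's code and not the gist linked above: a plain net/http server with no deadlines keeps one goroutine per idle connection for as long as the socket stays open, while the same server with ReadHeaderTimeout, ReadTimeout and IdleTimeout set (values chosen for the demo) closes connections that never send a request. The loopback server, the idle clients and the deadline values are all constructed for this example.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"runtime"
	"time"
)

// startServer starts an HTTP server on an ephemeral loopback port.
// hardened=false: no deadlines, so a client that connects and never sends a
// request pins a conn.serve goroutine until it decides to hang up.
// hardened=true: the deadlines bound how long an idle connection survives.
func startServer(hardened bool) (*http.Server, net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, nil, err
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			io.WriteString(w, "ok\n")
		}),
	}
	if hardened {
		// Demo values; production deadlines depend on the workload.
		srv.ReadHeaderTimeout = 300 * time.Millisecond
		srv.ReadTimeout = 2 * time.Second
		srv.IdleTimeout = 2 * time.Second
	}
	go srv.Serve(ln)
	return srv, ln, nil
}

// openIdleConns dials n TCP connections and deliberately sends nothing,
// mimicking the clients from the advisory that hold connections open.
func openIdleConns(addr string, n int) ([]net.Conn, error) {
	conns := make([]net.Conn, 0, n)
	for i := 0; i < n; i++ {
		c, err := net.DialTimeout("tcp", addr, time.Second)
		if err != nil {
			closeAll(conns)
			return nil, err
		}
		conns = append(conns, c)
	}
	return conns, nil
}

func closeAll(conns []net.Conn) {
	for _, c := range conns {
		c.Close()
	}
}

// countReclaimed reports how many connections the server has already closed.
// A short read failing with anything but a timeout (normally io.EOF) means the
// server hung up; a timeout means the server is still waiting for a request.
func countReclaimed(conns []net.Conn) int {
	reclaimed := 0
	buf := make([]byte, 1)
	for _, c := range conns {
		c.SetReadDeadline(time.Now().Add(100 * time.Millisecond))
		_, err := c.Read(buf)
		if err == nil {
			continue // unexpected data from the server; treat as still open
		}
		if ne, ok := err.(net.Error); ok && ne.Timeout() {
			continue // still open
		}
		reclaimed++
	}
	return reclaimed
}

// Simulate opens n idle connections, waits past the hardened server's header
// deadline, and returns how many the server reclaimed and how many goroutines
// were alive at that point (each open connection costs one).
func Simulate(hardened bool, n int) (reclaimed, goroutines int, err error) {
	srv, ln, err := startServer(hardened)
	if err != nil {
		return 0, 0, err
	}
	defer srv.Close()
	conns, err := openIdleConns(ln.Addr().String(), n)
	if err != nil {
		return 0, 0, err
	}
	defer closeAll(conns)
	time.Sleep(800 * time.Millisecond) // longer than ReadHeaderTimeout
	goroutines = runtime.NumGoroutine()
	return countReclaimed(conns), goroutines, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		reclaimed, goroutines, err := Simulate(hardened, 50)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("hardened=%-5v reclaimed %2d/50 idle connections, %d goroutines alive\n",
			hardened, reclaimed, goroutines)
	}
}
```

Running the unhardened case shows the goroutine count sitting at roughly the number of idle connections for as long as the clients stay connected; the hardened server closes every idle connection shortly after the header deadline and the count falls back to baseline. Deadlines like these cap the cost of a single slow or silent client; a reverse proxy that limits connections per client, as in the Workarounds section, caps how many such connections one client can open in the first place.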
For more information
If you have any questions or comments about this advisory: