[Spike] Check if we need to explicitly disable HTTP/2 to mitigate `CVE-2023-44487` (Rapid Reset)

[rm3l]

/kind task

As part of #1303, we'll need to bump a few of our dependencies across several repos.
But even doing so might not be sufficient to mitigate the HTTP/2 Rapid Reset vuln (CVE-2023-44487).
The scope of this issue is to check whether we also need to explicitly disable HTTP/2 as an additional safety measure.

If the answer is yes, we'll need to create follow-up issues.

[rm3l]

The results of this investigation work have been shared in a doc titled [Analysis] Investigate if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) (under the Security folder in the Devfile Services team shared drive).

TL;DR
It is strongly recommended, as a mitigation measure, to disable HTTP/2 endpoints if not needed: https://access.redhat.com/security/cve/CVE-2023-44487
So I think it makes sense, as an additional safety measure, to do so where possible.

And from my research, there seems to be currently only one repo where we need to do so:

• devfile/registry-support: in index/server/pkg/server/index.go, where an HTTP Server is started.

I'm marking this issue as done and will create a follow-up issue to make the necessary changes in devfile/registry-support.

The steps for disabling the HTTP/2 protocol in net/http are documented in https://pkg.go.dev/net/http#hdr-HTTP_2

/close

EDIT: #1342 created

[openshift-ci]

@rm3l: Closing this issue.

In response to this:

The results of this investigation work have been shared in a doc titled [Analysis] Investigate if we need to explicitly disable HTTP/2 to mitigate CVE-2023-44487 (Rapid Reset) (under the Security folder in the Devfile Services team shared drive).

TL;DR
It is strongly recommended, as one of the possible mitigation measure, to disable HTTP/2 endpoints if not needed: https://access.redhat.com/security/cve/CVE-2023-44487
So I think it might make sense, as an additional safety measure, to do so where possible.

And from my research, there seems to be currently only one repo where we need to do so:

• devfile/registry-support: in index/server/pkg/server/index.go, where an HTTP Server is started.

I'm marking this issue as done and will create a follow-up issue to make the necessary changes in devfile/registry-support.

The steps for disabling the HTTP/2 protocol in net/http are documented in https://pkg.go.dev/net/http#hdr-HTTP_2

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.