Codex Discovered a Hidden HTTP/2 Bomb
19 points by freddyb
I’m torn about the attribution to a tool when making these discoveries. I wouldn’t mention AFL or property testing when crediting the discovery of a bug, at least not in the blog post title. And presumably there is a human with volition behind the discovery, it’s just buried later on:
Quang Luong for discovering the exploit
I think attributing success to the LLM anthropomorphizes it more than I feel comfortable with. It’s not like Codex cares, although I’m sure OpenAI does.
edit: Of course, I’d like to know when the tool credited with the discovery is guilty of a false positive, so the tool is worth mentioning in any case. I just take issue with the emphasis.
I'm inclined to give AFL or Valgrind or Asan or whatever credit for bug hunting assistance because those projects don't have much of a marketing apparatus, and I'd like to spread the word to others about high-quality tooling which is free and/or open-source. Much less inclined to lend a hand to proprietary hyperscaler AI tools with 7-9 figure marketing budgets behind them.
I know I've mentioned valgrind in the commit when I used it to find bugs.
Same here. These tools (AFL, Valgrind, ASAN) can find bugs you would not easily be able to find yourself, and are likely to cause weird intermittent failures depending on environment. So it even makes sense to mention that the bug was found this way, because it's not a readily apparent problem, so it sort of explains why it needs to be fixed without having a concrete problem to point at right now.
I've mentioned both AFL and valgrind in bug write-ups. Maybe not in the title. But for both of those tools, when I was applying them to codebases that hadn't had much contact with them before, they were very fruitful sources of new bug reports, and I believe it was helpful to the team receiving them to know that.
Did they forget to test HAProxy, or is HAProxy once again not vulnerable to a widespread HTTP/2 vulnerability?
If it's the latter, I feel that this is further vindicating my use of HAProxy.
The post didn't explain why they notified nginx in April but waited until May to notify Apache. Does anyone know what this is about?
Given
For servers that cap the header-field count instead (Apache, Envoy), Cookie is the bypass
it might just be that they hadn't figured out how to get it working on Apache yet at the time of the report to nginx.
Good to know about a vulnerability that has been responsibly disclosed and already patched! I was getting ready to add the patch with Nix overrides.
As far as protocols go, even "proper" implementations of HTTP/1 and HTTP/2 are full of so many footguns. Is HTTP/3 any better?