cert-manager v1.4.3 + v1.3.3 Released!


Ashley Davis

Aug 6, 2021, 10:58:01 AM
to cert-manager-dev
Hi cert-manager-dev,

We've just released cert-manager `v1.4.3` and `v1.3.3` which fix a bug in the ACME HTTP-01 issuance workflow. We strongly recommend upgrading.

cert-manager attempts to check the "reachability" of an HTTP-01 challenge before it's actually verified by the configured ACME server. This involves making a request to the server hosting the challenge using the Go HTTP client.

In all supported versions of cert-manager prior to `v1.4.3` and `v1.3.3`, this reachability check had no timeout. That means that a malicious actor able to modify network traffic between cert-manager and the location where the challenge is being hosted would be able to indefinitely block the goroutine making the HTTP request, which could lead to a denial of service attack on the pod running cert-manager by forcing more and more goroutines to hang as they wait for their reachability check to complete.

We've now added a timeout to roughly match what Boulder - the Let's Encrypt validator - does.

This is low severity; the kinds of network access required to carry out this attack would allow denial of service anyway because the attacker could just block all traffic. Still, being able to create hanging goroutines is worse than network denial-of-service and you should upgrade.

This issue will of course also be fixed in cert-manager 1.5 when it's released!

Thanks,
Ashley
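To make the failure mode in the announcement concrete, here is an added example (not cert-manager's code, and not the actual patch) of an HTTP-01 reachability probe written with Go's `net/http` client. A `httptest` server that accepts the TCP connection but never writes a response stands in for the attacker who can tamper with traffic between cert-manager and the solver. With `http.Client{Timeout: 0}` (the zero value, i.e. the pre-fix behaviour) the probing goroutine would block on that server forever; with a positive `Timeout` every probe returns with a `net.Error` whose `Timeout()` is true, so concurrent probes all finish instead of piling up. The challenge path, token, key authorization, helper names and the timeout values are constructed for this illustration and are not taken from cert-manager or Boulder.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// Constructed stand-ins for an HTTP-01 token and its key authorization.
// Real values come from the ACME server; these are illustrative only.
const challengePath = "/.well-known/acme-challenge/example-token"
const keyAuthz = "example-token.example-thumbprint"

// newHealthyServer answers the challenge immediately, as a correctly
// configured solver would.
func newHealthyServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != challengePath {
			http.NotFound(w, r)
			return
		}
		fmt.Fprint(w, keyAuthz)
	}))
}

// newStalledServer models the attacker position described in the post: the
// TCP connection is accepted but no HTTP response ever arrives. The handler
// only returns once the client gives up and closes the connection, so a
// client without a timeout would sit here indefinitely.
func newStalledServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		<-r.Context().Done()
	}))
}

// probeChallenge is the reachability check. timeout == 0 reproduces the
// pre-fix behaviour (http.Client treats a zero Timeout as "no timeout");
// a positive value bounds dial, header wait and body read for the request.
func probeChallenge(base string, timeout time.Duration) error {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get(base + challengePath)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1024))
	if err != nil {
		return err
	}
	if resp.StatusCode != http.StatusOK || string(body) != keyAuthz {
		return fmt.Errorf("unexpected response: status %d body %q", resp.StatusCode, body)
	}
	return nil
}

// isTimeout reports whether the probe failed because the deadline fired,
// as opposed to a refused connection, wrong body, and so on.
func isTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// probeConcurrently runs n probes in parallel and returns how many timed
// out. With a bounded client every goroutine comes back; without one, each
// probe against a stalled host would be a goroutine that never exits.
func probeConcurrently(base string, n int, timeout time.Duration) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	timedOut := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if isTimeout(probeChallenge(base, timeout)) {
				mu.Lock()
				timedOut++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return timedOut
}

func main() {
	healthy := newHealthyServer()
	defer healthy.Close()
	stalled := newStalledServer()
	defer stalled.Close()

	fmt.Println("healthy probe:", probeChallenge(healthy.URL, 5*time.Second))
	fmt.Println("stalled probe:", probeChallenge(stalled.URL, 300*time.Millisecond))
	fmt.Println("stalled x10, timed out:", probeConcurrently(stalled.URL, 10, 300*time.Millisecond))
}
```

Passing `0` as the timeout to `probeChallenge(stalled.URL, 0)` is the pre-fix shape and will hang the caller, which is exactly why it is not exercised here; the point of the example is that the bounded variant returns for every goroutine, regardless of how many Challenges point at a host the attacker controls.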