CVE-2022-31028: 
MinIO vulnerability analysis and mitigation

MinIO, a multi-cloud object storage solution, was found to be vulnerable to an unending go-routine buildup while keeping connections established due to HTTP clients not closing the connections. This vulnerability affects versions from RELEASE.2019-09-25T18-25-51Z to RELEASE.2022-06-02T02-11-04Z. The vulnerability was particularly impactful for public-facing MinIO deployments (GitHub Advisory, Debian Tracker).

The vulnerability stems from a lack of proper timeout controls in the HTTP connection handling, which could lead to connection buildup and resource exhaustion. The issue was demonstrated through a proof-of-concept code that could establish and maintain multiple connections without proper closure. The fix implemented two crucial timeouts: IdleTimeout to kill off idle connections and ReadHeaderTimeout to terminate connections that are too slow (MinIO PR).

The vulnerability could be exploited to perform denial of service attacks against MinIO deployments, causing the entire service to become unavailable. Public-facing deployments were particularly vulnerable to this attack. The continuous connection buildup would eventually cause all incoming API calls to slow down or become unresponsive, potentially requiring service restart (GitHub Advisory).

The primary mitigation is to upgrade to MinIO version RELEASE.2022-06-02T02-11-04Z or later, which includes the security patch. For those unable to upgrade immediately, a recommended workaround is to implement a reverse proxy in front of MinIO to limit the number of connections and actively reject connections from potentially malicious clients (GitHub Advisory).