data/reports/GO-2023-2102.yaml - vulndb - Git at Google

 id: GO-2023-2102
 modules:
     - module: std
       versions:
         - fixed: 1.20.10
         - introduced: 1.21.0-0
           fixed: 1.21.3
       vulnerable_at: 1.21.2
       packages:
         - package: net/http
           symbols:
             - http2serverConn.serve
             - http2serverConn.processHeaders
             - http2serverConn.upgradeRequest
             - http2serverConn.runHandler
           derived_symbols:
             - ListenAndServe
             - ListenAndServeTLS
             - Serve
             - ServeTLS
             - Server.ListenAndServe
             - Server.ListenAndServeTLS
             - Server.Serve
             - Server.ServeTLS
             - http2Server.ServeConn
     - module: golang.org/x/net
       versions:
         - fixed: 0.17.0
       vulnerable_at: 0.16.0
       packages:
         - package: golang.org/x/net/http2
           symbols:
             - serverConn.serve
             - serverConn.processHeaders
             - serverConn.upgradeRequest
             - serverConn.runHandler
           derived_symbols:
             - Server.ServeConn
 summary: HTTP/2 rapid reset can cause excessive work in net/http
 description: |-
     A malicious HTTP/2 client which rapidly creates requests and immediately resets
     them can cause excessive server resource consumption. While the total number of
     requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting
     an in-progress request allows the attacker to create a new request while the
     existing one is still executing.

     With the fix applied, HTTP/2 servers now bound the number of simultaneously
     executing handler goroutines to the stream concurrency limit
     (MaxConcurrentStreams). New requests arriving when at the limit (which can only
     happen after the client has reset an existing, in-flight request) will be queued
     until a handler exits. If the request queue grows too large, the server will
     terminate the connection.

     This issue is also fixed in golang.org/x/net/http2 for users manually
     configuring HTTP/2.

     The default stream concurrency limit is 250 streams (requests) per HTTP/2
     connection. This value may be adjusted using the golang.org/x/net/http2 package;
     see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
 cves:
     - CVE-2023-44487
 ghsas:
     - GHSA-4374-p667-p6c8
 references:
     - report: https://go.dev/issue/63417
     - fix: https://go.dev/cl/534215
     - fix: https://go.dev/cl/534235
     - web: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ
 cve_metadata:
     id: CVE-2023-39325
     cwe: 'CWE-400: Uncontrolled Resource Consumption'
     references:
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
         - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
	id: GO-2023-2102
	modules:
	- module: std
	versions:
	- fixed: 1.20.10
	- introduced: 1.21.0-0
	fixed: 1.21.3
	vulnerable_at: 1.21.2
	packages:
	- package: net/http
	symbols:
	- http2serverConn.serve
	- http2serverConn.processHeaders
	- http2serverConn.upgradeRequest
	- http2serverConn.runHandler
	derived_symbols:
	- ListenAndServe
	- ListenAndServeTLS
	- Serve
	- ServeTLS
	- Server.ListenAndServe
	- Server.ListenAndServeTLS
	- Server.Serve
	- Server.ServeTLS
	- http2Server.ServeConn
	- module: golang.org/x/net
	versions:
	- fixed: 0.17.0
	vulnerable_at: 0.16.0
	packages:
	- package: golang.org/x/net/http2
	symbols:
	- serverConn.serve
	- serverConn.processHeaders
	- serverConn.upgradeRequest
	- serverConn.runHandler
	derived_symbols:
	- Server.ServeConn
	summary: HTTP/2 rapid reset can cause excessive work in net/http
	description: \|-
	A malicious HTTP/2 client which rapidly creates requests and immediately resets
	them can cause excessive server resource consumption. While the total number of
	requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting
	an in-progress request allows the attacker to create a new request while the
	existing one is still executing.

	With the fix applied, HTTP/2 servers now bound the number of simultaneously
	executing handler goroutines to the stream concurrency limit
	(MaxConcurrentStreams). New requests arriving when at the limit (which can only
	happen after the client has reset an existing, in-flight request) will be queued
	until a handler exits. If the request queue grows too large, the server will
	terminate the connection.

	This issue is also fixed in golang.org/x/net/http2 for users manually
	configuring HTTP/2.

	The default stream concurrency limit is 250 streams (requests) per HTTP/2
	connection. This value may be adjusted using the golang.org/x/net/http2 package;
	see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
	cves:
	- CVE-2023-44487
	ghsas:
	- GHSA-4374-p667-p6c8
	references:
	- report: https://go.dev/issue/63417
	- fix: https://go.dev/cl/534215
	- fix: https://go.dev/cl/534235
	- web: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ
	cve_metadata:
	id: CVE-2023-39325
	cwe: 'CWE-400: Uncontrolled Resource Consumption'
	references:
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
	- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/