| id: GO-2023-2102 |
| modules: |
| - module: std |
| versions: |
| - fixed: 1.20.10 |
| - introduced: 1.21.0-0 |
| fixed: 1.21.3 |
| vulnerable_at: 1.21.2 |
| packages: |
| - package: net/http |
| symbols: |
| - http2serverConn.serve |
| - http2serverConn.processHeaders |
| - http2serverConn.upgradeRequest |
| - http2serverConn.runHandler |
| derived_symbols: |
| - ListenAndServe |
| - ListenAndServeTLS |
| - Serve |
| - ServeTLS |
| - Server.ListenAndServe |
| - Server.ListenAndServeTLS |
| - Server.Serve |
| - Server.ServeTLS |
| - http2Server.ServeConn |
| - module: golang.org/x/net |
| versions: |
| - fixed: 0.17.0 |
| vulnerable_at: 0.16.0 |
| packages: |
| - package: golang.org/x/net/http2 |
| symbols: |
| - serverConn.serve |
| - serverConn.processHeaders |
| - serverConn.upgradeRequest |
| - serverConn.runHandler |
| derived_symbols: |
| - Server.ServeConn |
| summary: HTTP/2 rapid reset can cause excessive work in net/http |
| description: |- |
| A malicious HTTP/2 client which rapidly creates requests and immediately resets |
| them can cause excessive server resource consumption. While the total number of |
| requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting |
| an in-progress request allows the attacker to create a new request while the |
| existing one is still executing. |
| |
| With the fix applied, HTTP/2 servers now bound the number of simultaneously |
| executing handler goroutines to the stream concurrency limit |
| (MaxConcurrentStreams). New requests arriving when at the limit (which can only |
| happen after the client has reset an existing, in-flight request) will be queued |
| until a handler exits. If the request queue grows too large, the server will |
| terminate the connection. |
| |
| This issue is also fixed in golang.org/x/net/http2 for users manually |
| configuring HTTP/2. |
| |
| The default stream concurrency limit is 250 streams (requests) per HTTP/2 |
| connection. This value may be adjusted using the golang.org/x/net/http2 package; |
| see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
| ghsas: |
| - GHSA-4374-p667-p6c8 |
| related: |
| - CVE-2023-44487 |
| references: |
| - report: https://go.dev/issue/63417 |
| - fix: https://go.dev/cl/534215 |
| - fix: https://go.dev/cl/534235 |
| - web: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ |
| cve_metadata: |
| id: CVE-2023-39325 |
| cwe: 'CWE-400: Uncontrolled Resource Consumption' |
| references: |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/ |
| - https://security.netapp.com/advisory/ntap-20231110-0008/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/ |
| - https://security.gentoo.org/glsa/202311-09 |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/ |
| - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/ |
| review_status: REVIEWED |