Fluid Attacks Database

Description

net/http, x/net/http2: close connections when receiving too many headers An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	golang-golang-x-net	=1:0.0+git20210119.5f4716e+dfsg-4 \|\| =1:0.0+git20210805.aaa1db6+dfsg-1 \|\| =1:0.0+git20211209.491a49a+dfsg-1 \|\| =1:0.0+git20211209.491a49a+dfsg-1~bpo11+1 \|\| =1:0.0+git20220225.27dd868+dfsg-1 \|\| =1:0.0+git20220531.c960675+dfsg-1 \|\| =1:0.0+git20220624.1bab6f3+dfsg-1 \|\| =1:0.0+git20220728.c7608f3+dfsg-1 \|\| =1:0.0+git20220728.c7608f3+dfsg-2 \|\| =1:0.0+git20220728.c7608f3+dfsg-2~bpo11+1 \|\| =1:0.0+git20221012.0b7e1fb+dfsg-1 \|\| =1:0.0+git20221012.0b7e1fb+dfsg-1~bpo11+1 \|\| =1:0.1.0+dfsg-1 \|\| =1:0.10.0-1 \|\| =1:0.11.0-1 \|\| =1:0.14.0-1 \|\| =1:0.15.0-1 \|\| =1:0.15.0-2 \|\| =1:0.17.0+dfsg-1 \|\| =1:0.19.0+dfsg-1 \|\| =1:0.20.0+dfsg-1 \|\| =1:0.21.0+dfsg-1 \|\| =1:0.22.0+dfsg-1 \|\| =1:0.23.0+dfsg-1 \|\| =1:0.24.0+dfsg-1 \|\| =1:0.25.0+dfsg-1 \|\| =1:0.26.0+dfsg-1 \|\| =1:0.26.0+dfsg-2 \|\| =1:0.27.0-1 \|\| =1:0.27.0-2 \|\| =1:0.4.0+dfsg-1 \|\| =1:0.47.0-1 \|\| =1:0.47.0-2 \|\| =1:0.53.0-1 \|\| =1:0.53.0-2 \|\| =1:0.7.0+dfsg-1	-
go	golang.org/x/net	>=0 <0.23.0	0.23.0
go	net/http	>=0 <1.21.9 \|\| >=1.22.0-0 <1.22.2	1.21.9, 1.22.2
debian 11	golang-1.15	=1.15.15-1 \|\| =1.15.15-1~deb11u1 \|\| =1.15.15-1~deb11u2 \|\| =1.15.15-1~deb11u3 \|\| =1.15.15-1~deb11u4 \|\| =1.15.15-2 \|\| =1.15.15-3 \|\| =1.15.15-4 \|\| =1.15.15-5 \|\| =1.15.9-6	-
debian 12	golang-1.19	=1.19.10-1 \|\| =1.19.10-2 \|\| =1.19.11-1 \|\| =1.19.12-1 \|\| =1.19.12-2 \|\| =1.19.12-2~bpo11+1 \|\| =1.19.12-2~bpo12+1 \|\| =1.19.13-1 \|\| =1.19.13-1~bpo11+1 \|\| =1.19.13-1~bpo12+1 \|\| =1.19.8-2 \|\| =1.19.9-1	-
debian 12	golang-golang-x-net	=1:0.10.0-1 \|\| =1:0.11.0-1 \|\| =1:0.14.0-1 \|\| =1:0.15.0-1 \|\| =1:0.15.0-2 \|\| =1:0.17.0+dfsg-1 \|\| =1:0.19.0+dfsg-1 \|\| =1:0.20.0+dfsg-1 \|\| =1:0.21.0+dfsg-1 \|\| =1:0.22.0+dfsg-1 \|\| =1:0.23.0+dfsg-1 \|\| =1:0.24.0+dfsg-1 \|\| =1:0.25.0+dfsg-1 \|\| =1:0.26.0+dfsg-1 \|\| =1:0.26.0+dfsg-2 \|\| =1:0.27.0-1 \|\| =1:0.27.0-2 \|\| =1:0.47.0-1 \|\| =1:0.47.0-2 \|\| =1:0.53.0-1 \|\| =1:0.53.0-2 \|\| =1:0.7.0+dfsg-1	-
debian 13	golang-golang-x-net	>=0 <1:0.23.0+dfsg-	1:0.23.0+dfsg-
debian 14	golang-golang-x-net	>=0 <1:0.23.0+dfsg-	1:0.23.0+dfsg-
go	stdlib	>=0 <1.21.9	1.21.9
go	golang.org/x/net/http2	>=0 <0.23.0	0.23.0

1-10 of 21

Aliases

1. CVE-2023-452882. NVD-2023-452883. OSV-DEBIAN-2023-452884. OSV-2023-452885. OSV-GO-2024-26876. GCVE-2023-452887. SECURITY-TRACKER-CVE-2023-45288

References

1. https://github.com/hex0punk/cont-flood-poc2. https://go.dev/cl/5761553. https://go.dev/issue/650514. https://groups.google.com/g/golang-announce/c/YgW0sx8mN3M5. https://lists.fedoraproject.org/archives/list/[email protected]/message/QRYFHIQ6XRKRYBI2F5UESH67BJBQXUPT6. https://nowotarski.info/http2-continuation-flood-technical-details7. https://pkg.go.dev/vuln/GO-2024-26878. https://security.netapp.com/advisory/ntap-20240419-00099. https://www.kb.cert.org/vuls/id/42164410. http://www.openwall.com/lists/oss-security/2024/04/03/1611. http://www.openwall.com/lists/oss-security/2024/04/05/4