Bug 2248209

Summary: golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: golang 1.21.3, golang 1.20.10
Doc Text:
A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol. A client can repeatedly request a new multiplexed stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server in setting up and tearing down the streams while never hitting the server-side limit on the maximum number of active streams per connection, resulting in a denial of service through server resource consumption. Red Hat has rated the severity of this flaw as 'Important' because the US Cybersecurity and Infrastructure Security Agency (CISA) has declared this vulnerability actively exploited. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
Bug Depends On: 2248218, 2248220, 2248221, 2248222, 2248223, 2248224, 2248225, 2248227, 2248228, 2248229, 2248230, 2248231, 2248232, 2248233, 2248235, 2248238, 2248217, 2248219, 2248226, 2248234, 2248236, 2248237, 2248239, 2248240, 2248241, 2248242, 2248243, 2248244, 2248245, 2248246, 2248247, 2248248, 2248249, 2248250, 2248251, 2248252, 2248253, 2248254, 2248255, 2248256, 2248257, 2248258, 2248259, 2248260, 2248261, 2248262, 2248263, 2248264, 2248265, 2248266, 2248267, 2248268, 2248269, 2248270, 2248271, 2248272, 2248273, 2248274, 2248275, 2248276, 2248277, 2248278, 2248279, 2248280, 2248281, 2248282, 2248283, 2248284, 2248285, 2248286, 2248287, 2248288, 2248289, 2248290, 2248291, 2248292, 2248293, 2248294, 2248295, 2248296, 2248297, 2248298, 2248299, 2248300, 2248301, 2248302, 2248303, 2248304, 2248305, 2248306, 2248307, 2248308, 2248309, 2248310, 2248311, 2248312, 2248314, 2248315, 2248316, 2248317, 2248318, 2248319, 2248320, 2248321, 2248322, 2248323, 2248324, 2248325, 2248326, 2248327, 2248328, 2248329, 2248330, 2248331, 2248332, 2248333, 2248334, 2248335, 2248336, 2248337, 2248338, 2248339, 2248340, 2248341, 2248342, 2248343, 2248344, 2248345, 2248346, 2248347, 2248348, 2248349, 2248350, 2248351, 2248352, 2248353, 2248354, 2248355, 2248356, 2248357, 2248358, 2248359, 2248360, 2248361, 2248363, 2248364, 2248366, 2248367, 2248368, 2248369, 2248370, 2248371, 2248372, 2248373, 2248374, 2248375, 2248376, 2248377, 2248378, 2248379, 2248380, 2248381, 2248382, 2248383, 2248384, 2248385, 2248386, 2248387, 2248388, 2248389, 2248390, 2248391, 2248392, 2248393, 2248394, 2248395, 2248396, 2248397, 2248398, 2248399, 2248400, 2248401, 2248402, 2248403, 2248404, 2248405, 2248406, 2248407, 2248408, 2248409, 2248410, 2248411, 2248412, 2248413, 2248414, 2248415, 2248416, 2248417    
Bug Blocks: 2243139    

Description Zack Miele 2023-11-06 20:42:51 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

This CVE is specific to golang, but is also tracked as CVE-2023-44487.

This flaw is a duplicate of 2243296. Please reference that BZ for the most up to date information.
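As an added illustration (not code from this bug report or from the Go project), a Go model of the per-connection accounting described above: the pre-fix counter bounds only streams the client keeps open, so open-then-reset cycles leave handler goroutines running well past MaxConcurrentStreams, while the hardened variant bounds executing handlers instead, in the spirit of the golang 1.21.3 / 1.20.10 fix. The type, field and function names (connState, rapidReset) are assumptions, and the model assumes the client always resets its most recently opened stream.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of one HTTP/2 connection's server-side stream accounting.
// It is an illustration of CVE-2023-39325 written for this page, not code from
// net/http or golang.org/x/net/http2; field names are hypothetical.
type connState struct {
	maxConcurrent int  // analogue of http2.Server.MaxConcurrentStreams
	hardened      bool // false: pre-fix accounting; true: bound executing handlers
	open          int  // streams the client has neither reset nor finished
	executing     int  // handler goroutines currently running
	queued        int  // hardened mode: streams waiting for a running handler to exit
}

var errRefused = errors.New("REFUSED_STREAM: MaxConcurrentStreams reached")

// openStream models a HEADERS frame that starts a new request stream.
func (c *connState) openStream() error {
	// The protocol-level limit only counts streams the client keeps open,
	// which is exactly what a reset-immediately client never exceeds.
	if c.open >= c.maxConcurrent {
		return errRefused
	}
	c.open++
	if c.hardened && c.executing >= c.maxConcurrent {
		// Hardened behaviour: never start another handler while maxConcurrent
		// are still running; the stream waits for a slot instead.
		c.queued++
		return nil
	}
	c.executing++
	return nil
}

// resetStream models RST_STREAM from the client on its newest stream.
// A handler that already started keeps running; a queued stream is dropped.
func (c *connState) resetStream() {
	c.open--
	if c.queued > 0 {
		c.queued--
	}
}

// handlerDone models a handler goroutine exiting; a queued stream takes its slot.
func (c *connState) handlerDone() {
	c.executing--
	if c.queued > 0 {
		c.queued--
		c.executing++
	}
}

// rapidReset drives n open-then-reset cycles with no handler finishing in
// between and returns how many handler goroutines the server is left running.
func rapidReset(c *connState, n int) (int, error) {
	for i := 0; i < n; i++ {
		if err := c.openStream(); err != nil {
			return c.executing, err
		}
		c.resetStream()
	}
	return c.executing, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		c := &connState{maxConcurrent: 100, hardened: hardened}
		n, err := rapidReset(c, 1000)
		fmt.Printf("hardened=%v executing=%d err=%v\n", hardened, n, err)
	}
}
```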

Comment 2 Zack Miele 2023-11-06 21:38:10 UTC
Created aerc tracking bugs for this issue:

Affects: fedora-all [bug 2248239]


Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2248217]


Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2248218]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2248219]


Created dnscrypt-proxy tracking bugs for this issue:

Affects: epel-all [bug 2248221]


Created dnscrypt-proxy2 tracking bugs for this issue:

Affects: epel-all [bug 2248220]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2248224]


Created golang-github-prometheus-alertmanager tracking bugs for this issue:

Affects: epel-all [bug 2248222]


Created golang-github-prometheus-node-exporter tracking bugs for this issue:

Affects: epel-all [bug 2248223]


Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-all [bug 2248225]


Created golang-x-net tracking bugs for this issue:

Affects: epel-all [bug 2248226]


Created golie tracking bugs for this issue:

Affects: epel-all [bug 2248227]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2248228]


Created micro tracking bugs for this issue:

Affects: epel-all [bug 2248229]


Created pack tracking bugs for this issue:

Affects: epel-all [bug 2248230]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2248231]


Created reg tracking bugs for this issue:

Affects: epel-all [bug 2248232]


Created restic tracking bugs for this issue:

Affects: epel-all [bug 2248233]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2248234]


Created snapd tracking bugs for this issue:

Affects: epel-all [bug 2248235]


Created syncthing tracking bugs for this issue:

Affects: epel-all [bug 2248236]


Created yggdrasil tracking bugs for this issue:

Affects: epel-all [bug 2248237]


Created yubihsm-connector tracking bugs for this issue:

Affects: epel-all [bug 2248238]

Comment 3 Zack Miele 2023-11-06 21:41:03 UTC
Created apache-cloudstack-cloudmonkey tracking bugs for this issue:

Affects: fedora-all [bug 2248240]


Created apptainer tracking bugs for this issue:

Affects: fedora-all [bug 2248241]


Created autorestic tracking bugs for this issue:

Affects: fedora-all [bug 2248242]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2248243]


Created butane tracking bugs for this issue:

Affects: fedora-all [bug 2248244]


Created caddy tracking bugs for this issue:

Affects: fedora-all [bug 2248245]


Created cadvisor tracking bugs for this issue:

Affects: fedora-all [bug 2248246]


Created clash tracking bugs for this issue:

Affects: fedora-all [bug 2248247]


Created conmon tracking bugs for this issue:

Affects: fedora-all [bug 2248248]


Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2248249]


Created containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 2248250]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248259]


Created cri-o:1.21/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248251]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248252]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248253]


Created cri-o:1.25/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248254]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248255]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248256]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248257]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248258]


Created cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248260]


Created delve tracking bugs for this issue:

Affects: fedora-all [bug 2248261]


Created direnv tracking bugs for this issue:

Affects: fedora-all [bug 2248262]


Created dnscrypt-proxy tracking bugs for this issue:

Affects: fedora-all [bug 2248263]

Comment 4 Zack Miele 2023-11-06 21:45:35 UTC
Created dnsx tracking bugs for this issue:

Affects: fedora-all [bug 2248264]


Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2248265]


Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 2248266]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2248267]


Created ffuf tracking bugs for this issue:

Affects: fedora-all [bug 2248268]


Created geoipupdate tracking bugs for this issue:

Affects: fedora-all [bug 2248269]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2248270]


Created git-credential-azure tracking bugs for this issue:

Affects: fedora-all [bug 2248271]


Created git-credential-oauth tracking bugs for this issue:

Affects: fedora-all [bug 2248272]


Created git-lfs tracking bugs for this issue:

Affects: fedora-all [bug 2248273]


Created gitjacker tracking bugs for this issue:

Affects: fedora-all [bug 2248274]


Created gitleaks tracking bugs for this issue:

Affects: fedora-all [bug 2248275]


Created gmailctl tracking bugs for this issue:

Affects: fedora-all [bug 2248276]


Created gobuster tracking bugs for this issue:

Affects: fedora-all [bug 2248277]


Created golang-github-aliyun-cli tracking bugs for this issue:

Affects: fedora-all [bug 2248278]


Created golang-github-aws-sdk-2-0.24 tracking bugs for this issue:

Affects: fedora-all [bug 2248279]


Created golang-github-bobesa-domain-util tracking bugs for this issue:

Affects: fedora-all [bug 2248280]


Created golang-github-cheekybits-genny tracking bugs for this issue:

Affects: fedora-all [bug 2248281]


Created golang-github-chromedp tracking bugs for this issue:

Affects: fedora-all [bug 2248282]


Created golang-github-cloudflare-cfssl tracking bugs for this issue:

Affects: fedora-all [bug 2248283]


Created golang-github-cockroachdb-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2248284]


Created golang-github-containerd-fuse-overlayfs-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2248285]


Created golang-github-cosmos72-gomacro tracking bugs for this issue:

Affects: fedora-all [bug 2248286]


Created golang-github-cucumber-godog tracking bugs for this issue:

Affects: fedora-all [bug 2248287]


Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2248288]


Created golang-github-deislabs-oras tracking bugs for this issue:

Affects: fedora-all [bug 2248289]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-all [bug 2248290]


Created golang-github-eclipse-paho-mqtt tracking bugs for this issue:

Affects: fedora-all [bug 2248291]


Created golang-github-envoyproxy-protoc-gen-validate tracking bugs for this issue:

Affects: fedora-all [bug 2248292]


Created golang-github-evanw-esbuild tracking bugs for this issue:

Affects: fedora-all [bug 2248293]


Created golang-github-facebook-time tracking bugs for this issue:

Affects: fedora-all [bug 2248294]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2248295]


Created golang-github-gobwas-ws tracking bugs for this issue:

Affects: fedora-all [bug 2248296]


Created golang-github-google-dap tracking bugs for this issue:

Affects: fedora-all [bug 2248297]


Created golang-github-google-pprof tracking bugs for this issue:

Affects: fedora-all [bug 2248298]


Created golang-github-googleapis-gnostic tracking bugs for this issue:

Affects: fedora-all [bug 2248300]


Created golang-github-googleapis-gnostic-0.4 tracking bugs for this issue:

Affects: fedora-all [bug 2248299]


Created golang-github-googlecloudplatform-cloudsql-proxy tracking bugs for this issue:

Affects: fedora-all [bug 2248301]


Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue:

Affects: fedora-all [bug 2248302]


Created golang-github-haproxytech-dataplaneapi tracking bugs for this issue:

Affects: fedora-all [bug 2248303]


Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-all [bug 2248304]


Created golang-github-hashicorp-msgpack tracking bugs for this issue:

Affects: fedora-all [bug 2248305]


Created golang-github-hub tracking bugs for this issue:

Affects: fedora-all [bug 2248306]


Created golang-github-instrumenta-kubeval tracking bugs for this issue:

Affects: fedora-all [bug 2248307]


Created golang-github-jsonnet-bundler tracking bugs for this issue:

Affects: fedora-all [bug 2248308]


Created golang-github-ledisdb tracking bugs for this issue:

Affects: fedora-all [bug 2248309]


Created golang-github-letsencrypt-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2248310]


Created golang-github-liamg-scout tracking bugs for this issue:

Affects: fedora-all [bug 2248311]


Created golang-github-mailru-easyjson tracking bugs for this issue:

Affects: fedora-all [bug 2248312]

Comment 5 Zack Miele 2023-11-06 21:53:18 UTC
Created golang-github-maruel-panicparse tracking bugs for this issue:

Affects: fedora-all [bug 2248314]


Created golang-github-mholt-certmagic-0.8 tracking bugs for this issue:

Affects: fedora-all [bug 2248315]


Created golang-github-moby-swarmkit-2 tracking bugs for this issue:

Affects: fedora-all [bug 2248316]


Created golang-github-mock tracking bugs for this issue:

Affects: fedora-all [bug 2248317]


Created golang-github-nats-io-streaming-server tracking bugs for this issue:

Affects: fedora-all [bug 2248318]


Created golang-github-niklasfasching-org tracking bugs for this issue:

Affects: fedora-all [bug 2248319]


Created golang-github-onsi-ginkgo-2 tracking bugs for this issue:

Affects: fedora-all [bug 2248320]


Created golang-github-opencontainers-runtime-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248321]


Created golang-github-openprinting-ipp-usb tracking bugs for this issue:

Affects: fedora-all [bug 2248322]


Created golang-github-pact-foundation tracking bugs for this issue:

Affects: fedora-all [bug 2248323]


Created golang-github-path-network-mmproxy tracking bugs for this issue:

Affects: fedora-all [bug 2248324]


Created golang-github-pelletier-toml tracking bugs for this issue:

Affects: fedora-all [bug 2248326]


Created golang-github-pelletier-toml-2 tracking bugs for this issue:

Affects: fedora-all [bug 2248325]


Created golang-github-pgaskin-koboutils tracking bugs for this issue:

Affects: fedora-all [bug 2248327]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2248328]


Created golang-github-prometheus-alertmanager tracking bugs for this issue:

Affects: fedora-all [bug 2248329]


Created golang-github-prometheus-client-0.9 tracking bugs for this issue:

Affects: fedora-all [bug 2248330]


Created golang-github-prometheus-prom2json tracking bugs for this issue:

Affects: fedora-all [bug 2248331]


Created golang-github-quay-clair-4 tracking bugs for this issue:

Affects: fedora-all [bug 2248332]


Created golang-github-quay-claircore tracking bugs for this issue:

Affects: fedora-all [bug 2248333]


Created golang-github-rogpeppe-internal tracking bugs for this issue:

Affects: fedora-all [bug 2248334]


Created golang-github-rubenv-sql-migrate tracking bugs for this issue:

Affects: fedora-all [bug 2248335]


Created golang-github-schollz-croc tracking bugs for this issue:

Affects: fedora-all [bug 2248336]


Created golang-github-shopify-sarama tracking bugs for this issue:

Affects: fedora-all [bug 2248337]


Created golang-github-skynetservices-skydns tracking bugs for this issue:

Affects: fedora-all [bug 2248338]


Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2248339]


Created golang-github-tdewolff-minify tracking bugs for this issue:

Affects: fedora-all [bug 2248340]


Created golang-github-temoto-robotstxt tracking bugs for this issue:

Affects: fedora-all [bug 2248341]


Created golang-github-tenox7-wrp tracking bugs for this issue:

Affects: fedora-all [bug 2248342]


Created golang-github-valyala-fasthttp tracking bugs for this issue:

Affects: fedora-all [bug 2248343]


Created golang-github-zmap-zcertificate tracking bugs for this issue:

Affects: fedora-all [bug 2248344]


Created golang-github-zmap-zlint tracking bugs for this issue:

Affects: fedora-all [bug 2248345]


Created golang-google-grpc tracking bugs for this issue:

Affects: fedora-all [bug 2248346]


Created golang-gopkg-src-d-git-4 tracking bugs for this issue:

Affects: fedora-all [bug 2248347]


Created golang-gvisor tracking bugs for this issue:

Affects: fedora-all [bug 2248348]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2248349]


Created golang-honnef-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248350]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2248351]


Created golang-k8s-code-generator tracking bugs for this issue:

Affects: fedora-all [bug 2248352]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2248353]


Created golang-k8s-kube-openapi tracking bugs for this issue:

Affects: fedora-all [bug 2248354]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-all [bug 2248355]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2248356]


Created golang-k8s-sample-controller tracking bugs for this issue:

Affects: fedora-all [bug 2248357]


Created golang-mongodb-mongo-driver tracking bugs for this issue:

Affects: fedora-all [bug 2248358]


Created golang-opentelemetry-contrib-0.20 tracking bugs for this issue:

Affects: fedora-all [bug 2248359]


Created golang-oras tracking bugs for this issue:

Affects: fedora-all [bug 2248360]


Created golang-sigs-k8s-application tracking bugs for this issue:

Affects: fedora-all [bug 2248361]


Created golang-sigs-k8s-aws-iam-authenticator tracking bugs for this issue:

Affects: fedora-all [bug 2248363]


Created golang-sr-emersion-gqlclient tracking bugs for this issue:

Affects: fedora-all [bug 2248364]

Comment 6 Zack Miele 2023-11-06 21:59:46 UTC
Created OliveTin tracking bugs for this issue:

Affects: fedora-all [bug 2248396]


Created golang-storj-drpc tracking bugs for this issue:

Affects: fedora-all [bug 2248366]


Created golang-uber-mock tracking bugs for this issue:

Affects: fedora-all [bug 2248367]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2248368]


Created golang-x-mobile tracking bugs for this issue:

Affects: fedora-all [bug 2248369]


Created golang-x-mod tracking bugs for this issue:

Affects: fedora-all [bug 2248370]


Created golang-x-net tracking bugs for this issue:

Affects: fedora-all [bug 2248371]


Created golang-x-perf tracking bugs for this issue:

Affects: fedora-all [bug 2248372]


Created golang-x-text tracking bugs for this issue:

Affects: fedora-all [bug 2248373]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248374]


Created golie tracking bugs for this issue:

Affects: fedora-all [bug 2248375]


Created google-guest-agent tracking bugs for this issue:

Affects: fedora-all [bug 2248376]


Created google-osconfig-agent tracking bugs for this issue:

Affects: fedora-all [bug 2248377]


Created gopass tracking bugs for this issue:

Affects: fedora-all [bug 2248380]


Created gopass-hibp tracking bugs for this issue:

Affects: fedora-all [bug 2248378]


Created gopass-jsonapi tracking bugs for this issue:

Affects: fedora-all [bug 2248379]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2248382]


Created grafana-pcp tracking bugs for this issue:

Affects: fedora-all [bug 2248381]


Created grpcurl tracking bugs for this issue:

Affects: fedora-all [bug 2248383]


Created gvisor-tap-vsock tracking bugs for this issue:

Affects: fedora-all [bug 2248384]


Created hcloud tracking bugs for this issue:

Affects: fedora-all [bug 2248385]


Created htmltest tracking bugs for this issue:

Affects: fedora-all [bug 2248386]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2248387]


Created hut tracking bugs for this issue:

Affects: fedora-all [bug 2248388]


Created ignition tracking bugs for this issue:

Affects: fedora-all [bug 2248389]


Created kitty tracking bugs for this issue:

Affects: fedora-all [bug 2248390]


Created micro tracking bugs for this issue:

Affects: fedora-all [bug 2248391]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2248392]


Created mqttcli tracking bugs for this issue:

Affects: fedora-all [bug 2248393]


Created nats-server tracking bugs for this issue:

Affects: fedora-all [bug 2248394]


Created nebula tracking bugs for this issue:

Affects: fedora-all [bug 2248395]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2248397]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2248398]


Created pack tracking bugs for this issue:

Affects: fedora-all [bug 2248399]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2248401]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2248400]


Created prometheus-podman-exporter tracking bugs for this issue:

Affects: fedora-all [bug 2248402]


Created rclone tracking bugs for this issue:

Affects: fedora-all [bug 2248403]


Created reg tracking bugs for this issue:

Affects: fedora-all [bug 2248404]


Created reposurgeon tracking bugs for this issue:

Affects: fedora-all [bug 2248405]


Created restic tracking bugs for this issue:

Affects: fedora-all [bug 2248406]


Created singularity-ce tracking bugs for this issue:

Affects: fedora-all [bug 2248407]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2248408]


Created snapd tracking bugs for this issue:

Affects: fedora-all [bug 2248409]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2248410]


Created suseconnect-ng tracking bugs for this issue:

Affects: fedora-all [bug 2248411]

Comment 7 Zack Miele 2023-11-06 22:00:59 UTC
Created syncthing tracking bugs for this issue:

Affects: fedora-all [bug 2248412]


Created tinygo tracking bugs for this issue:

Affects: fedora-all [bug 2248413]


Created vultr-cli tracking bugs for this issue:

Affects: fedora-all [bug 2248414]


Created xq tracking bugs for this issue:

Affects: fedora-all [bug 2248415]


Created yggdrasil tracking bugs for this issue:

Affects: fedora-all [bug 2248416]


Created yubihsm-connector tracking bugs for this issue:

Affects: fedora-all [bug 2248417]