Bug 2248209 - golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325)
Keywords:
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high (priority) / high (severity)
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2248218 2248220 2248221 2248222 2248223 2248224 2248225 2248227 2248228 2248229 2248230 2248231 2248232 2248233 2248235 2248238 2248217 2248219 2248226 2248234 2248236 2248237 2248239 2248240 2248241 2248242 2248243 2248244 2248245 2248246 2248247 2248248 2248249 2248250 2248251 2248252 2248253 2248254 2248255 2248256 2248257 2248258 2248259 2248260 2248261 2248262 2248263 2248264 2248265 2248266 2248267 2248268 2248269 2248270 2248271 2248272 2248273 2248274 2248275 2248276 2248277 2248278 2248279 2248280 2248281 2248282 2248283 2248284 2248285 2248286 2248287 2248288 2248289 2248290 2248291 2248292 2248293 2248294 2248295 2248296 2248297 2248298 2248299 2248300 2248301 2248302 2248303 2248304 2248305 2248306 2248307 2248308 2248309 2248310 2248311 2248312 2248314 2248315 2248316 2248317 2248318 2248319 2248320 2248321 2248322 2248323 2248324 2248325 2248326 2248327 2248328 2248329 2248330 2248331 2248332 2248333 2248334 2248335 2248336 2248337 2248338 2248339 2248340 2248341 2248342 2248343 2248344 2248345 2248346 2248347 2248348 2248349 2248350 2248351 2248352 2248353 2248354 2248355 2248356 2248357 2248358 2248359 2248360 2248361 2248363 2248364 2248366 2248367 2248368 2248369 2248370 2248371 2248372 2248373 2248374 2248375 2248376 2248377 2248378 2248379 2248380 2248381 2248382 2248383 2248384 2248385 2248386 2248387 2248388 2248389 2248390 2248391 2248392 2248393 2248394 2248395 2248396 2248397 2248398 2248399 2248400 2248401 2248402 2248403 2248404 2248405 2248406 2248407 2248408 2248409 2248410 2248411 2248412 2248413 2248414 2248415 2248416 2248417
Blocks: 2243139
Reported: 2023-11-06 20:42 UTC by Zack Miele
Modified: 2023-11-06 22:02 UTC
CC List: 0 users

Fixed In Version: golang 1.21.3, golang 1.20.10
Doc Type: ---
Doc Text:
A flaw was found in the handling of multiplexed streams in the HTTP/2 protocol. A client can repeatedly request a new multiplexed stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server, which sets up and tears down each stream, while never reaching the server-side limit on the maximum number of active streams per connection; the result is a denial of service through server resource consumption. Red Hat has rated the severity of this flaw as 'Important' because the US Cybersecurity and Infrastructure Security Agency (CISA) has reported that this vulnerability is being actively exploited. CVE-2023-39325 was assigned to the `Rapid Reset Attack` as it affects the Go language packages.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Zack Miele 2023-11-06 20:42:51 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

This CVE is specific to golang, but is also tracked as CVE-2023-44487.

This flaw is a duplicate of 2243296. Please reference that BZ for the most up-to-date information.
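
The accounting the description above refers to, modelled as an added Go example that is not part of this bug report and not the Go standard library's own code: a pre-fix connection that frees a stream slot on RST_STREAM while the handler started for that stream keeps running, beside a connection that bounds running handlers the way the Go 1.21.3 / 1.20.10 release notes describe the mitigation (handlers capped at MaxConcurrentStreams, excess requests queued until a handler exits, and an oversized queue closing the connection). The `frame` type, the constants and the queue bound are assumptions of this model; `MaxConcurrentStreams` is the http2.Server setting named in the description.

```go
package main

import (
	"errors"
	"fmt"
)

// maxConcurrentStreams stands in for http2.Server.MaxConcurrentStreams; the
// value is chosen for this model. maxQueued is this model's assumed bound on
// queued requests before the connection is closed, not a value from Go itself.
const (
	maxConcurrentStreams = 100
	maxQueued            = maxConcurrentStreams
)

// frame is a simplified client frame: HEADERS opens a stream, RST_STREAM
// cancels it. Constructed for this model; real frames carry much more.
type frame struct {
	kind     string
	streamID uint32
}

// vulnerableConn models the pre-fix accounting: only open streams count
// against the limit, and RST_STREAM releases the slot at once even though
// the handler for that stream is still running.
type vulnerableConn struct {
	openStreams     int
	runningHandlers int
}

func (c *vulnerableConn) handle(f frame) error {
	switch f.kind {
	case "HEADERS":
		if c.openStreams >= maxConcurrentStreams {
			return errors.New("stream limit exceeded")
		}
		c.openStreams++
		c.runningHandlers++ // a handler goroutine starts for the request
	case "RST_STREAM":
		c.openStreams-- // slot freed immediately; the handler keeps running
	}
	return nil
}

// fixedConn models the mitigation: running handlers are bounded by
// MaxConcurrentStreams, requests arriving at the limit are queued until a
// handler exits, and a queue past maxQueued closes the connection.
type fixedConn struct {
	runningHandlers int
	queued          int
	closed          bool
}

func (c *fixedConn) handle(f frame) error {
	if c.closed {
		return errors.New("connection closed")
	}
	switch f.kind {
	case "HEADERS":
		if c.runningHandlers < maxConcurrentStreams {
			c.runningHandlers++
			return nil
		}
		if c.queued >= maxQueued {
			c.closed = true
			return errors.New("request queue full: closing connection")
		}
		c.queued++
	case "RST_STREAM":
		// A reset frees nothing: the handler still runs and still counts.
	}
	return nil
}

// handlerDone simulates one handler returning: its slot is freed and the
// next queued request, if any, is admitted.
func (c *fixedConn) handlerDone() {
	if c.runningHandlers > 0 {
		c.runningHandlers--
	}
	if c.queued > 0 {
		c.queued--
		c.runningHandlers++
	}
}

// rapidResetBurst builds n HEADERS/RST_STREAM pairs on successive odd
// (client-initiated) stream ids, the pattern the description refers to.
func rapidResetBurst(n int) []frame {
	frames := make([]frame, 0, 2*n)
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		frames = append(frames, frame{"HEADERS", id}, frame{"RST_STREAM", id})
	}
	return frames
}

// runVulnerable feeds n reset pairs to the pre-fix model and returns how many
// handlers are running afterwards: the stream limit is never hit.
func runVulnerable(n int) (int, error) {
	c := &vulnerableConn{}
	for _, f := range rapidResetBurst(n) {
		if err := c.handle(f); err != nil {
			return c.runningHandlers, err
		}
	}
	return c.runningHandlers, nil
}

// runFixed feeds the same burst to the fixed model and returns its final state.
func runFixed(n int) (running, queued int, closed bool) {
	c := &fixedConn{}
	for _, f := range rapidResetBurst(n) {
		if err := c.handle(f); err != nil {
			break
		}
	}
	return c.runningHandlers, c.queued, c.closed
}

func main() {
	running, err := runVulnerable(1000)
	fmt.Printf("pre-fix: %d handlers running, err=%v\n", running, err)
	r, q, closed := runFixed(1000)
	fmt.Printf("fixed: %d running, %d queued, closed=%v\n", r, q, closed)
}
```

The point of the model is the second counter: in the pre-fix accounting a thousand reset pairs leave a thousand handlers running without ever touching the stream limit, while the fixed accounting admits at most `maxConcurrentStreams` handlers, queues the rest, and drops the connection once the queue itself is exhausted. When checking a deployment, the binding fact is therefore the Go toolchain a binary was built with (fixed in 1.21.3 and 1.20.10 per the Fixed In Version field), not the MaxConcurrentStreams value configured on the server.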

Comment 2 Zack Miele 2023-11-06 21:38:10 UTC
Created aerc tracking bugs for this issue:

Affects: fedora-all [bug 2248239]


Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2248217]


Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2248218]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2248219]


Created dnscrypt-proxy tracking bugs for this issue:

Affects: epel-all [bug 2248221]


Created dnscrypt-proxy2 tracking bugs for this issue:

Affects: epel-all [bug 2248220]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2248224]


Created golang-github-prometheus-alertmanager tracking bugs for this issue:

Affects: epel-all [bug 2248222]


Created golang-github-prometheus-node-exporter tracking bugs for this issue:

Affects: epel-all [bug 2248223]


Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-all [bug 2248225]


Created golang-x-net tracking bugs for this issue:

Affects: epel-all [bug 2248226]


Created golie tracking bugs for this issue:

Affects: epel-all [bug 2248227]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2248228]


Created micro tracking bugs for this issue:

Affects: epel-all [bug 2248229]


Created pack tracking bugs for this issue:

Affects: epel-all [bug 2248230]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2248231]


Created reg tracking bugs for this issue:

Affects: epel-all [bug 2248232]


Created restic tracking bugs for this issue:

Affects: epel-all [bug 2248233]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2248234]


Created snapd tracking bugs for this issue:

Affects: epel-all [bug 2248235]


Created syncthing tracking bugs for this issue:

Affects: epel-all [bug 2248236]


Created yggdrasil tracking bugs for this issue:

Affects: epel-all [bug 2248237]


Created yubihsm-connector tracking bugs for this issue:

Affects: epel-all [bug 2248238]

Comment 3 Zack Miele 2023-11-06 21:41:03 UTC
Created apache-cloudstack-cloudmonkey tracking bugs for this issue:

Affects: fedora-all [bug 2248240]


Created apptainer tracking bugs for this issue:

Affects: fedora-all [bug 2248241]


Created autorestic tracking bugs for this issue:

Affects: fedora-all [bug 2248242]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2248243]


Created butane tracking bugs for this issue:

Affects: fedora-all [bug 2248244]


Created caddy tracking bugs for this issue:

Affects: fedora-all [bug 2248245]


Created cadvisor tracking bugs for this issue:

Affects: fedora-all [bug 2248246]


Created clash tracking bugs for this issue:

Affects: fedora-all [bug 2248247]


Created conmon tracking bugs for this issue:

Affects: fedora-all [bug 2248248]


Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2248249]


Created containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 2248250]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248259]


Created cri-o:1.21/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248251]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248252]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248253]


Created cri-o:1.25/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248254]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248255]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248256]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2248257]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248258]


Created cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248260]


Created delve tracking bugs for this issue:

Affects: fedora-all [bug 2248261]


Created direnv tracking bugs for this issue:

Affects: fedora-all [bug 2248262]


Created dnscrypt-proxy tracking bugs for this issue:

Affects: fedora-all [bug 2248263]

Comment 4 Zack Miele 2023-11-06 21:45:35 UTC
Created dnsx tracking bugs for this issue:

Affects: fedora-all [bug 2248264]


Created doctl tracking bugs for this issue:

Affects: fedora-all [bug 2248265]


Created etcd tracking bugs for this issue:

Affects: fedora-all [bug 2248266]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2248267]


Created ffuf tracking bugs for this issue:

Affects: fedora-all [bug 2248268]


Created geoipupdate tracking bugs for this issue:

Affects: fedora-all [bug 2248269]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2248270]


Created git-credential-azure tracking bugs for this issue:

Affects: fedora-all [bug 2248271]


Created git-credential-oauth tracking bugs for this issue:

Affects: fedora-all [bug 2248272]


Created git-lfs tracking bugs for this issue:

Affects: fedora-all [bug 2248273]


Created gitjacker tracking bugs for this issue:

Affects: fedora-all [bug 2248274]


Created gitleaks tracking bugs for this issue:

Affects: fedora-all [bug 2248275]


Created gmailctl tracking bugs for this issue:

Affects: fedora-all [bug 2248276]


Created gobuster tracking bugs for this issue:

Affects: fedora-all [bug 2248277]


Created golang-github-aliyun-cli tracking bugs for this issue:

Affects: fedora-all [bug 2248278]


Created golang-github-aws-sdk-2-0.24 tracking bugs for this issue:

Affects: fedora-all [bug 2248279]


Created golang-github-bobesa-domain-util tracking bugs for this issue:

Affects: fedora-all [bug 2248280]


Created golang-github-cheekybits-genny tracking bugs for this issue:

Affects: fedora-all [bug 2248281]


Created golang-github-chromedp tracking bugs for this issue:

Affects: fedora-all [bug 2248282]


Created golang-github-cloudflare-cfssl tracking bugs for this issue:

Affects: fedora-all [bug 2248283]


Created golang-github-cockroachdb-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2248284]


Created golang-github-containerd-fuse-overlayfs-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2248285]


Created golang-github-cosmos72-gomacro tracking bugs for this issue:

Affects: fedora-all [bug 2248286]


Created golang-github-cucumber-godog tracking bugs for this issue:

Affects: fedora-all [bug 2248287]


Created golang-github-deepmap-oapi-codegen tracking bugs for this issue:

Affects: fedora-all [bug 2248288]


Created golang-github-deislabs-oras tracking bugs for this issue:

Affects: fedora-all [bug 2248289]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-all [bug 2248290]


Created golang-github-eclipse-paho-mqtt tracking bugs for this issue:

Affects: fedora-all [bug 2248291]


Created golang-github-envoyproxy-protoc-gen-validate tracking bugs for this issue:

Affects: fedora-all [bug 2248292]


Created golang-github-evanw-esbuild tracking bugs for this issue:

Affects: fedora-all [bug 2248293]


Created golang-github-facebook-time tracking bugs for this issue:

Affects: fedora-all [bug 2248294]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2248295]


Created golang-github-gobwas-ws tracking bugs for this issue:

Affects: fedora-all [bug 2248296]


Created golang-github-google-dap tracking bugs for this issue:

Affects: fedora-all [bug 2248297]


Created golang-github-google-pprof tracking bugs for this issue:

Affects: fedora-all [bug 2248298]


Created golang-github-googleapis-gnostic tracking bugs for this issue:

Affects: fedora-all [bug 2248300]


Created golang-github-googleapis-gnostic-0.4 tracking bugs for this issue:

Affects: fedora-all [bug 2248299]


Created golang-github-googlecloudplatform-cloudsql-proxy tracking bugs for this issue:

Affects: fedora-all [bug 2248301]


Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue:

Affects: fedora-all [bug 2248302]


Created golang-github-haproxytech-dataplaneapi tracking bugs for this issue:

Affects: fedora-all [bug 2248303]


Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-all [bug 2248304]


Created golang-github-hashicorp-msgpack tracking bugs for this issue:

Affects: fedora-all [bug 2248305]


Created golang-github-hub tracking bugs for this issue:

Affects: fedora-all [bug 2248306]


Created golang-github-instrumenta-kubeval tracking bugs for this issue:

Affects: fedora-all [bug 2248307]


Created golang-github-jsonnet-bundler tracking bugs for this issue:

Affects: fedora-all [bug 2248308]


Created golang-github-ledisdb tracking bugs for this issue:

Affects: fedora-all [bug 2248309]


Created golang-github-letsencrypt-pebble tracking bugs for this issue:

Affects: fedora-all [bug 2248310]


Created golang-github-liamg-scout tracking bugs for this issue:

Affects: fedora-all [bug 2248311]


Created golang-github-mailru-easyjson tracking bugs for this issue:

Affects: fedora-all [bug 2248312]

Comment 5 Zack Miele 2023-11-06 21:53:18 UTC
Created golang-github-maruel-panicparse tracking bugs for this issue:

Affects: fedora-all [bug 2248314]


Created golang-github-mholt-certmagic-0.8 tracking bugs for this issue:

Affects: fedora-all [bug 2248315]


Created golang-github-moby-swarmkit-2 tracking bugs for this issue:

Affects: fedora-all [bug 2248316]


Created golang-github-mock tracking bugs for this issue:

Affects: fedora-all [bug 2248317]


Created golang-github-nats-io-streaming-server tracking bugs for this issue:

Affects: fedora-all [bug 2248318]


Created golang-github-niklasfasching-org tracking bugs for this issue:

Affects: fedora-all [bug 2248319]


Created golang-github-onsi-ginkgo-2 tracking bugs for this issue:

Affects: fedora-all [bug 2248320]


Created golang-github-opencontainers-runtime-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248321]


Created golang-github-openprinting-ipp-usb tracking bugs for this issue:

Affects: fedora-all [bug 2248322]


Created golang-github-pact-foundation tracking bugs for this issue:

Affects: fedora-all [bug 2248323]


Created golang-github-path-network-mmproxy tracking bugs for this issue:

Affects: fedora-all [bug 2248324]


Created golang-github-pelletier-toml tracking bugs for this issue:

Affects: fedora-all [bug 2248326]


Created golang-github-pelletier-toml-2 tracking bugs for this issue:

Affects: fedora-all [bug 2248325]


Created golang-github-pgaskin-koboutils tracking bugs for this issue:

Affects: fedora-all [bug 2248327]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2248328]


Created golang-github-prometheus-alertmanager tracking bugs for this issue:

Affects: fedora-all [bug 2248329]


Created golang-github-prometheus-client-0.9 tracking bugs for this issue:

Affects: fedora-all [bug 2248330]


Created golang-github-prometheus-prom2json tracking bugs for this issue:

Affects: fedora-all [bug 2248331]


Created golang-github-quay-clair-4 tracking bugs for this issue:

Affects: fedora-all [bug 2248332]


Created golang-github-quay-claircore tracking bugs for this issue:

Affects: fedora-all [bug 2248333]


Created golang-github-rogpeppe-internal tracking bugs for this issue:

Affects: fedora-all [bug 2248334]


Created golang-github-rubenv-sql-migrate tracking bugs for this issue:

Affects: fedora-all [bug 2248335]


Created golang-github-schollz-croc tracking bugs for this issue:

Affects: fedora-all [bug 2248336]


Created golang-github-shopify-sarama tracking bugs for this issue:

Affects: fedora-all [bug 2248337]


Created golang-github-skynetservices-skydns tracking bugs for this issue:

Affects: fedora-all [bug 2248338]


Created golang-github-task tracking bugs for this issue:

Affects: fedora-all [bug 2248339]


Created golang-github-tdewolff-minify tracking bugs for this issue:

Affects: fedora-all [bug 2248340]


Created golang-github-temoto-robotstxt tracking bugs for this issue:

Affects: fedora-all [bug 2248341]


Created golang-github-tenox7-wrp tracking bugs for this issue:

Affects: fedora-all [bug 2248342]


Created golang-github-valyala-fasthttp tracking bugs for this issue:

Affects: fedora-all [bug 2248343]


Created golang-github-zmap-zcertificate tracking bugs for this issue:

Affects: fedora-all [bug 2248344]


Created golang-github-zmap-zlint tracking bugs for this issue:

Affects: fedora-all [bug 2248345]


Created golang-google-grpc tracking bugs for this issue:

Affects: fedora-all [bug 2248346]


Created golang-gopkg-src-d-git-4 tracking bugs for this issue:

Affects: fedora-all [bug 2248347]


Created golang-gvisor tracking bugs for this issue:

Affects: fedora-all [bug 2248348]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2248349]


Created golang-honnef-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248350]


Created golang-k8s-apiextensions-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2248351]


Created golang-k8s-code-generator tracking bugs for this issue:

Affects: fedora-all [bug 2248352]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2248353]


Created golang-k8s-kube-openapi tracking bugs for this issue:

Affects: fedora-all [bug 2248354]


Created golang-k8s-pod-security-admission tracking bugs for this issue:

Affects: fedora-all [bug 2248355]


Created golang-k8s-sample-apiserver tracking bugs for this issue:

Affects: fedora-all [bug 2248356]


Created golang-k8s-sample-controller tracking bugs for this issue:

Affects: fedora-all [bug 2248357]


Created golang-mongodb-mongo-driver tracking bugs for this issue:

Affects: fedora-all [bug 2248358]


Created golang-opentelemetry-contrib-0.20 tracking bugs for this issue:

Affects: fedora-all [bug 2248359]


Created golang-oras tracking bugs for this issue:

Affects: fedora-all [bug 2248360]


Created golang-sigs-k8s-application tracking bugs for this issue:

Affects: fedora-all [bug 2248361]


Created golang-sigs-k8s-aws-iam-authenticator tracking bugs for this issue:

Affects: fedora-all [bug 2248363]


Created golang-sr-emersion-gqlclient tracking bugs for this issue:

Affects: fedora-all [bug 2248364]

Comment 6 Zack Miele 2023-11-06 21:59:46 UTC
Created OliveTin tracking bugs for this issue:

Affects: fedora-all [bug 2248396]


Created golang-storj-drpc tracking bugs for this issue:

Affects: fedora-all [bug 2248366]


Created golang-uber-mock tracking bugs for this issue:

Affects: fedora-all [bug 2248367]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2248368]


Created golang-x-mobile tracking bugs for this issue:

Affects: fedora-all [bug 2248369]


Created golang-x-mod tracking bugs for this issue:

Affects: fedora-all [bug 2248370]


Created golang-x-net tracking bugs for this issue:

Affects: fedora-all [bug 2248371]


Created golang-x-perf tracking bugs for this issue:

Affects: fedora-all [bug 2248372]


Created golang-x-text tracking bugs for this issue:

Affects: fedora-all [bug 2248373]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2248374]


Created golie tracking bugs for this issue:

Affects: fedora-all [bug 2248375]


Created google-guest-agent tracking bugs for this issue:

Affects: fedora-all [bug 2248376]


Created google-osconfig-agent tracking bugs for this issue:

Affects: fedora-all [bug 2248377]


Created gopass tracking bugs for this issue:

Affects: fedora-all [bug 2248380]


Created gopass-hibp tracking bugs for this issue:

Affects: fedora-all [bug 2248378]


Created gopass-jsonapi tracking bugs for this issue:

Affects: fedora-all [bug 2248379]


Created grafana tracking bugs for this issue:

Affects: fedora-all [bug 2248382]


Created grafana-pcp tracking bugs for this issue:

Affects: fedora-all [bug 2248381]


Created grpcurl tracking bugs for this issue:

Affects: fedora-all [bug 2248383]


Created gvisor-tap-vsock tracking bugs for this issue:

Affects: fedora-all [bug 2248384]


Created hcloud tracking bugs for this issue:

Affects: fedora-all [bug 2248385]


Created htmltest tracking bugs for this issue:

Affects: fedora-all [bug 2248386]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2248387]


Created hut tracking bugs for this issue:

Affects: fedora-all [bug 2248388]


Created ignition tracking bugs for this issue:

Affects: fedora-all [bug 2248389]


Created kitty tracking bugs for this issue:

Affects: fedora-all [bug 2248390]


Created micro tracking bugs for this issue:

Affects: fedora-all [bug 2248391]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2248392]


Created mqttcli tracking bugs for this issue:

Affects: fedora-all [bug 2248393]


Created nats-server tracking bugs for this issue:

Affects: fedora-all [bug 2248394]


Created nebula tracking bugs for this issue:

Affects: fedora-all [bug 2248395]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2248397]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2248398]


Created pack tracking bugs for this issue:

Affects: fedora-all [bug 2248399]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2248401]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2248400]


Created prometheus-podman-exporter tracking bugs for this issue:

Affects: fedora-all [bug 2248402]


Created rclone tracking bugs for this issue:

Affects: fedora-all [bug 2248403]


Created reg tracking bugs for this issue:

Affects: fedora-all [bug 2248404]


Created reposurgeon tracking bugs for this issue:

Affects: fedora-all [bug 2248405]


Created restic tracking bugs for this issue:

Affects: fedora-all [bug 2248406]


Created singularity-ce tracking bugs for this issue:

Affects: fedora-all [bug 2248407]


Created skopeo tracking bugs for this issue:

Affects: fedora-all [bug 2248408]


Created snapd tracking bugs for this issue:

Affects: fedora-all [bug 2248409]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2248410]


Created suseconnect-ng tracking bugs for this issue:

Affects: fedora-all [bug 2248411]

Comment 7 Zack Miele 2023-11-06 22:00:59 UTC
Created syncthing tracking bugs for this issue:

Affects: fedora-all [bug 2248412]


Created tinygo tracking bugs for this issue:

Affects: fedora-all [bug 2248413]


Created vultr-cli tracking bugs for this issue:

Affects: fedora-all [bug 2248414]


Created xq tracking bugs for this issue:

Affects: fedora-all [bug 2248415]


Created yggdrasil tracking bugs for this issue:

Affects: fedora-all [bug 2248416]


Created yubihsm-connector tracking bugs for this issue:

Affects: fedora-all [bug 2248417]

