Bug 2268273 (CVE-2023-45288, VU#421644.3) - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
Keywords:
Status: NEW
Alias: CVE-2023-45288, VU#421644.3
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269415 2269416 2269417 2269419 2269447 2269449 2269451 2269452 2269453 2269454 2269455 2269456 2269457 2269458 2269459 2269853 2276081 2276082 2269450 2269460
Blocks: 2268258
Reported: 2024-03-06 20:49 UTC by Nick Tait
Modified: 2024-04-30 19:36 UTC (History)
CC List: 149 users

Fixed In Version: golang 1.22.2, golang 1.21.9, golang.org/x/net 0.23.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the implementation of the HTTP/2 protocol in the Go programming language. There were insufficient limitations on the number of CONTINUATION frames sent within a single stream. An attacker could potentially exploit this to cause a Denial-of-Service (DoS) attack.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2000 0 None None None 2024-04-23 15:23:14 UTC
Red Hat Product Errata RHBA-2024:2001 0 None None None 2024-04-23 15:14:20 UTC
Red Hat Product Errata RHSA-2024:1668 0 None None None 2024-04-08 06:25:01 UTC
Red Hat Product Errata RHSA-2024:1679 0 None None None 2024-04-08 06:38:21 UTC
Red Hat Product Errata RHSA-2024:1681 0 None None None 2024-04-08 08:43:59 UTC
Red Hat Product Errata RHSA-2024:1683 0 None None None 2024-04-08 09:52:43 UTC
Red Hat Product Errata RHSA-2024:1892 0 None None None 2024-04-25 19:27:26 UTC
Red Hat Product Errata RHSA-2024:1897 0 None None None 2024-04-26 20:11:21 UTC
Red Hat Product Errata RHSA-2024:1899 0 None None None 2024-04-25 15:43:33 UTC
Red Hat Product Errata RHSA-2024:1962 0 None None None 2024-04-23 00:35:58 UTC
Red Hat Product Errata RHSA-2024:1963 0 None None None 2024-04-23 00:31:53 UTC
Red Hat Product Errata RHSA-2024:2060 0 None None None 2024-04-25 12:15:41 UTC
Red Hat Product Errata RHSA-2024:2062 0 None None None 2024-04-25 14:27:16 UTC
Red Hat Product Errata RHSA-2024:2079 0 None None None 2024-04-29 01:56:47 UTC
Red Hat Product Errata RHSA-2024:2088 0 None None None 2024-04-29 02:27:06 UTC
Red Hat Product Errata RHSA-2024:2562 0 None None None 2024-04-30 14:40:06 UTC
Red Hat Product Errata RHSA-2024:2625 0 None None None 2024-04-30 19:36:37 UTC

Description Nick Tait 2024-03-06 20:49:42 UTC
This description was provided in the disclosure from VINCE:

The Go packages net/http and golang.org/x/net/http2 packages do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
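The description above states the mechanism in one sentence: a receiver that keeps reading and decoding header block fragments with no ceiling can be made to spend CPU on headers it will never use. The Go program below is an added illustration written for this page; it is not code from the Go project, the reporter, or any Red Hat errata. It contains a minimal HTTP/2 frame parser (9-octet frame header per RFC 9113), a per-stream accumulator over HEADERS and CONTINUATION payloads, and a guard that fails the connection once a stream's header block grows past a cap. The cap value (16 KiB), the constructed SampleStream input, the frame builder and every function name are assumptions of this example; they do not reproduce the exact thresholds chosen in the Go 1.22.2 / x/net 0.23.0 fix. Padding and priority fields in HEADERS frames are assumed absent.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame types and flags from RFC 9113, section 6.
const (
	typeHeaders      uint8 = 0x1
	typeContinuation uint8 = 0x9
	flagEndHeaders   uint8 = 0x4
	frameHeaderLen         = 9
)

// Frame is one HTTP/2 frame: the 9-octet header fields plus its payload.
type Frame struct {
	Type     uint8
	Flags    uint8
	StreamID uint32
	Payload  []byte
}

var (
	ErrTruncated        = errors.New("truncated frame")
	ErrHeaderBlockLimit = errors.New("header block exceeds limit; close connection")
)

// ParseFrames splits raw bytes into frames: 24-bit length, 8-bit type,
// 8-bit flags, 31-bit stream id (top bit reserved), then the payload.
func ParseFrames(b []byte) ([]Frame, error) {
	var frames []Frame
	for len(b) > 0 {
		if len(b) < frameHeaderLen {
			return nil, ErrTruncated
		}
		length := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
		f := Frame{Type: b[3], Flags: b[4], StreamID: binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff}
		b = b[frameHeaderLen:]
		if len(b) < length {
			return nil, ErrTruncated
		}
		f.Payload, b = b[:length], b[length:]
		frames = append(frames, f)
	}
	return frames, nil
}

// HeaderBlockGuard tracks, per stream, how many header-block bytes arrived
// across a HEADERS frame and its CONTINUATION frames. HPACK state must stay in
// sync, so a receiver cannot skip these bytes; it can only cap them and tear
// the connection down when the cap is exceeded. A cap of 0 means unbounded,
// i.e. the unpatched behaviour described in this bug.
type HeaderBlockGuard struct {
	MaxHeaderBlockBytes int
	pending             map[uint32]int // stream id -> bytes accumulated so far
}

func NewHeaderBlockGuard(max int) *HeaderBlockGuard {
	return &HeaderBlockGuard{MaxHeaderBlockBytes: max, pending: map[uint32]int{}}
}

// Observe feeds one frame to the guard and returns how many header-block bytes
// the receiver would have to decode for it; once a stream's accumulated block
// exceeds the cap it returns ErrHeaderBlockLimit (the caller closes the connection).
func (g *HeaderBlockGuard) Observe(f Frame) (int, error) {
	if f.Type != typeHeaders && f.Type != typeContinuation {
		return 0, nil
	}
	n := len(f.Payload) // assumption: no padding/priority fields in HEADERS
	g.pending[f.StreamID] += n
	if g.MaxHeaderBlockBytes > 0 && g.pending[f.StreamID] > g.MaxHeaderBlockBytes {
		delete(g.pending, f.StreamID)
		return n, ErrHeaderBlockLimit
	}
	if f.Flags&flagEndHeaders != 0 {
		delete(g.pending, f.StreamID) // header block complete
	}
	return n, nil
}

// buildFrame serializes one frame; used only to construct sample input.
func buildFrame(t, flags uint8, stream uint32, payload []byte) []byte {
	b := make([]byte, frameHeaderLen, frameHeaderLen+len(payload))
	b[0], b[1], b[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	b[3], b[4] = t, flags
	binary.BigEndian.PutUint32(b[5:9], stream&0x7fffffff)
	return append(b, payload...)
}

// SampleStream builds a constructed HEADERS frame on stream 1 followed by n
// CONTINUATION frames of fragSize bytes each, the last carrying END_HEADERS.
func SampleStream(n, fragSize int) []byte {
	frag := make([]byte, fragSize) // opaque header block fragment (constructed)
	out := buildFrame(typeHeaders, 0, 1, frag)
	for i := 0; i < n; i++ {
		var flags uint8
		if i == n-1 {
			flags = flagEndHeaders
		}
		out = append(out, buildFrame(typeContinuation, flags, 1, frag)...)
	}
	return out
}

// DecodedBytes runs a frame stream through the guard and reports how many
// header-block bytes were decoded before it stopped, plus the stopping error.
func DecodedBytes(raw []byte, maxHeaderBlockBytes int) (int, error) {
	frames, err := ParseFrames(raw)
	if err != nil {
		return 0, err
	}
	g := NewHeaderBlockGuard(maxHeaderBlockBytes)
	total := 0
	for _, f := range frames {
		n, err := g.Observe(f)
		total += n
		if err != nil {
			return total, err
		}
	}
	return total, nil
}

func main() {
	raw := SampleStream(1000, 1024) // 1 HEADERS + 1000 CONTINUATION frames of 1 KiB
	unbounded, _ := DecodedBytes(raw, 0)
	capped, err := DecodedBytes(raw, 16*1024)
	fmt.Printf("unbounded: decoded %d bytes\n", unbounded)
	fmt.Printf("capped at 16 KiB: decoded %d bytes, err=%v\n", capped, err)
}
```

With the cap set to 0 the guard decodes all 1,025,024 bytes of a 1000-frame header block; with a 16 KiB cap it stops after the seventeenth frame (17,408 bytes) and reports that the connection should be closed. The design choice worth noting is that the guard counts bytes per stream rather than frames: a frame-count limit alone can be satisfied with a few maximally sized frames, while a byte cap bounds the decoding work regardless of how the block is split.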

Comment 18 Tom Sweeney 2024-03-13 20:30:04 UTC
Is this http and http2 or http2 only?  The title says HTTP, but the description is all http2.  If it's http2, then it's likely the container tools don't have an issue as we're HTTP based.

Comment 54 errata-xmlrpc 2024-04-08 06:24:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1668 https://access.redhat.com/errata/RHSA-2024:1668

Comment 55 errata-xmlrpc 2024-04-08 06:38:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1679 https://access.redhat.com/errata/RHSA-2024:1679

Comment 56 errata-xmlrpc 2024-04-08 08:43:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1681 https://access.redhat.com/errata/RHSA-2024:1681

Comment 57 errata-xmlrpc 2024-04-08 09:52:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:1683 https://access.redhat.com/errata/RHSA-2024:1683

Comment 72 Gandhimathy 2024-04-17 11:07:02 UTC
We are from a product team which provides a security fix every month.
The above CVE is reported against RedHat UBI minimal 8.9 level.  And we are expected to fix this by 5th of May.

It is blocking our releases.  Can you please let us know when it will be fixed.

Thanks & Regards,
Gandhi.
IBM MQ Container Security Lead.

Comment 80 errata-xmlrpc 2024-04-23 00:31:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1963 https://access.redhat.com/errata/RHSA-2024:1963

Comment 81 errata-xmlrpc 2024-04-23 00:35:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1962 https://access.redhat.com/errata/RHSA-2024:1962

Comment 87 errata-xmlrpc 2024-04-25 12:15:34 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2024:2060 https://access.redhat.com/errata/RHSA-2024:2060

Comment 88 errata-xmlrpc 2024-04-25 14:27:10 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:2062 https://access.redhat.com/errata/RHSA-2024:2062

Comment 89 errata-xmlrpc 2024-04-25 15:43:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1899 https://access.redhat.com/errata/RHSA-2024:1899

Comment 90 errata-xmlrpc 2024-04-25 19:27:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1892 https://access.redhat.com/errata/RHSA-2024:1892

Comment 91 errata-xmlrpc 2024-04-26 20:11:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1897 https://access.redhat.com/errata/RHSA-2024:1897

Comment 92 errata-xmlrpc 2024-04-29 01:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2079 https://access.redhat.com/errata/RHSA-2024:2079

Comment 93 errata-xmlrpc 2024-04-29 02:27:01 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

Comment 94 errata-xmlrpc 2024-04-30 14:39:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562

Comment 97 errata-xmlrpc 2024-04-30 19:36:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:2625 https://access.redhat.com/errata/RHSA-2024:2625

