A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of concurrently open requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request frees its stream slot immediately, allowing the attacker to open a new request while the handler for the reset one is still executing.
https://pkg.go.dev/golang.org/x/net?tab=versions

Is it accurate to say that anything that has rebased golang x/net to >= 0.22.0 resolves this issue?
(In reply to Lon Hohberger from comment #6)
> https://pkg.go.dev/golang.org/x/net?tab=versions
>
> Is it accurate to say that anything that has rebased golang x/net to >=
> 0.22.0 resolves this issue?

The history log for this bug states that it is a RedHat-specific CVE related to CVE-2023-39325, which was fixed in golang.org/x/net/http2 v0.17.0. See here: https://pkg.go.dev/vuln/GO-2023-2102

The history log goes on to say, "Red Hat has come to the conclusion that this CVE is not needed", so it seems (to me) that it can be ignored, provided you are at least at these Go versions:

- go1.20.10 (net/http)
- go1.21.3 (net/http)
- golang.org/x/net/http2.0

Of course you also need golang.org/x/net/http2.0 or later to avoid CVE-2023-45288, and go1.22.5 or later to avoid CVE-2024-24791.
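The practical question in this thread is whether a given build sits at or above the patched versions named above (go1.20.10 / go1.21.3 for the bundled net/http, and the golang.org/x/net v0.17.0 tag for GO-2023-2102). The following is an added example, not part of the bug report or of the Go project: a small Go program that reads the output of `go version` and `go list -m all` and reports which of those two conditions is unmet. The function name `CheckBuild`, the sample module list, and the simplified version comparison (pre-release and pseudo-version suffixes are dropped so a pseudo-version compares by its base version) are assumptions of this example; it uses only the standard library so it runs offline.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Versions named in the thread: the x/net/http2 fix landed in the v0.17.0 tag
// (GO-2023-2102) and the patched toolchains are go1.20.10 and go1.21.3.
const fixedXNet = "v0.17.0"

var fixedToolchains = map[int]string{
	20: "go1.20.10",
	21: "go1.21.3",
}

// parseVersion reduces "v0.17.0", "0.22.0", "go1.21.3" or a pseudo-version
// such as "v0.0.0-20230101000000-abcdef123456" to [major, minor, patch].
// Anything after the first '-' or '+' is dropped, so a pseudo-version
// compares by its base version: v0.0.0-... sorts before the fix, while
// v0.17.1-0.2023... (a commit after the v0.17.0 tag) sorts after it.
// This is a deliberate simplification of full semver ordering.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	s := strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised version %q", v)
		}
		out[i] = n
	}
	return out, nil
}

// atLeast reports whether have >= want under the comparison above.
func atLeast(have, want string) (bool, error) {
	h, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	w, err := parseVersion(want)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != w[i] {
			return h[i] > w[i], nil
		}
	}
	return true, nil
}

// CheckBuild takes the output of `go version` (or just "go1.21.2") and the
// output of `go list -m all` ("path version" per line) and returns one finding
// per unmet condition: an unpatched toolchain for net/http, or an x/net module
// older than the fixed tag. An absent x/net module is not a finding, since
// only the toolchain's bundled copy is in play then.
func CheckBuild(goVersion, goListOutput string) []string {
	var findings []string

	tc := ""
	for _, f := range strings.Fields(goVersion) {
		if strings.HasPrefix(f, "go1") {
			tc = f
			break
		}
	}
	if tv, err := parseVersion(tc); err != nil {
		findings = append(findings, "cannot parse toolchain version: "+goVersion)
	} else if fixed, ok := fixedToolchains[tv[1]]; ok {
		if good, _ := atLeast(tc, fixed); !good {
			findings = append(findings, fmt.Sprintf("toolchain %s is below %s", tc, fixed))
		}
	} else if tv[1] < 20 {
		findings = append(findings, fmt.Sprintf("toolchain %s predates the patched release lines", tc))
	}
	// Minor versions above 21 were first released after the fix and need no check.

	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || fields[0] != "golang.org/x/net" {
			continue
		}
		good, err := atLeast(fields[1], fixedXNet)
		if err != nil {
			findings = append(findings, "cannot parse x/net version: "+fields[1])
		} else if !good {
			findings = append(findings, fmt.Sprintf("golang.org/x/net %s is below %s", fields[1], fixedXNet))
		}
	}
	return findings
}

func main() {
	// Constructed sample build, not a real project's module graph.
	goVersion := "go version go1.21.2 linux/amd64"
	goList := "example.com/app\ngolang.org/x/net v0.15.0\ngolang.org/x/text v0.13.0\n"
	for _, f := range CheckBuild(goVersion, goList) {
		fmt.Println("FINDING:", f)
	}
}
```

In a real pipeline you would feed `CheckBuild` the captured output of `go version` and `go list -m all` from the build environment; a version bump in go.mod alone proves nothing if the build still runs an older toolchain, which is why both inputs are checked.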
This issue has been addressed in the following products:

RHODF-4.16-RHEL-9

Via RHSA-2024:6755 https://access.redhat.com/errata/RHSA-2024:6755