Bug 2268273 (CVE-2023-45288, VU#421644.3) - CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
Summary: CVE-2023-45288 golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS
Keywords:
Status: NEW
Alias: CVE-2023-45288, VU#421644.3
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269415 2269416 2269417 2269447 2269449 2269451 2269452 2269453 2269454 2269455 2269456 2269457 2269458 2269459 2269853 2276081 2276082 2269419 2269450 2269460
Blocks: 2268258
Reported: 2024-03-06 20:49 UTC by Nick Tait
Modified: 2024-05-21 09:59 UTC (History)
CC: 143 users

Fixed In Version: golang 1.22.2, golang 1.21.9, golang.org/x/net 0.23.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the HTTP/2 implementation of the Go programming language. The number of CONTINUATION frames accepted within a single stream was not sufficiently limited. An attacker could potentially exploit this to cause a Denial of Service (DoS).
Clone Of:
Environment:
Last Closed:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2000 0 None None None 2024-04-23 15:23:14 UTC
Red Hat Product Errata RHBA-2024:2001 0 None None None 2024-04-23 15:14:20 UTC
Red Hat Product Errata RHBA-2024:2702 0 None None None 2024-05-06 09:27:06 UTC
Red Hat Product Errata RHBA-2024:2713 0 None None None 2024-05-06 15:33:17 UTC
Red Hat Product Errata RHBA-2024:2850 0 None None None 2024-05-15 01:25:43 UTC
Red Hat Product Errata RHSA-2024:1668 0 None None None 2024-04-08 06:25:01 UTC
Red Hat Product Errata RHSA-2024:1679 0 None None None 2024-04-08 06:38:21 UTC
Red Hat Product Errata RHSA-2024:1681 0 None None None 2024-04-08 08:43:59 UTC
Red Hat Product Errata RHSA-2024:1683 0 None None None 2024-04-08 09:52:43 UTC
Red Hat Product Errata RHSA-2024:1892 0 None None None 2024-04-25 19:27:26 UTC
Red Hat Product Errata RHSA-2024:1897 0 None None None 2024-04-26 20:11:21 UTC
Red Hat Product Errata RHSA-2024:1899 0 None None None 2024-04-25 15:43:33 UTC
Red Hat Product Errata RHSA-2024:1962 0 None None None 2024-04-23 00:35:58 UTC
Red Hat Product Errata RHSA-2024:1963 0 None None None 2024-04-23 00:31:53 UTC
Red Hat Product Errata RHSA-2024:2049 0 None None None 2024-05-02 16:56:14 UTC
Red Hat Product Errata RHSA-2024:2060 0 None None None 2024-04-25 12:15:41 UTC
Red Hat Product Errata RHSA-2024:2062 0 None None None 2024-04-25 14:27:16 UTC
Red Hat Product Errata RHSA-2024:2068 0 None None None 2024-05-02 14:23:30 UTC
Red Hat Product Errata RHSA-2024:2079 0 None None None 2024-04-29 01:56:47 UTC
Red Hat Product Errata RHSA-2024:2088 0 None None None 2024-04-29 02:27:06 UTC
Red Hat Product Errata RHSA-2024:2562 0 None None None 2024-04-30 14:40:06 UTC
Red Hat Product Errata RHSA-2024:2625 0 None None None 2024-04-30 19:36:37 UTC
Red Hat Product Errata RHSA-2024:2664 0 None None None 2024-05-09 13:55:36 UTC
Red Hat Product Errata RHSA-2024:2667 0 None None None 2024-05-09 14:35:08 UTC
Red Hat Product Errata RHSA-2024:2668 0 None None None 2024-05-09 16:50:15 UTC
Red Hat Product Errata RHSA-2024:2671 0 None None None 2024-05-09 17:29:28 UTC
Red Hat Product Errata RHSA-2024:2672 0 None None None 2024-05-09 17:13:49 UTC
Red Hat Product Errata RHSA-2024:2699 0 None None None 2024-05-06 06:51:04 UTC
Red Hat Product Errata RHSA-2024:2724 0 None None None 2024-05-07 10:38:53 UTC
Red Hat Product Errata RHSA-2024:2773 0 None None None 2024-05-15 18:44:11 UTC
Red Hat Product Errata RHSA-2024:2782 0 None None None 2024-05-16 18:09:34 UTC
Red Hat Product Errata RHSA-2024:2865 0 None None None 2024-05-21 09:37:56 UTC
Red Hat Product Errata RHSA-2024:2935 0 None None None 2024-05-21 05:14:32 UTC
Red Hat Product Errata RHSA-2024:2936 0 None None None 2024-05-21 05:01:30 UTC
Red Hat Product Errata RHSA-2024:2941 0 None None None 2024-05-21 09:59:08 UTC

Description Nick Tait 2024-03-06 20:49:42 UTC
This description was provided in the disclosure from VINCE:

The Go packages net/http and golang.org/x/net/http2 do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, which will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
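
As an added example, not part of the bug record or of the Go fix itself, the following Go code shows the kind of frame-level check that closes this gap: header block bytes are counted per stream across a HEADERS frame and all of its CONTINUATION frames, and the connection is rejected once a stream exceeds a fixed budget, so the read-decode-discard work described above is cut off. The `headerBlockLimiter` type, the `encodeFrame` helper and the byte limit are assumptions made for this illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const frameHeaders, frameContinuation, flagEndHeaders = 0x1, 0x9, 0x4 // RFC 9113 values
// headerBlockLimiter caps, per stream, the header block bytes accepted across a
// HEADERS frame and its CONTINUATION frames (illustrative, not the Go fix itself).
type headerBlockLimiter struct {
	maxBytes int
	pending  map[uint32]int // stream id -> header block bytes seen so far
}

// feedFrames walks raw HTTP/2 frames (9-byte header + payload) and returns how
// many were accepted; a non-nil error means the connection should be closed.
func (l *headerBlockLimiter) feedFrames(buf []byte) (int, error) {
	if l.pending == nil {
		l.pending = map[uint32]int{}
	}
	accepted := 0
	for len(buf) >= 9 {
		length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		ftype, flags := buf[3], buf[4]
		streamID := binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff
		if len(buf) < 9+length {
			break // partial frame: a streaming reader would wait for more bytes
		}
		buf = buf[9+length:]
		if ftype == frameHeaders || ftype == frameContinuation {
			l.pending[streamID] += length // whole payload counted; padding only overcounts
			if l.pending[streamID] > l.maxBytes {
				return accepted, fmt.Errorf("stream %d: header block exceeds %d bytes", streamID, l.maxBytes)
			}
			if flags&flagEndHeaders != 0 {
				delete(l.pending, streamID) // block complete, stop tracking
			}
		}
		accepted++
	}
	return accepted, nil
}

// encodeFrame builds one raw frame; used only to construct sample input.
func encodeFrame(ftype, flags byte, streamID uint32, payload []byte) []byte {
	n := len(payload)
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), ftype, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[5:9], streamID)
	return append(hdr, payload...)
}
```

Frames of other types are passed through untouched, so the check adds no cost to DATA traffic; a real server would pair it with the existing MaxHeaderBytes limit rather than replace it.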

Comment 18 Tom Sweeney 2024-03-13 20:30:04 UTC
Is this http and http2 or http2 only?  The title says HTTP, but the description is all http2.  If it's http2, then it's likely the container tools don't have an issue as we're HTTP based.

Comment 54 errata-xmlrpc 2024-04-08 06:24:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1668 https://access.redhat.com/errata/RHSA-2024:1668

Comment 55 errata-xmlrpc 2024-04-08 06:38:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1679 https://access.redhat.com/errata/RHSA-2024:1679

Comment 56 errata-xmlrpc 2024-04-08 08:43:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1681 https://access.redhat.com/errata/RHSA-2024:1681

Comment 57 errata-xmlrpc 2024-04-08 09:52:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:1683 https://access.redhat.com/errata/RHSA-2024:1683

Comment 72 Gandhimathy 2024-04-17 11:07:02 UTC
We are from a product team which provides a security fix every month.
The above CVE is reported against Red Hat UBI minimal 8.9 level.  And we are expected to fix this by 5th of May.

It is blocking our releases.  Can you please let us know when it will be fixed.

Thanks & Regards,
Gandhi.
IBM MQ Container Security Lead.

Comment 80 errata-xmlrpc 2024-04-23 00:31:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1963 https://access.redhat.com/errata/RHSA-2024:1963

Comment 81 errata-xmlrpc 2024-04-23 00:35:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1962 https://access.redhat.com/errata/RHSA-2024:1962

Comment 87 errata-xmlrpc 2024-04-25 12:15:34 UTC
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2024:2060 https://access.redhat.com/errata/RHSA-2024:2060

Comment 88 errata-xmlrpc 2024-04-25 14:27:10 UTC
This issue has been addressed in the following products:

  STF-1.5-RHEL-8

Via RHSA-2024:2062 https://access.redhat.com/errata/RHSA-2024:2062

Comment 89 errata-xmlrpc 2024-04-25 15:43:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1899 https://access.redhat.com/errata/RHSA-2024:1899

Comment 90 errata-xmlrpc 2024-04-25 19:27:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1892 https://access.redhat.com/errata/RHSA-2024:1892

Comment 91 errata-xmlrpc 2024-04-26 20:11:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1897 https://access.redhat.com/errata/RHSA-2024:1897

Comment 92 errata-xmlrpc 2024-04-29 01:56:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2079 https://access.redhat.com/errata/RHSA-2024:2079

Comment 93 errata-xmlrpc 2024-04-29 02:27:01 UTC
This issue has been addressed in the following products:

  Cryostat 2 on RHEL 8

Via RHSA-2024:2088 https://access.redhat.com/errata/RHSA-2024:2088

Comment 94 errata-xmlrpc 2024-04-30 14:39:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2562 https://access.redhat.com/errata/RHSA-2024:2562

Comment 97 errata-xmlrpc 2024-04-30 19:36:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:2625 https://access.redhat.com/errata/RHSA-2024:2625

Comment 100 errata-xmlrpc 2024-05-02 14:23:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2068 https://access.redhat.com/errata/RHSA-2024:2068

Comment 101 errata-xmlrpc 2024-05-02 16:56:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2049 https://access.redhat.com/errata/RHSA-2024:2049

Comment 102 errata-xmlrpc 2024-05-06 06:50:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2699 https://access.redhat.com/errata/RHSA-2024:2699

Comment 104 errata-xmlrpc 2024-05-07 10:38:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2724 https://access.redhat.com/errata/RHSA-2024:2724

Comment 107 errata-xmlrpc 2024-05-09 13:55:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2664 https://access.redhat.com/errata/RHSA-2024:2664

Comment 108 errata-xmlrpc 2024-05-09 14:35:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2667 https://access.redhat.com/errata/RHSA-2024:2667

Comment 109 errata-xmlrpc 2024-05-09 16:50:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2668 https://access.redhat.com/errata/RHSA-2024:2668

Comment 110 errata-xmlrpc 2024-05-09 17:13:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672

Comment 111 errata-xmlrpc 2024-05-09 17:29:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2671 https://access.redhat.com/errata/RHSA-2024:2671

Comment 113 errata-xmlrpc 2024-05-15 18:44:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2773 https://access.redhat.com/errata/RHSA-2024:2773

Comment 114 errata-xmlrpc 2024-05-16 18:09:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2782 https://access.redhat.com/errata/RHSA-2024:2782

Comment 120 errata-xmlrpc 2024-05-21 05:01:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2936 https://access.redhat.com/errata/RHSA-2024:2936

Comment 121 errata-xmlrpc 2024-05-21 05:14:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2935 https://access.redhat.com/errata/RHSA-2024:2935

Comment 122 errata-xmlrpc 2024-05-21 09:37:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2865 https://access.redhat.com/errata/RHSA-2024:2865

Comment 123 errata-xmlrpc 2024-05-21 09:58:58 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:2941 https://access.redhat.com/errata/RHSA-2024:2941
