Uncontrolled Resource Consumption in github.com/golang/net
CVE-2023-45288
- github.com/golang/net
- golang/net
- golang.org/x/net
- golang.org/x/net/http2
Summary
As part of a class of vulnerabilities known as "HTTP/2 CONTINUATION Flood," an attacker can exploit the HTTP/2 protocol's CONTINUATION frame handling in certain implementations to cause a Denial-of-Service (DoS) attack by forcing an HTTP/2 endpoint to process and decode arbitrary amounts of header data. Maintaining 'HPACK' state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed 'MaxHeaderBytes', no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request that is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. This affects "golang.org/x/net/http2" versions prior to 0.23.0, and "net/http" versions prior to 1.21.9, and 1.22.0-x prior to 1.22.2.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- HIGH
CWE-400 - Uncontrolled resource consumption
An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.
References
Advisory Timeline
- Published