3909 matches found

OSV
added 2024/04/08 11:28 a.m. | 8 views

SUSE-SU-2024:1161-1 Security update for go1.21

This update for go1.21 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Other changes: - go minor release upgrade to 1.21.9 bsc1212475...

CVSS 7.5 | AI score 7.8 | EPSS 0.91969
Exploits: 1 | References: 4
OSV
added 2024/04/08 11:28 a.m. | 7 views

SUSE-SU-2024:1160-1 Security update for go1.22

This update for go1.22 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Other changes: - go minor release upgrade to 1.22.2 bsc1218424...

CVSS 7.5 | AI score 7.8 | EPSS 0.91969
Exploits: 1 | References: 4
OSV
added 2024/04/08 11:21 a.m. | 10 views

SUSE-SU-2024:1156-1 Security update for nghttp2

This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames bsc1221399...

CVSS 5.3 | AI score 5.5 | EPSS 0.8496
Exploits: 1 | References: 3
Veracode
added 2024/04/08 6:22 a.m. | 27 views

Denial Of Service (DoS)

Envoy is vulnerable to Denial of Service (DoS). The vulnerability is due to allowing an unlimited number of CONTINUATION frames to be sent by the peer, even after exceeding Envoy's header map limits. Attackers can exploit this by sending a sequence of CONTINUATION frames without the END_HEADERS bit...

CVSS 5.3 | AI score 6.7 | EPSS 0.8781
Exploits: 1 | References: 7 | Affected Software: 1
Tenable Nessus
added 2024/04/08 12:00 a.m. | 25 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.22 (SUSE-SU-2024:1121-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1121-1 advisory. - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Tenable has extracted...

CVSS 7.5 | AI score 7 | EPSS 0.91969
Exploits: 1 | References: 5
Tenable Nessus
added 2024/04/08 12:00 a.m. | 19 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.21 (SUSE-SU-2024:1122-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1122-1 advisory. - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Tenable has extracted...

CVSS 7.5 | AI score 7 | EPSS 0.91969
Exploits: 1 | References: 5
OSV
added 2024/04/06 6:19 p.m. | 25 views

BIT-GOLANG-2023-45288 HTTP/2 CONTINUATION flood in net/http

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

CVSS 7.5 | AI score 8 | EPSS 0.91969
Exploits: 1 | References: 10
BDU FSTEC
added 2024/04/06 12:00 a.m. | 8 views

The vulnerability of the net/http and net/http2 libraries in the Go programming language is related to an uncontrolled resource consumption, allowing attackers to cause service failures.

The vulnerability in the HTTP/2 implementation of the net/http and net/http2 libraries of the Go programming language stems from uncontrolled resource consumption caused by incorrect determination of the end of headers while processing CONTINUATION frames...

CVSS 5.3 | AI score 6.9 | EPSS 0.91969
Exploits: 1 | References: 7 | Affected Software: 3
BDU FSTEC
added 2024/04/06 12:00 a.m. | 6 views

The vulnerability of the nghttp2 library, related to unlimited resource distribution, allows attackers to cause service failures.

The vulnerability in the HTTP/2 implementation of the nghttp2 library stems from uncontrolled resource consumption caused by incorrect determination of the end of headers while processing CONTINUATION frames. Exploiting this vulnerability could allow a remote...

CVSS 5.3 | AI score 7 | EPSS 0.8496
Exploits: 1 | References: 11 | Affected Software: 6
BDU FSTEC
added 2024/04/06 12:00 a.m. | 4 views

The vulnerability of the amphp/http library and the amphp/http-client HTTP client allows an attacker to induce a service failure.

The vulnerability in the HTTP/2 implementation of the amphp/http library and the amphp/http-client HTTP client stems from uncontrolled memory allocation due to improper restrictions on the size of field blocks during the processing of CONTINUATION frames. Exploiting this...

CVSS 8.5 | AI score 7.5 | EPSS 0.83244
Exploits: 1 | References: 8 | Affected Software: 2
BDU FSTEC
added 2024/04/06 12:00 a.m. | 4 views

The vulnerability of the Tempesta web application firewall, related to unlimited resource distribution, allows attackers to cause service interruptions.

The vulnerability in the HTTP/2 implementation of the Tempesta web application firewall stems from uncontrolled resource consumption caused by incorrect determination of the end of headers while processing CONTINUATION frames. Exploiting this vulnerability...

CVSS 5.3 | AI score 7.8 | EPSS 0.7275
Exploits: 0 | References: 3 | Affected Software: 1
BDU FSTEC
added 2024/04/06 12:00 a.m. | 4 views

The vulnerability of the Apache Traffic Server web server, related to uncontrolled resource consumption, allows attackers to cause service interruptions.

The vulnerability in the HTTP/2 implementation of the Apache Traffic Server web server stems from uncontrolled resource consumption caused by incorrect determination of the end of headers while processing CONTINUATION frames. Exploiting this vulnerability can...

CVSS 7.8 | AI score 7.5 | EPSS 0.94615
Exploits: 1 | References: 11 | Affected Software: 1
BDU FSTEC
added 2024/04/06 12:00 a.m. | 5 views

The vulnerability of the `node::http2::Http2Session::~Http2Session()` function in HTTP/2 server software for Node.js allows attackers to cause service failures.

The vulnerability of the `node::http2::Http2Session::~Http2Session()` function in the HTTP/2 server-side software for Node.js stems from uncontrolled resource consumption caused by incorrect handling of header termination when processing CONTINUATION frames. Exploiting this vulnerability can allow a...

CVSS 5.3 | AI score 7.2 | EPSS 0.87211
Exploits: 1 | References: 6 | Affected Software: 3
OSV
added 2024/04/05 3:31 p.m. | 5 views

SUSE-SU-2024:1121-1 Security update for go1.22

This update for go1.22 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Other changes: - go minor release upgrade to 1.22.2 bsc1218424...

CVSS 7.5 | AI score 7.1 | EPSS 0.91969
Exploits: 1 | References: 4
Veracode
added 2024/04/05 10:02 a.m. | 33 views

Denial Of Service (DoS)

github.com/nghttp2/nghttp2/ is vulnerable to Denial of Service (DoS). The vulnerability is due to a lack of frame count restrictions, which can result in nghttp2 reading an unbounded number of HTTP/2 CONTINUATION frames even after the stream is reset, in order to keep the HPACK context in sync. An attacker can...

CVSS 5.3 | AI score 6.6 | EPSS 0.8496
Exploits: 1 | References: 9 | Affected Software: 2
SUSE CVE
added 2024/04/05 2:23 a.m. | 9 views

SUSE CVE-2023-45288

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

CVSS 5.3 | AI score 8.8 | EPSS 0.91969
Exploits: 1 | References: 66
SUSE CVE
added 2024/04/05 2:21 a.m. | 1 view

SUSE CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 7.5 | AI score 8.2 | EPSS 0.87211
Exploits: 1 | References: 11
SUSE CVE
added 2024/04/05 2:21 a.m. | 4 views

SUSE CVE-2024-28182

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK...

CVSS 7.5 | AI score 7.3 | EPSS 0.8496
Exploits: 1 | References: 7
GitHub Security Blog
added 2024/04/04 9:30 p.m. | 57 views

net/http, x/net/http2: close connections when receiving too many headers

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

CVSS 7.5 | AI score 7.1 | EPSS 0.91969
Exploits: 1 | References: 12 | Affected Software: 3
OSV
added 2024/04/04 9:15 p.m. | 9 views

AZL-38338 CVE-2023-45288 affecting package docker-cli for versions less than 25.0.7-1

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no...

CVSS 7.5 | AI score 6.8 | EPSS 0.91969
Exploits: 1 | References: 1