Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-45288
HistoryMar 27, 2024 - 12:00 a.m.

CVE-2023-45288

2024-03-2700:00:00
ubuntu.com
ubuntu.com
28
http/2
hpack state
maxheaderbytes
header parsing
continuation frames
vulnerability
golang packages
memory allocation

AI Score

8.1

Confidence

High

EPSS

0

Percentile

13.2%

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of
header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and
CONTINUATION frames on a connection. When a request’s headers exceed
MaxHeaderBytes, no memory is allocated to store the excess headers, but
they are still parsed. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode than
for an attacker to send. The fix sets a limit on the amount of excess
header frames we will process before closing a connection.

Bugs

Notes

Author Note
sbeattie issue in net/http and net/http2 packages
mdeslaur Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang.