An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of
header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and
CONTINUATION frames on a connection. When a request’s headers exceed
MaxHeaderBytes, no memory is allocated to store the excess headers, but
they are still parsed. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode than
for an attacker to send. The fix sets a limit on the amount of excess
header frames we will process before closing a connection.
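The accounting that the fix adds, as an added illustration rather than code from Go or from the fix itself: a hypothetical Go routine `scan` that parses raw HTTP/2 frame headers, sums HEADERS and CONTINUATION payload bytes, keeps parsing past `maxHeaderBytes` as the vulnerable code did, and signals that the connection should be closed once that excess passes a budget. `scan`, `frame`, the limits and the sample frame stream are all constructed here and are not part of net/http.

```go
package main

import (
	"errors"
	"fmt"
)

// HTTP/2 frame types that carry header block fragments (RFC 7540 §6.2, §6.10), and the fixed frame header size.
const frameHeaders, frameContinuation, frameHeaderLen = byte(0x1), byte(0x9), 9
var errExcessHeaders = errors.New("excess header bytes over budget: close connection")

// scan is a hypothetical accounting routine in the shape of the fix. It walks a raw frame
// stream summing HEADERS/CONTINUATION payload lengths; past maxHeaderBytes the frames are
// still parsed (never stored), and once that excess exceeds excessLimit it signals "close".
func scan(stream []byte, maxHeaderBytes, excessLimit int) (int, error) {
	frames, seen := 0, 0 // frames processed so far, header block bytes seen so far
	for len(stream) > 0 {
		if len(stream) < frameHeaderLen {
			return frames, errors.New("truncated frame header")
		}
		length := int(stream[0])<<16 | int(stream[1])<<8 | int(stream[2]) // 24-bit big-endian
		if len(stream) < frameHeaderLen+length {
			return frames, errors.New("truncated frame payload")
		}
		if t := stream[3]; t == frameHeaders || t == frameContinuation {
			if seen += length; seen > maxHeaderBytes+excessLimit {
				return frames, errExcessHeaders
			}
		}
		frames++
		stream = stream[frameHeaderLen+length:]
	}
	return frames, nil
}

// frame builds a constructed frame of the given type with a zeroed payload;
// the payload contents are irrelevant to the accounting.
func frame(ftype byte, payloadLen int) []byte {
	f := make([]byte, frameHeaderLen+payloadLen)
	f[0], f[1], f[2], f[3] = byte(payloadLen>>16), byte(payloadLen>>8), byte(payloadLen), ftype
	return f
}

func main() {
	stream := frame(frameHeaders, 1024) // constructed sample: one HEADERS frame, then 100 CONTINUATION frames of 1 KiB
	for i := 0; i < 100; i++ {
		stream = append(stream, frame(frameContinuation, 1024)...)
	}
	fmt.Println(scan(stream, 8192, 4096)) // 12 excess header bytes over budget: close connection
}
```

With an 8 KiB header limit and a 4 KiB excess budget, the connection is dropped at the twelfth CONTINUATION frame instead of parsing all hundred; a request whose header block fits the limit is processed in full.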
Author | Note |
---|---|
sbeattie | issue in net/http and net/http2 packages |
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. Warning: do not include nullboot in the list of no-change rebuilds after fixing an issue in golang. |
OS | OS version | Architecture | Package | Affected version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.10 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | golang-1.13 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.14 | < any | UNKNOWN |
ubuntu | 18.04 | noarch | golang-1.16 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | golang-1.16 | < any | UNKNOWN |
go.dev/cl/576155
groups.google.com/g/golang-announce/c/YgW0sx8mN3M
kb.cert.org/vuls/id/421644
launchpad.net/bugs/cve/CVE-2023-45288
nvd.nist.gov/vuln/detail/CVE-2023-45288
pkg.go.dev/vuln/GO-2024-2687
security-tracker.debian.org/tracker/CVE-2023-45288
ubuntu.com/security/notices/USN-6886-1
www.cve.org/CVERecord?id=CVE-2023-45288