Bug 1216109 (CVE-2023-39325)

Summary: VUL-0: CVE-2023-39325: go1.20,go1.21: net/http: rapid stream resets can cause excessive work
Product: [Novell Products] SUSE Security Incidents
Reporter: Jeff Kowalczyk <jkowalczyk>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/381392/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-39325:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1216123

Description Jeff Kowalczyk 2023-10-10 19:14:58 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.

HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.

This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2.

The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
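The mitigation the description summarizes (handler goroutines bounded to the stream concurrency limit, later requests queued until a handler exits, and the connection dropped once the queue grows too large) can be shown as a small user-space limiter. The code below is an added example written for this page; it is not the Go project's patch and not anything SUSE ships. It uses only the standard library; the names Limiter, Limited, NewServer, ErrQueueFull, the context keys and the limits 2/1 and 250/250 are this example's own choices. The real remedy is to install the patched go1.20/go1.21 packages listed in this bug; the example only illustrates the policy.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// ErrQueueFull is returned when more requests are waiting for a handler slot on
// one connection than this example is willing to queue; the caller then closes
// the connection, which is the policy the advisory describes for the fix.
var ErrQueueFull = errors.New("too many queued requests on connection")

// Limiter bounds handlers running at once on one connection (the stream
// concurrency limit) and bounds how many further requests may wait for a slot.
// A request reset while waiting has its context cancelled and leaves the queue,
// so rapid resets cannot accumulate work beyond maxConcurrent+maxQueue.
type Limiter struct {
	slots    chan struct{} // one token per running handler (hypothetical design)
	mu       sync.Mutex
	queued   int
	maxQueue int
}

// NewLimiter allows maxConcurrent running handlers and maxQueue waiting requests.
func NewLimiter(maxConcurrent, maxQueue int) *Limiter {
	return &Limiter{slots: make(chan struct{}, maxConcurrent), maxQueue: maxQueue}
}

// Acquire takes a handler slot, waiting if all are busy. It returns ErrQueueFull
// at once when the wait queue is already full, and ctx.Err() if the request is
// cancelled (for example by a stream reset) before a slot frees up.
func (l *Limiter) Acquire(ctx context.Context) error {
	select {
	case l.slots <- struct{}{}:
		return nil // a slot was free, no queueing needed
	default:
	}
	l.mu.Lock()
	if l.queued >= l.maxQueue {
		l.mu.Unlock()
		return ErrQueueFull
	}
	l.queued++
	l.mu.Unlock()
	defer func() { l.mu.Lock(); l.queued--; l.mu.Unlock() }()
	select {
	case l.slots <- struct{}{}:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// Release frees the slot taken by a successful Acquire.
func (l *Limiter) Release() { <-l.slots }

// Queued reports how many requests are currently waiting for a slot.
func (l *Limiter) Queued() int { l.mu.Lock(); defer l.mu.Unlock(); return l.queued }

type ctxKey int

const (
	limiterKey ctxKey = iota
	connKey
)

// Limited makes every request obtain a slot from the per-connection Limiter in
// its context. On ErrQueueFull the net.Conn stored by NewServer is closed,
// dropping the whole connection rather than serving the flood.
func Limited(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		l, ok := r.Context().Value(limiterKey).(*Limiter)
		if !ok {
			next.ServeHTTP(w, r)
			return
		}
		if err := l.Acquire(r.Context()); err != nil {
			if c, isConn := r.Context().Value(connKey).(net.Conn); isConn && errors.Is(err, ErrQueueFull) {
				c.Close()
			}
			return // cancelled or dropped: nothing further to do
		}
		defer l.Release()
		next.ServeHTTP(w, r)
	})
}

// NewServer installs a fresh Limiter for each accepted connection through
// http.Server.ConnContext; request contexts derive from that connection context.
func NewServer(addr string, h http.Handler, maxConcurrent, maxQueue int) *http.Server {
	return &http.Server{
		Addr:    addr,
		Handler: Limited(h),
		ConnContext: func(ctx context.Context, c net.Conn) context.Context {
			ctx = context.WithValue(ctx, limiterKey, NewLimiter(maxConcurrent, maxQueue))
			return context.WithValue(ctx, connKey, c)
		},
	}
}

func main() {
	l := NewLimiter(2, 1)
	ctx := context.Background()
	_ = l.Acquire(ctx)
	_ = l.Acquire(ctx)                 // both handler slots are now busy
	go func() { _ = l.Acquire(ctx) }() // a third request waits in the queue
	time.Sleep(10 * time.Millisecond)
	fmt.Println("queued:", l.Queued(), "next acquire:", l.Acquire(ctx)) // queued: 1 next acquire: too many queued requests on connection
	_ = NewServer(":8443", http.NotFoundHandler(), 250, 250)             // same policy wired into a server
}
```

Because each request context derives from the ConnContext value and the HTTP/2 server cancels a stream's context when the client resets it, a reset request that is still waiting returns from Acquire with ctx.Err() and leaves the queue; an attacker can therefore hold at most maxConcurrent running handlers plus maxQueue waiters per connection, and exceeding that costs them the connection. The production knob for the concurrency limit remains http2.Server.MaxConcurrentStreams, applied with http2.ConfigureServer from golang.org/x/net/http2 (v0.17.0 or later carries the fix), as the description above states.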

Comment 2 OBSbugzilla Bot 2023-10-10 22:33:46 UTC
This is an autogenerated message for OBS integration:
This bug (1216109) was mentioned in
https://build.opensuse.org/request/show/1116742 Factory / go1.20
https://build.opensuse.org/request/show/1116743 Factory / go1.21

Comment 4 Alexander Bergmann 2023-10-11 09:26:07 UTC
See bsc#1216123 for general details about the "HTTP/2 Rapid Reset Attack".

Comment 5 Maintenance Automation 2023-10-13 12:30:19 UTC
SUSE-SU-2023:4069-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1212475, 1216109
CVE References: CVE-2023-39325, CVE-2023-44487
Sources used:
openSUSE Leap 15.5 (src): go1.21-1.21.3-150000.1.12.1
Development Tools Module 15-SP4 (src): go1.21-1.21.3-150000.1.12.1
Development Tools Module 15-SP5 (src): go1.21-1.21.3-150000.1.12.1
openSUSE Leap 15.4 (src): go1.21-1.21.3-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Maintenance Automation 2023-10-13 12:30:22 UTC
SUSE-SU-2023:4068-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1206346, 1216109
CVE References: CVE-2023-39325, CVE-2023-44487
Sources used:
openSUSE Leap 15.4 (src): go1.20-1.20.10-150000.1.29.1
openSUSE Leap 15.5 (src): go1.20-1.20.10-150000.1.29.1
Development Tools Module 15-SP4 (src): go1.20-1.20.10-150000.1.29.1
Development Tools Module 15-SP5 (src): go1.20-1.20.10-150000.1.29.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 OBSbugzilla Bot 2023-10-31 15:35:25 UTC
This is an autogenerated message for OBS integration:
This bug (1216109) was mentioned in
https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21

Comment 10 Marcus Meissner 2023-11-09 14:05:24 UTC
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109
CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    go-1.21-41.1, go1.21-1.21.3-2.1

Comment 12 Maintenance Automation 2023-11-16 20:30:01 UTC
SUSE-SU-2023:4472-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1206346, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Sources used:
openSUSE Leap 15.4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
openSUSE Leap 15.5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1
Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Maintenance Automation 2023-11-16 20:30:11 UTC
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944
CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284
Jira References: SLE-18320
Sources used:
openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1
Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 15 Thomas Leroy 2024-05-07 07:57:54 UTC
All done, closing.