Bugzilla – Bug 1216109
VUL-0: CVE-2023-39325: go1.20,go1.21: net/http: rapid stream resets can cause excessive work
Last modified: 2024-05-07 07:57:54 UTC
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit. New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 v0.17.0, for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. This is CVE-2023-39325 and Go issue https://go.dev/issue/63417. This is also tracked by CVE-2023-44487.
This is an autogenerated message for OBS integration: This bug (1216109) was mentioned in https://build.opensuse.org/request/show/1116742 Factory / go1.20 https://build.opensuse.org/request/show/1116743 Factory / go1.21
See bsc#1216123 for general details about the "HTTP/2 Rapid Reset Attack".
SUSE-SU-2023:4069-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1212475, 1216109 CVE References: CVE-2023-39325, CVE-2023-44487 Sources used: openSUSE Leap 15.5 (src): go1.21-1.21.3-150000.1.12.1 Development Tools Module 15-SP4 (src): go1.21-1.21.3-150000.1.12.1 Development Tools Module 15-SP5 (src): go1.21-1.21.3-150000.1.12.1 openSUSE Leap 15.4 (src): go1.21-1.21.3-150000.1.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4068-1: An update that solves two vulnerabilities can now be installed. Category: security (important) Bug References: 1206346, 1216109 CVE References: CVE-2023-39325, CVE-2023-44487 Sources used: openSUSE Leap 15.4 (src): go1.20-1.20.10-150000.1.29.1 openSUSE Leap 15.5 (src): go1.20-1.20.10-150000.1.29.1 Development Tools Module 15-SP4 (src): go1.20-1.20.10-150000.1.29.1 Development Tools Module 15-SP5 (src): go1.20-1.20.10-150000.1.29.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (1216109) was mentioned in https://build.opensuse.org/request/show/1121461 Backports:SLE-12 / go1.21
openSUSE-SU-2023:0360-1: An update that solves 8 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 1212475,1212667,1212669,1215084,1215085,1215086,1215087,1215090,1215985,1216109 CVE References: CVE-2023-39318,CVE-2023-39319,CVE-2023-39320,CVE-2023-39321,CVE-2023-39322,CVE-2023-39323,CVE-2023-39325,CVE-2023-44487 JIRA References: Sources used: SUSE Package Hub for SUSE Linux Enterprise 12 (src): go-1.21-41.1, go1.21-1.21.3-2.1
SUSE-SU-2023:4472-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1206346, 1215985, 1216109, 1216943, 1216944 CVE References: CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284 Sources used: openSUSE Leap 15.4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1 openSUSE Leap 15.5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1 Development Tools Module 15-SP4 (src): go1.20-openssl-1.20.11.1-150000.1.14.1 Development Tools Module 15-SP5 (src): go1.20-openssl-1.20.11.1-150000.1.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4469-1: An update that solves 10 vulnerabilities, contains one feature and has two security fixes can now be installed. Category: security (moderate) Bug References: 1212475, 1212667, 1212669, 1215084, 1215085, 1215086, 1215087, 1215090, 1215985, 1216109, 1216943, 1216944 CVE References: CVE-2023-39318, CVE-2023-39319, CVE-2023-39320, CVE-2023-39321, CVE-2023-39322, CVE-2023-39323, CVE-2023-39325, CVE-2023-44487, CVE-2023-45283, CVE-2023-45284 Jira References: SLE-18320 Sources used: openSUSE Leap 15.4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 openSUSE Leap 15.5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 Development Tools Module 15-SP4 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 Development Tools Module 15-SP5 (src): go1.21-openssl-1.21.4.1-150000.1.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.