Bugzilla – Bug 1221400
VUL-0: CVE-2023-45288: go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers
Last modified: 2024-06-24 11:00:09 UTC
via VINCE
CVE: CVE-2023-45288
ID: VU#421644.3
Case: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Date Added: 2024-02-19
Description: The Go packages net/http and golang.org/x/net/http2 do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
CRD: 2024-03-28
net/http is part of the Go package itself so a rebuild with a fixed version should fix all the dependencies. However, golang.org/x/net/http2 is a module embedded in many different places. I would wait for the Go security team advisory before opening another TRACKERBUG.
CRD: 2024-04-04. There are draft patches in the VINCE issue, but I would say we pick up the Go stable release that likely will happen soon after CRD.
Upstream CVE announcement 2024-04-03:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

Set a limit on the amount of excess header frames we will process before closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
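The accounting behind the mitigation described in that announcement, as an added Go example (not code from Go, x/net or SUSE): header bytes up to a per-request limit are kept, bytes beyond it are still parsed but counted as excess, and once the excess passes a second limit the connection is closed rather than reading further CONTINUATION frames. The headerBlockReader and headerFrame types, the 16/32-byte limits and the input frames are constructed here for illustration.

```go
package main

import ("errors"; "fmt")

// Peer keeps sending header data for a request already over its limit: close the connection.
var errExcessHeaders = errors.New("http2: too much excess header data, closing connection")

// Reduced HEADERS/CONTINUATION frame: block fragment plus END_HEADERS flag.
type headerFrame struct {
	fragment   []byte
	endHeaders bool
}

// maxHeaderBytes is what we keep per request; excessLimit is how much over-limit
// data we still parse (HPACK state must stay in sync) before closing the connection.
type headerBlockReader struct {
	maxHeaderBytes int
	excessLimit    int
}

// readBlock consumes frames until END_HEADERS. tooLarge means reject the
// request (e.g. 431) but keep the connection; errExcessHeaders means close it.
func (r headerBlockReader) readBlock(frames []headerFrame) (tooLarge bool, err error) {
	kept, excess := 0, 0
	for _, f := range frames {
		n := len(f.fragment) // real code: feed f.fragment to the HPACK decoder here
		if room := r.maxHeaderBytes - kept; n <= room {
			kept += n
		} else {
			kept += room
			excess += n - room
			if excess > r.excessLimit {
				return true, errExcessHeaders
			}
		}
		if f.endHeaders {
			return excess > 0, nil
		}
	}
	return excess > 0, errors.New("header block truncated before END_HEADERS")
}

func main() {
	r := headerBlockReader{maxHeaderBytes: 16, excessLimit: 32} // constructed limits
	frames := []headerFrame{{fragment: make([]byte, 16)}}     // constructed: one full HEADERS frame...
	for i := 0; i < 100; i++ {                                  // ...then 10-byte CONTINUATIONs, never END_HEADERS
		frames = append(frames, headerFrame{fragment: make([]byte, 10)})
	}
	fmt.Println(r.readBlock(frames)) // true http2: too much excess header data, closing connection
}
```

Without the excess limit the loop would parse all 100 frames (and any number after them); with it, reading stops at the fourth CONTINUATION frame.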
This is an autogenerated message for OBS integration:
This bug (1221400) was mentioned in
https://build.opensuse.org/request/show/1164437 Factory / go1.21
https://build.opensuse.org/request/show/1164438 Factory / go1.22
is public
https://kb.cert.org/vuls/id/421644 cert note
SUSE-SU-2024:1121-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33201](https://smelt.suse.de/incident/33201/)
Sources used:
openSUSE Leap 15.5 (src): go1.22-1.22.2-150000.1.12.1
Development Tools Module 15-SP5 (src): go1.22-1.22.2-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1122-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33202](https://smelt.suse.de/incident/33202/)
Sources used:
openSUSE Leap 15.5 (src): go1.21-1.21.9-150000.1.30.1
Development Tools Module 15-SP5 (src): go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): go1.21-1.21.9-150000.1.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1161-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33204](https://smelt.suse.de/incident/33204/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.21-1.21.9-1.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1160-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33200](https://smelt.suse.de/incident/33200/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): go1.22-1.22.2-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:2108-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1221400, 1224323
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:34007](https://smelt.suse.de/incident/34007/)
Sources used:
openSUSE Leap Micro 5.3 (src): containerd-1.7.17-150000.111.3
openSUSE Leap Micro 5.4 (src): containerd-1.7.17-150000.111.3
openSUSE Leap 15.5 (src): containerd-1.7.17-150000.111.3
openSUSE Leap 15.6 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.3 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.3 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.4 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.4 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.5 (src): containerd-1.7.17-150000.111.3
Containers Module 15-SP5 (src): containerd-1.7.17-150000.111.3
Containers Module 15-SP6 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): containerd-1.7.17-150000.111.3
SUSE Enterprise Storage 7.1 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.1 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.2 (src): containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src): containerd-1.7.17-150000.111.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.