Bug 1221400 (CVE-2023-45288) - VUL-0: CVE-2023-45288: go1.21,go1.22: net/http, x/net/http2: close connections when receiving too many headers
Status: IN_PROGRESS
Alias: CVE-2023-45288
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Jeff Kowalczyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/397669/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-45288:7.5:(AV:...
Keywords:
Depends on:
Blocks: 1221404
Reported: 2024-03-14 12:45 UTC by SMASH SMASH
Modified: 2024-06-24 11:00 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-03-14 12:45:09 UTC
via VINCE

 CVE: CVE-2023-45288
ID: VU#421644.3
Case: VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Date Added: 2024-02-19
Description: The Go packages net/http and golang.org/x/net/http2 do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, which will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption.
Comment 1 Marcus Meissner 2024-03-14 12:51:44 UTC
CRD: 2024-03-28
Comment 4 Thomas Leroy 2024-03-18 14:27:46 UTC
net/http is part of the Go package itself so a rebuild with a fixed version should fix all the dependencies.
However, golang.org/x/net/http2 is a module embedded in many different places.
I would wait for the Go security team advisory before opening another TRACKERBUG.
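The point above matters for remediation: a Go toolchain update fixes net/http in everything rebuilt with it, but a binary that vendors golang.org/x/net keeps its own copy of http2 until its dependency is bumped. The following is an added example (not code from this bug, from SUSE or from the Go project) that reads the build info Go embeds in every binary via the standard debug/buildinfo package and reports both conditions. The toolchain thresholds go1.21.9 and go1.22.2 are the releases the updates on this bug ship; the golang.org/x/net threshold v0.23.0 is taken from the upstream Go vulnerability report for this CVE and is an assumption of the example, as are the program and function names.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Fixed releases for CVE-2023-45288. The toolchain versions are the ones the
// updates on this bug ship; the golang.org/x/net version is taken from the
// upstream Go vulnerability report and is an assumption of this example.
var fixedGo = map[string]string{"1.21": "1.21.9", "1.22": "1.22.2"}

const fixedXNet = "v0.23.0"

// parseVersion reduces "go1.21.9", "v0.22.0", "go1.22rc1" or
// "go1.22.2 X:experiment" to numeric parts; pre marks an rc/beta/-suffix,
// which sorts before the bare version; ok is false for anything else
// (e.g. "devel ..." builds or an empty version from a local replace).
func parseVersion(v string) (parts [3]int, pre, ok bool) {
	if i := strings.IndexByte(v, ' '); i >= 0 {
		v = v[:i] // drop GOEXPERIMENT suffix
	}
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	for _, m := range []string{"-", "rc", "beta"} {
		if i := strings.Index(v, m); i >= 0 {
			v, pre = v[:i], true
		}
	}
	for i, f := range strings.Split(v, ".") {
		n, err := strconv.Atoi(f)
		if err != nil || i > 2 {
			return parts, pre, false
		}
		parts[i] = n
	}
	return parts, pre, true
}

// older reports whether a is older than b; ok is false if either is unparsable.
func older(a, b string) (lt, ok bool) {
	pa, preA, okA := parseVersion(a)
	pb, preB, okB := parseVersion(b)
	if !okA || !okB {
		return false, false
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i], true
		}
	}
	return preA && !preB, true
}

// Assess applies the thresholds to one binary's build info. The toolchain check
// covers net/http; the dependency check covers a vendored golang.org/x/net,
// whose http2 copy a toolchain rebuild does not update.
func Assess(goVersion string, deps []*debug.Module) []string {
	var out []string
	if p, _, ok := parseVersion(goVersion); !ok {
		out = append(out, "toolchain "+goVersion+": unparsable version, check manually")
	} else if fixed, known := fixedGo[fmt.Sprintf("%d.%d", p[0], p[1])]; known {
		if lt, _ := older(goVersion, fixed); lt {
			out = append(out, fmt.Sprintf("toolchain %s < go%s: net/http unpatched", goVersion, fixed))
		}
	} else if lt, _ := older(goVersion, "1.21.0"); lt {
		out = append(out, "toolchain "+goVersion+": predates the patched lines (go1.21.9, go1.22.2)")
	}
	for _, d := range deps {
		if d.Path != "golang.org/x/net" {
			continue
		}
		if d.Replace != nil {
			d = d.Replace // the replacement is what was actually compiled in
		}
		switch lt, ok := older(d.Version, fixedXNet); {
		case !ok:
			out = append(out, "golang.org/x/net "+d.Version+": unparsable version, check manually")
		case lt:
			out = append(out, fmt.Sprintf("golang.org/x/net %s < %s: x/net/http2 unpatched", d.Version, fixedXNet))
		}
	}
	return out
}

// Usage: h2check /usr/bin/containerd /usr/local/bin/some-go-service ...
// Prints one line per finding; exit status 1 if anything was flagged.
func main() {
	rc := 0
	for _, path := range os.Args[1:] {
		bi, err := buildinfo.ReadFile(path)
		if err != nil {
			fmt.Printf("%s: %v\n", path, err)
			continue
		}
		for _, f := range Assess(bi.GoVersion, bi.Deps) {
			fmt.Printf("%s: %s\n", path, f)
			rc = 1
		}
	}
	os.Exit(rc)
}
```

The same information is visible by hand with `go version -m <binary>`; the program only makes it scriptable across a fleet. Two caveats: a pseudo-version of x/net (v0.0.0-<date>-<hash>) parses as 0.0.0 and is reported as unpatched even when the commit postdates the fix, so those need a manual look at the date, and a binary that uses x/net/http2 through another vendored module (a gRPC server, for instance) is still only as fixed as the x/net copy it links, which is exactly what the dependency check reports.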
Comment 5 Marcus Meissner 2024-03-26 12:41:28 UTC
CRD: 2024-04-04

there are draft patches in the VINCE issue, but I would say we pick up the go stable release that likely will happen soon after CRD.
Comment 6 Jeff Kowalczyk 2024-04-03 17:56:31 UTC
Upstream CVE announcement 2024-04-03:

http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, we don't allocate memory to store the excess headers but we do parse them. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.

Set a limit on the amount of excess header frames we will process before closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.
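The advisory describes two different limits: a per-request one (MaxHeaderBytes, which only decides whether the request is rejected) and, after the fix, a per-connection one on how much excess header data the server will keep parsing before it closes the connection. The following added example (written for this page; it is neither the Go project's code nor the upstream patch, whose exact threshold and error code are not reproduced here) shows that distinction on a minimal HTTP/2 frame reader. Frame payloads are placeholder bytes standing in for an opaque HPACK block, so HPACK and Huffman decoding cost is not modelled; the ExcessLimit value, the type and function names, and the constructed frame sequence are all the example's own choices.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Frame types and flags from RFC 9113 that this reader handles.
const frameHeaders, frameContinuation, flagEndHeaders byte = 0x1, 0x9, 0x4

var ErrHeaderTooLarge = errors.New("header block over MaxHeaderBytes: reject request, keep connection")
var ErrExcessHeaders = errors.New("excess header data over tolerance: close connection")
var ErrProtocol = errors.New("malformed frame sequence: close connection")

// HeaderReader reassembles one header block (HEADERS plus CONTINUATION).
// MaxHeaderBytes is the per-request limit; ExcessLimit is how much more header
// data the connection tolerates for an over-limit request before the peer is
// cut off. Both values are this example's choice.
type HeaderReader struct {
	MaxHeaderBytes int
	ExcessLimit    int
}

type frame struct {
	typ, flags byte
	streamID   uint32
	payload    []byte
}

// parseFrame decodes the 9-byte frame header (RFC 9113 section 4.1). PADDED and
// PRIORITY are not handled; the constructed input never sets them.
func parseFrame(buf []byte) (frame, []byte, error) {
	if len(buf) < 9 {
		return frame{}, nil, ErrProtocol
	}
	n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
	if len(buf) < 9+n {
		return frame{}, nil, ErrProtocol
	}
	f := frame{typ: buf[3], flags: buf[4], streamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff, payload: buf[9 : 9+n]}
	return f, buf[9+n:], nil
}

// ReadHeaderBlock consumes frames until END_HEADERS. kept is the block data
// retained for HPACK decoding, parsed the number of header bytes consumed. An
// over-limit request is still drained (HPACK state must stay in sync with the
// peer) but no longer stored; past ExcessLimit the reader stops and reports a
// connection-level error instead of parsing on.
func (r HeaderReader) ReadHeaderBlock(buf []byte) (kept []byte, parsed int, err error) {
	want, stream, tooLarge := frameHeaders, uint32(0), false
	for {
		var f frame
		if f, buf, err = parseFrame(buf); err != nil {
			return nil, parsed, err
		}
		if f.typ != want || (want == frameContinuation && f.streamID != stream) {
			return nil, parsed, ErrProtocol
		}
		want, stream = frameContinuation, f.streamID
		parsed += len(f.payload)
		switch {
		case parsed > r.MaxHeaderBytes+r.ExcessLimit:
			return nil, parsed, ErrExcessHeaders
		case parsed > r.MaxHeaderBytes:
			tooLarge = true // stop storing, keep draining
		default:
			kept = append(kept, f.payload...)
		}
		if f.flags&flagEndHeaders == 0 {
			continue
		}
		if tooLarge {
			return nil, parsed, ErrHeaderTooLarge
		}
		return kept, parsed, nil
	}
}

// buildFrame and headerFlood construct the sample input: a HEADERS frame and
// frames-1 CONTINUATION frames of chunk placeholder bytes, the last one with
// END_HEADERS. The payloads stand in for an opaque HPACK block.
func buildFrame(typ, flags byte, stream uint32, payload []byte) []byte {
	h := make([]byte, 9, 9+len(payload))
	h[0], h[1], h[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	h[3], h[4] = typ, flags
	binary.BigEndian.PutUint32(h[5:9], stream)
	return append(h, payload...)
}

func headerFlood(frames, chunk int) []byte {
	block := make([]byte, chunk)
	var out []byte
	for i := 0; i < frames; i++ {
		typ, flags := frameContinuation, byte(0)
		if i == 0 {
			typ = frameHeaders
		}
		if i == frames-1 {
			flags = flagEndHeaders
		}
		out = append(out, buildFrame(typ, flags, 1, block)...)
	}
	return out
}
```

With MaxHeaderBytes and ExcessLimit both at 1 MiB and 16 KiB frames, 64 frames are accepted in full, 65 frames are drained and rejected as too large, and a flood of 1000 frames is cut off after 129 frames with a connection error rather than being parsed to the end. Without the excess cap, the second branch alone would have the server parse all 1000 frames (or as many as the attacker cares to send) for a request it has already decided to reject, which is the pre-fix behaviour the advisory describes.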
Comment 7 OBSbugzilla Bot 2024-04-03 19:25:03 UTC
This is an autogenerated message for OBS integration:
This bug (1221400) was mentioned in
https://build.opensuse.org/request/show/1164437 Factory / go1.21
https://build.opensuse.org/request/show/1164438 Factory / go1.22
Comment 11 Marcus Meissner 2024-04-04 07:09:09 UTC
is public
Comment 12 Marcus Meissner 2024-04-04 07:11:19 UTC
https://kb.cert.org/vuls/id/421644  cert note
Comment 13 Maintenance Automation 2024-04-05 16:30:02 UTC
SUSE-SU-2024:1121-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33201](https://smelt.suse.de/incident/33201/)
Sources used:
openSUSE Leap 15.5 (src):
 go1.22-1.22.2-150000.1.12.1
Development Tools Module 15-SP5 (src):
 go1.22-1.22.2-150000.1.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2024-04-05 20:30:02 UTC
SUSE-SU-2024:1122-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33202](https://smelt.suse.de/incident/33202/)
Sources used:
openSUSE Leap 15.5 (src):
 go1.21-1.21.9-150000.1.30.1
Development Tools Module 15-SP5 (src):
 go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 go1.21-1.21.9-150000.1.30.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 go1.21-1.21.9-150000.1.30.1
Comment 15 Maintenance Automation 2024-04-08 12:30:05 UTC
SUSE-SU-2024:1161-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1212475, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33204](https://smelt.suse.de/incident/33204/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.21-1.21.9-1.30.1
Comment 16 Maintenance Automation 2024-04-08 12:30:06 UTC
SUSE-SU-2024:1160-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1218424, 1221400
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:33200](https://smelt.suse.de/incident/33200/)
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 go1.22-1.22.2-1.6.1
Comment 19 Maintenance Automation 2024-06-20 20:30:07 UTC
SUSE-SU-2024:2108-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1221400, 1224323
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:34007](https://smelt.suse.de/incident/34007/)
Sources used:
openSUSE Leap Micro 5.3 (src):
 containerd-1.7.17-150000.111.3
openSUSE Leap Micro 5.4 (src):
 containerd-1.7.17-150000.111.3
openSUSE Leap 15.5 (src):
 containerd-1.7.17-150000.111.3
openSUSE Leap 15.6 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.5 (src):
 containerd-1.7.17-150000.111.3
Containers Module 15-SP5 (src):
 containerd-1.7.17-150000.111.3
Containers Module 15-SP6 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Enterprise Storage 7.1 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.1 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 containerd-1.7.17-150000.111.3