CVE-2023-39325
HTTP/2 rapid reset can cause excessive work in net/http
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Un cliente HTTP/2 malicioso que crea solicitudes rápidamente y las restablece inmediatamente puede provocar un consumo excesivo de recursos del servidor. Si bien el número total de solicitudes está limitado por la configuración http2.Server.MaxConcurrentStreams, restablecer una solicitud en curso permite al atacante crear una nueva solicitud mientras la existente aún se está ejecutando. Con la solución aplicada, los servidores HTTP/2 ahora vincularon el número de rutinas de controlador que se ejecutan simultáneamente al límite de concurrencia de transmisión (MaxConcurrentStreams). Las nuevas solicitudes que lleguen cuando se encuentre en el límite (lo que solo puede ocurrir después de que el cliente haya restablecido una solicitud existente en curso) se pondrán en cola hasta que salga un controlador. Si la cola de solicitudes crece demasiado, el servidor finalizará la conexión. Este problema también se solucionó en golang.org/x/net/http2 para los usuarios que configuran HTTP/2 manualmente. El límite de simultaneidad de transmisiones predeterminado es 250 transmisiones (solicitudes) por conexión HTTP/2. Este valor se puede ajustar utilizando el paquete golang.org/x/net/http2; consulte la configuración Server.MaxConcurrentStreams y la función ConfigureServer.
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.
CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2023-07-27 CVE Reserved
- 2023-10-11 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (47)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://go.dev/cl/534215 | 2024-04-28 | |
| https://go.dev/cl/534235 | 2024-04-28 | |
| https://go.dev/issue/63417 | 2024-04-28 | |
| https://pkg.go.dev/vuln/GO-2023-2102 | 2024-04-28 | |
| https://access.redhat.com/security/cve/CVE-2023-39325 | 2024-09-18 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2243296 | 2024-09-18 | |
| https://access.redhat.com/security/cve/CVE-2023-44487 | 2024-09-18 | |
| https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 | 2024-09-18 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.20.0 < 1.20.10 Search vendor "Golang" for product "Go" and version " >= 1.20.0 < 1.20.10" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Go Search vendor "Golang" for product "Go" | >= 1.21.0 < 1.21.3 Search vendor "Golang" for product "Go" and version " >= 1.21.0 < 1.21.3" | - |
Affected
| ||||||
| Golang Search vendor "Golang" | Http2 Search vendor "Golang" for product "Http2" | < 0.17.0 Search vendor "Golang" for product "Http2" and version " < 0.17.0" | go |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 37 Search vendor "Fedoraproject" for product "Fedora" and version "37" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 38 Search vendor "Fedoraproject" for product "Fedora" and version "38" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 39 Search vendor "Fedoraproject" for product "Fedora" and version "39" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Astra Trident Search vendor "Netapp" for product "Astra Trident" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Astra Trident Autosupport Search vendor "Netapp" for product "Astra Trident Autosupport" | - | - |
Affected
| ||||||