[GO-2023-2102] HTTP/2 rapid reset can cause excessive work in net/http
A malicious HTTP/2 client which rapidly creates requests and immediately resets
them can cause excessive server resource consumption. While the total number of
requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting
an in-progress request allows the attacker to create a new request while the
existing one is still executing.
With the fix applied, HTTP/2 servers now bound the number of simultaneously
executing handler goroutines to the stream concurrency limit
(MaxConcurrentStreams). New requests arriving when at the limit (which can only
happen after the client has reset an existing, in-flight request) will be queued
until a handler exits. If the request queue grows too large, the server will
terminate the connection.
This issue is also fixed in golang.org/x/net/http2 for users manually
configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2
connection. This value may be adjusted using the golang.org/x/net/http2 package;
see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Package | Affected Version |
---|---|
pkg:golang/net/http | >= 1.21.2, < 1.20.10 |
pkg:golang/net/http | >= 1.21.2, < 1.21.3 |
pkg:golang/golang.org/x/net/http2 | >= 0.16.0, < 0.17.0 |
Package | Fixed Version |
---|---|
pkg:golang/net/http | = 1.20.10 |
pkg:golang/net/http | = 1.21.3 |
pkg:golang/golang.org/x/net/http2 | = 0.17.0 |
- ID
- GO-2023-2102
- Severity
- high
- Severity from
- CVE-2023-39325
- URL
- https://pkg.go.dev/vuln/GO-2023-2102
- Published
-
2023-10-10T19:15:38
(11 months ago) - Modified
-
2024-07-17T19:54:18
(2 months ago) - Other Advisories
-
- ALAS-2023-1871
- ALAS-2024-1920
- ALAS2-2023-2313
- ALAS2-2023-2324
- ALAS2-2023-2325
- ALAS2-2023-2326
- ALAS2-2023-2339
- ALAS2-2024-2424
- ALAS2-2024-2458
- ALPINE:CVE-2023-39325
- ALSA-2023:5721
- ALSA-2023:5738
- ALSA-2023:5863
- ALSA-2023:5867
- ALSA-2023:6077
- ELSA-2023-13028
- ELSA-2023-13029
- ELSA-2023-13053
- ELSA-2023-13054
- ELSA-2023-5721
- ELSA-2023-5738
- ELSA-2023-5863
- ELSA-2023-5867
- FEDORA-2023-0d46257314
- FEDORA-2023-257f33c602
- FEDORA-2023-327346caa5
- FEDORA-2023-3a895ff65c
- FEDORA-2023-4bf641255e
- FEDORA-2023-5029b92850
- FEDORA-2023-548163deb1
- FEDORA-2023-66966ae3d0
- FEDORA-2023-6f4c5b6331
- FEDORA-2023-822aab0a5a
- FEDORA-2023-a5a5542890
- FEDORA-2023-b43faebc9f
- FEDORA-2023-b60ff8c9ec
- FEDORA-2023-b75ee820ce
- FEDORA-2023-c858d2c53b
- FEDORA-2023-d58c8eeb7c
- FEDORA-2023-e359fd31d2
- FEDORA-2023-e3e4e3f51a
- FEDORA-2023-fa2d7b25d9
- FEDORA-2023-fa2ec3d3e0
- FEDORA-2023-fe53e13b5b
- FEDORA-2024-07c811c7a5
- FEDORA-2024-0ac454dafc
- FEDORA-2024-0d4d9925a2
- FEDORA-2024-35c28f59d1
- FEDORA-2024-5d8e87ec66
- FEDORA-2024-80e062d21a
- FEDORA-2024-9cc0e0c63e
- FEDORA-2024-ae653fb07b
- FEDORA-2024-b85b97c0e9
- FEDORA-2024-c3e32c5635
- FEDORA-2024-cafa04a149
- FEDORA-2024-d652859efb
- FEDORA-2024-f99ecead66
- FEDORA-2024-fb32950d11
- FEDORA-2024-fd3545a844
- FREEBSD:7A1B2624-6A89-11EE-AF06-5404A68AD561
- GLSA-202311-09
- openSUSE-SU-2023:0360-1
- RHSA-2023:5721
- RHSA-2023:5738
- RHSA-2023:5835
- RHSA-2023:5863
- RHSA-2023:5867
- RHSA-2023:6077
- RLSA-2023:5863
- RLSA-2023:6077
- SUSE-SU-2023:4068-1
- SUSE-SU-2023:4069-1
- SUSE-SU-2023:4469-1
- SUSE-SU-2023:4472-1
- SUSE-SU-2024:3094-1
- SUSE-SU-2024:3097-1
- SUSE-SU-2024:3098-1
- USN-6574-1
Source | # ID | Name | URL |
---|---|---|---|
Security Advisory | https://github.com/advisories/GHSA-4374-p667-p6c8 |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Fixed | pkg:golang/net/http | net | http | = 1.20.10 | |||
Affected | pkg:golang/net/http | net | http | >= 1.21.2 < 1.20.10 | |||
Fixed | pkg:golang/net/http | net | http | = 1.21.3 | |||
Affected | pkg:golang/net/http | net | http | >= 1.21.2 < 1.21.3 | |||
Fixed | pkg:golang/golang.org/x/net/http2 | golang.org/x/net | http2 | = 0.17.0 | |||
Affected | pkg:golang/golang.org/x/net/http2 | golang.org/x/net | http2 | >= 0.16.0 < 0.17.0 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |