BIT-golang-2022-41723
Denial of Service (DoS) vulnerability in stdlib (Go)


What is BIT-golang-2022-41723 About?

This is a Denial of Service vulnerability caused by excessive CPU consumption in the HPACK decoder for HTTP/2. A small number of maliciously crafted HTTP/2 streams can trigger resource exhaustion, leading to a denial of service. Exploitation is relatively easy, requiring only specially crafted HTTP/2 requests.

Affected Software

  • stdlib
    • <1.19.6
  • golang.org/x/net
    • <0.7.0

Technical Details

The vulnerability lies within the HPACK decoder, which is used for header compression in HTTP/2. A maliciously crafted HTTP/2 stream can exploit inefficiencies or specific edge cases in the HPACK decompression algorithm. This could involve, for example, sending a sequence of headers that, when decompressed, lead to disproportionately high computational cost, or cause excessive memory allocations that are then processed inefficiently. Specifically, a small number of seemingly innocuous requests can trigger complex and CPU-intensive operations during header table lookups or updates within the HPACK decoder. This sustained, high CPU consumption starves the server of resources, rendering it unable to process legitimate requests and leading to a denial of service.

What is the Impact of BIT-golang-2022-41723?

Successful exploitation may allow attackers to exhaust server CPU resources, leading to a denial of service for legitimate users.

What is the Exploitability of BIT-golang-2022-41723?

Exploitation of this vulnerability is relatively easy, as it only requires sending a small number of maliciously crafted HTTP/2 requests. No authentication is typically required for initiating HTTP/2 connections. No special privileges are needed for the attacker. The attack is remote, as the malicious HTTP/2 stream can be sent over the network. The primary condition is that the target server must support HTTP/2 and utilize the vulnerable HPACK decoder. Risk factors that increase exploitation likelihood include publicly exposed HTTP/2 endpoints and lack of effective rate limiting or anomaly detection for HTTP/2 traffic.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for BIT-golang-2022-41723?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch fixes improper timing of Huffman decoding in the HPACK parser by deferring the actual decoding until after input data boundaries and validation checks, preventing potential buffer over-reads and use-after-free. By ensuring that string data is not decoded until its validity is confirmed, the patch addresses the root cause of CVE-2022-41723, which allowed attackers to exploit memory safety vulnerabilities in Go’s HTTP/2 HPACK decoder.

Available Upgrade Options

  • golang.org/x/net
    • <0.7.0 → Upgrade to 0.7.0
  • stdlib
    • <1.19.6 → Upgrade to 1.19.6
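As an added example (not part of this advisory and not Resolved Security's tooling), the Go program below checks a build's toolchain and module versions against the affected ranges listed above. The fixed versions come from the upgrade options; the `go list -m all` lines fed to it are constructed sample input, and the helper names are the author's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed versions exactly as the advisory's upgrade options list them.
var fixed = map[string]string{"stdlib": "1.19.6", "golang.org/x/net": "0.7.0"}

// parseVersion maps "go1.19.5", "v0.5.0", "go1.20rc1" or a pseudo-version such as
// "v0.0.0-20220722155237-a158d28d115b" to one integer (major, minor, patch packed
// into 20-bit fields) so that a plain < compares versions.
func parseVersion(v string) (int64, error) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop "-date-hash" and "+incompatible" suffixes
	}
	var major, minor, patch int64
	// Sscanf stops at the first rune that does not fit, so "1.20rc1" gives 1, 20, 0.
	if n, _ := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch); n < 2 {
		return 0, fmt.Errorf("unrecognised version %q", v)
	}
	return major<<40 | minor<<20 | patch, nil
}

// CheckDeps takes the "goX.Y.Z" token printed by `go version` plus `go list -m all`
// output ("module version" per line) and returns entries still inside the affected ranges.
func CheckDeps(goVersion, goList string) ([]string, error) {
	var hits []string
	for _, line := range strings.Split("stdlib "+goVersion+"\n"+goList, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || fixed[f[0]] == "" {
			continue // not a "module version" line, or not covered by this advisory
		}
		have, err := parseVersion(f[1])
		if err != nil {
			return nil, err
		}
		if want, _ := parseVersion(fixed[f[0]]); have < want {
			hits = append(hits, f[0]+" "+f[1]+" (fixed in "+fixed[f[0]]+")")
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample input, not taken from a real project.
	fmt.Println(CheckDeps("go1.19.5", "example.com/svc\ngolang.org/x/net v0.5.0\ngolang.org/x/sys v0.4.0"))
}
```

Pseudo-versions of the form `v0.0.0-<date>-<hash>` predate every tagged release of golang.org/x/net and are therefore reported as affected.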


Additional Resources

What are Similar Vulnerabilities to BIT-golang-2022-41723?

Similar Vulnerabilities: CVE-2019-9512, CVE-2019-9514, CVE-2019-9515, CVE-2021-33194, CVE-2023-44487