CVE-2023-45288
Denial of Service vulnerability in stdlib (Go)

Denial of Service Proof of concept Fixable By Resolved Security

What is CVE-2023-45288 About?

This vulnerability allows an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data. It can lead to resource exhaustion or processing overhead, resulting in a Denial of Service. The exploit leverages HTTP/2 specific frames and is moderately complex to craft.

Affected Software

  • stdlib
    • <1.21.9
  • golang.org/x/net
    • <0.23.0
  • net/http
    • <1.21.9
    • >1.22.0-0, <1.22.2
  • golang.org/x/net/http2
    • <0.23.0

Technical Details

The vulnerability stems from the HTTP/2 protocol's handling of HEADERS and CONTINUATION frames, specifically in how HPACK state is maintained and parsed. An attacker sends an excessive number of CONTINUATION frames. Even once a request's headers exceed MaxHeaderBytes, the server still decodes the excess header data; it merely discards the result instead of storing it. This lets an attacker force the server to parse an arbitrary amount of data, including Huffman-encoded data, which is far more expensive for the server to decode than for the attacker to send. The attack vector is a specially crafted HTTP/2 request whose header block is split across a very large number of CONTINUATION frames.

What is the Impact of CVE-2023-45288?

Successful exploitation may allow attackers to consume excessive CPU resources, degrade server performance, and cause a Denial of Service for legitimate users.

What is the Exploitability of CVE-2023-45288?

Exploitation involves sending carefully constructed HTTP/2 requests with an excessive number of CONTINUATION frames. This requires a moderate understanding of HTTP/2 protocol specifics. No authentication is required, as the attack targets the parsing of initial request headers. No specific privileges are needed, and the attack is remote. The main constraint is the ability to send raw HTTP/2 frames. The risk is increased if the endpoint is publicly exposed and handles a large volume of HTTP/2 traffic.

What are the Known Public Exploits?

PoC Author | Link | Commentary
hex0punk   | Link | PoC for CVE-2023-45288, continuation flood vulnerability

What are the Available Fixes for CVE-2023-45288?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch prevents excessive memory usage by discarding oversized header fragments early and terminating the connection if a client keeps sending unusually large or continued header frames after the maximum header size has been exceeded or after an invalid header has been detected. This directly addresses CVE-2023-45288, a header-parsing denial-of-service vulnerability in which a malicious client causes resource exhaustion by flooding the server with CONTINUATION frames, bypassing the header limits.
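The following Go program is an added illustration of the behaviour described in the Technical Details and in the fix description above; it is not code from the Go project or from Resolved Security. It models a header block arriving as HEADERS plus CONTINUATION frames (a constructed Frame type, not x/net's) and contrasts the vulnerable path, which keeps decoding fragments after MaxHeaderBytes is exceeded, with the fixed path, which closes the connection at the first fragment over the limit.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame models the two fields of an HTTP/2 HEADERS or CONTINUATION frame
// that matter here (constructed for this example, not x/net's Frame type).
type Frame struct {
	Fragment   []byte // header block fragment (HPACK-encoded bytes)
	EndHeaders bool   // END_HEADERS flag: this is the last fragment of the block
}

var ErrHeaderListTooLarge = errors.New("header block exceeds MaxHeaderBytes: closing connection")

// readHeaderBlock consumes frames until END_HEADERS and reports how many
// fragment bytes the server spent HPACK-decoding (modelled as a byte count).
// abortWhenOver=false mimics the vulnerable behaviour: fragments past
// maxHeaderBytes are still decoded, then discarded. abortWhenOver=true mimics
// the fix: the first fragment that pushes the total past the limit ends the
// connection with no further decoding.
func readHeaderBlock(frames []Frame, maxHeaderBytes int, abortWhenOver bool) (bytesDecoded int, err error) {
	total := 0
	for _, f := range frames {
		total += len(f.Fragment)
		if total > maxHeaderBytes && abortWhenOver {
			return bytesDecoded, ErrHeaderListTooLarge
		}
		bytesDecoded += len(f.Fragment) // decode work is spent whether or not the result is kept
		if f.EndHeaders {
			return bytesDecoded, nil
		}
	}
	return bytesDecoded, errors.New("connection closed before END_HEADERS")
}

// continuationFlood builds one HEADERS frame followed by n CONTINUATION frames,
// each carrying fragSize bytes, with END_HEADERS never set (constructed input).
func continuationFlood(n, fragSize int) []Frame {
	frames := make([]Frame, 0, n+1)
	for i := 0; i <= n; i++ {
		frames = append(frames, Frame{Fragment: make([]byte, fragSize)})
	}
	return frames
}

func main() {
	flood := continuationFlood(1000, 1024) // ~1 MiB of header fragments, no END_HEADERS
	const limit = 8192
	before, err := readHeaderBlock(flood, limit, false)
	fmt.Printf("vulnerable: decoded %d bytes against a %d-byte limit (%v)\n", before, limit, err)
	after, err := readHeaderBlock(flood, limit, true)
	fmt.Printf("fixed:      decoded %d bytes then aborted (%v)\n", after, err)
}
```

The byte counts stand in for decode work: with the vulnerable path the count grows with whatever the attacker sends, while the fixed path's count is bounded by the limit plus one fragment.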

Available Upgrade Options

  • golang.org/x/net
    • <0.23.0 → Upgrade to 0.23.0
  • net/http
    • <1.21.9 → Upgrade to 1.21.9
  • net/http
    • >1.22.0-0, <1.22.2 → Upgrade to 1.22.2
  • stdlib
    • <1.21.9 → Upgrade to 1.21.9
  • golang.org/x/net/http2
    • <0.23.0 → Upgrade to 0.23.0


Additional Resources

What are Similar Vulnerabilities to CVE-2023-45288?

Similar Vulnerabilities: CVE-2020-1934, CVE-2016-1000109, CVE-2021-33190, CVE-2021-21356, CVE-2020-13935