CVE-2023-39325

EUVD-2023-2635

11.10.2023, 22:15

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 35%

Affected Products (NVD)

Vendor	Product	Version
golang	go	1.20.0 ≤ 𝑥 < 1.20.10
golang	go	1.21.0 ≤ 𝑥 < 1.21.3
golang	http2	𝑥 < 0.17.0
netapp	astra_trident	-
netapp	astra_trident_autosupport	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-1.15

bookworm	no-dsa
bullseye	vulnerable
buster	postponed

golang-1.19

bookworm	vulnerable
bullseye	no-dsa
buster	postponed

Ubuntu Releases

Ubuntu Product

Codename

golang

bionic	dne
focal	dne
jammy	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

golang-1.10

bionic	needs-triage
focal	dne
jammy	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	needs-triage

golang-1.13

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	needs-triage

golang-1.14

bionic	dne
focal	needs-triage
jammy	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

golang-1.16

bionic	needs-triage
focal	needs-triage
jammy	dne
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

golang-1.17

bionic	dne
focal	dne
jammy	Fixed 1.17.13-3ubuntu1.2 released
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	dne

golang-1.18

bionic	Fixed 1.18.1-1ubuntu1~18.04.4+esm1 released
focal	Fixed 1.18.1-1ubuntu1~20.04.3 released
jammy	Fixed 1.18.1-1ubuntu1.2 released
lunar	dne
mantic	dne
noble	dne
oracular	dne
trusty	dne
xenial	Fixed 1.18.1-1ubuntu1~16.04.6+esm1 released

golang-1.19

bionic	ignored
focal	dne
jammy	dne
lunar	ignored
mantic	dne
noble	dne
oracular	dne
trusty	ignored
xenial	ignored

golang-1.20

bionic	ignored
focal	Fixed 1.20.3-1ubuntu0.1~20.04.1 released
jammy	Fixed 1.20.3-1ubuntu0.1~22.04.1 released
lunar	Fixed 1.20.3-1ubuntu0.2 released
mantic	Fixed 1.20.8-1ubuntu0.23.10.1 released
noble	dne
oracular	dne
trusty	ignored
xenial	ignored

golang-1.21

bionic	ignored
focal	Fixed 1.21.1-1~ubuntu20.04.2 released
jammy	Fixed 1.21.1-1~ubuntu22.04.2 released
lunar	Fixed 1.21.1-1~ubuntu23.04.2 released
mantic	Fixed 1.21.1-1ubuntu0.23.10.1 released
noble	not-affected
oracular	dne
trusty	ignored
xenial	ignored