CVE-2023-39325

11.10.2023, 22:15

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Go	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 36%

Vendor	Product	Version
golang	go	1.20.0 ≤ 𝑥 < 1.20.10
golang	go	1.21.0 ≤ 𝑥 < 1.21.3
golang	http2	𝑥 < 0.17.0
netapp	astra_trident	-
netapp	astra_trident_autosupport	-

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

golang-1.15

bullseye	vulnerable
bookworm	no-dsa
buster	postponed

golang-1.19

bookworm	vulnerable
bullseye	no-dsa
buster	postponed

Ubuntu Releases

Ubuntu Product

Codename

golang

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	dne
focal	dne
bionic	dne
xenial	dne
trusty	dne

golang-1.10

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	ignored

golang-1.13

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	dne

golang-1.14

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	dne
focal	needs-triage
bionic	dne
xenial	dne
trusty	dne

golang-1.16

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	dne
focal	needs-triage
bionic	needs-triage
xenial	dne
trusty	dne

golang-1.17

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	Fixed 1.17.13-3ubuntu1.2 released
focal	dne
bionic	dne
xenial	dne
trusty	dne

golang-1.18

oracular	dne
noble	dne
mantic	dne
lunar	dne
jammy	Fixed 1.18.1-1ubuntu1.2 released
focal	Fixed 1.18.1-1ubuntu1~20.04.3 released
bionic	Fixed 1.18.1-1ubuntu1~18.04.4+esm1 released
xenial	Fixed 1.18.1-1ubuntu1~16.04.6+esm1 released
trusty	dne

golang-1.19

oracular	dne
noble	dne
mantic	dne
lunar	ignored
jammy	dne
focal	dne
bionic	ignored
xenial	ignored
trusty	ignored

golang-1.20

oracular	dne
noble	dne
mantic	Fixed 1.20.8-1ubuntu0.23.10.1 released
lunar	Fixed 1.20.3-1ubuntu0.2 released
jammy	Fixed 1.20.3-1ubuntu0.1~22.04.1 released
focal	Fixed 1.20.3-1ubuntu0.1~20.04.1 released
bionic	ignored
xenial	ignored
trusty	ignored

golang-1.21

oracular	dne
noble	not-affected
mantic	Fixed 1.21.1-1ubuntu0.23.10.1 released
lunar	Fixed 1.21.1-1~ubuntu23.04.2 released
jammy	Fixed 1.21.1-1~ubuntu22.04.2 released
focal	Fixed 1.21.1-1~ubuntu20.04.2 released
bionic	ignored
xenial	ignored
trusty	ignored