Go HTTP/2: HTTP/2 excessive CONTINUATION frames leading to uncontrolled resource consumption (CVE-2023-45288) #shorts

Summary

CVE-2023-45288 is a recently identified vulnerability affecting specific versions of the Go standard library's HTTP package and the Go HTTP/2 implementation. This vulnerability allows attackers to cause uncontrolled resource consumption through excessive header data processing.

Product details

The affected components are Go's standard library net/http package in versions below 1.21.9 and from 1.22.0-0 up to (but not including) 1.22.2, as well as the golang.org/x/net HTTP/2 module (golang.org/x/net/http2) in versions below 0.23.0. The issue lies specifically in how CONTINUATION frames are processed within HTTP/2 connections.

Vulnerability type summary

CVE-2023-45288 is categorized under CWE-400: Uncontrolled Resource Consumption. This class of vulnerability arises when a system does not sufficiently limit the resources it spends processing input, allowing an attacker to exhaust those resources by flooding it with crafted data.

Details of the vulnerability

CVE-2023-45288 can be exploited by an attacker sending an excessive number of CONTINUATION frames to an HTTP/2 endpoint. Once a request's headers exceed the MaxHeaderBytes limit, the excess header data is not stored, but it must still be parsed and processed to keep the connection's HPACK state consistent, which forces the endpoint to spend significant resources on a request it is going to reject anyway. The cost to the attacker is minimal compared with the cost imposed on the target, because Huffman-encoded header data is far cheaper to send than to decode. The fix imposes a limit on the number of excess header frames processed before the connection is closed.

Conclusion

Users running affected versions of the Go HTTP library and HTTP/2 implementation should upgrade to a fixed release (the first unaffected versions in the CVE record are Go 1.21.9, Go 1.22.2 and golang.org/x/net 0.23.0) to mitigate the risks posed by CVE-2023-45288. This is a critical step to safeguard systems against resource exhaustion attacks and ensure robust and secure operation.
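As an added example (not code from the Go project or from this page), the following Go program encodes the affected version ranges listed above and reports whether a given Go toolchain or golang.org/x/net version falls inside them. It assumes versions written as go1.21.8, v0.22.0, 1.22rc1 or 1.22.0-0; any text after the leading dotted digits is treated as a pre-release marker, and other version schemes are not handled.

```go
package main

import (
	"strconv"
	"strings"
)

// "from <= version < lessThan" ranges transcribed from the CVE record on this page.
var affected = []struct{ component, from, lessThan string }{
	{"go", "0", "1.21.9"},
	{"go", "1.22.0-0", "1.22.2"},
	{"golang.org/x/net", "0", "0.23.0"},
}

// parseVersion reads "go1.22.1", "v0.22.0", "1.22rc1" or "1.22.0-0" into numeric parts;
// any text after the leading dotted digits (rc1, -0, beta2) marks a pre-release (assumption).
func parseVersion(v string) (parts [3]int, pre bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexFunc(v, func(r rune) bool { return r != '.' && (r < '0' || r > '9') }); i >= 0 {
		pre, v = true, v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		parts[i], _ = strconv.Atoi(p) // a missing part counts as 0
	}
	return parts, pre
}

// less reports whether a sorts before b; a pre-release sorts before its own release.
func less(a, b string) bool {
	av, apre := parseVersion(a)
	bv, bpre := parseVersion(b)
	for i := range av {
		if av[i] != bv[i] {
			return av[i] < bv[i]
		}
	}
	return apre && !bpre
}

// isAffected reports whether component@version lies inside one of the affected ranges.
// component is "go" (toolchain, e.g. runtime.Version()) or "golang.org/x/net" (go.mod).
func isAffected(component, version string) bool {
	for _, r := range affected {
		if r.component == component && !less(version, r.from) && less(version, r.lessThan) {
			return true
		}
	}
	return false
}
```

Feed it the output of `go version` (or runtime.Version() inside the service) for "go" and the golang.org/x/net line from go.mod or `go version -m <binary>` for the x/net component; a true result means the binary still needs the upgrade described above.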

Watch the full video on YouTube: CVE-2023-45288

CVE database technical details

CVE ID
CVE-2023-45288
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Provider
Go
CWE / problem types
CWE-400: Uncontrolled Resource Consumption
Affected Software Versions
Go standard library, net/http: from 0 before 1.21.9 (affected, semver); from 1.22.0-0 before 1.22.2 (affected, semver)
golang.org/x/net, golang.org/x/net/http2: from 0 before 0.23.0 (affected, semver)
Date Published
2024-04-04T20:37:30.714Z
Last Updated
2025-02-13T17:14:01.156Z