exploitDog
BDU:2023-07013

Published: 06 Oct 2023
Source: fstec
CVSS3: 7.5
CVSS2: 7.8
EPSS: Low

Description

A vulnerability in the http2 package of the Go programming language allows uncontrolled consumption of server resources: a client that resets in-progress HTTP/2 streams can open new requests while the reset ones are still executing, so the Server.MaxConcurrentStreams limit no longer bounds the number of running handlers. Exploitation may allow a remote attacker to cause a denial of service.

Vendor

Red Hat Inc.
ООО «Ред Софт»
The Go Project

Software name

Red Hat Enterprise Linux
Red Hat Storage
Red Hat Quay
РЕД ОС
Red Hat Advanced Cluster Management for Kubernetes
Red Hat OpenShift Container Platform
Red Hat Satellite
Red Hat OpenStack Platform
Red Hat OpenShift Data Science (RHODS)
Go
Red Hat Ansible Automation Platform

Software version

7 (Red Hat Enterprise Linux)
8 (Red Hat Enterprise Linux)
3 (Red Hat Storage)
3 (Red Hat Quay)
7.3 (РЕД ОС)
2 (Red Hat Advanced Cluster Management for Kubernetes)
4 (Red Hat OpenShift Container Platform)
6 (Red Hat Satellite)
9 (Red Hat Enterprise Linux)
16.2 (Red Hat OpenStack Platform)
8.6 Extended Update Support (Red Hat Enterprise Linux)
9.0 Extended Update Support (Red Hat Enterprise Linux)
- (Red Hat OpenShift Data Science (RHODS))
4.13 (Red Hat OpenShift Container Platform)
4.11 (Red Hat OpenShift Container Platform)
8.4 Telecommunications Update Service (Red Hat Enterprise Linux)
8.4 Update Services for SAP Solutions (Red Hat Enterprise Linux)
8.4 Advanced Mission Critical Update Support (Red Hat Enterprise Linux)
4.12 (Red Hat OpenShift Container Platform)
6.11 for RHEL 7 (Red Hat Satellite)
6.11 for RHEL 8 (Red Hat Satellite)
6.13 for RHEL 8 (Red Hat Satellite)
17.1 (Red Hat OpenStack Platform)
before 0.17.0 (Go: golang.org/x/net/http2 module)
2.2 (Red Hat Ansible Automation Platform)
2.3 (Red Hat Ansible Automation Platform)
2.4 (Red Hat Ansible Automation Platform)
from 1.21.0 before 1.21.3 (Go)
from 1.20.0 before 1.20.10 (Go)
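The version ranges above translate directly into a check on a deployed binary. The following Go program is an example written for this page (not part of Go, the golang.org/x/net module, or any vendor's tooling): it parses the output of `go version -m <binary>`, which prints the toolchain that built the binary followed by its module dependencies, and flags the toolchain against the listed Go ranges (1.20.0 before 1.20.10, 1.21.0 before 1.21.3) and golang.org/x/net against 0.17.0. Assumptions: series older than 1.20 are reported as affected because the advisory lists no fixed release for them and 1.22 or later as fixed; the sample output is constructed, not captured from a real binary; and the x/net result only matters for programs that import golang.org/x/net/http2 directly, since net/http ships its own copy of the code that the toolchain update fixes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver is a parsed version as [major, minor, patch].
type semver [3]int

func (a semver) less(b semver) bool {
	return a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])
}

// parseVersion accepts "go1.21.3", "go1.21" (patch 0), "v0.17.0" and module
// pseudo-versions like "v0.0.0-20230101000000-000000000000" (numeric prefix only).
func parseVersion(s string) (semver, bool) {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return semver{}, false
	}
	var v semver
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, false // e.g. "go1.21rc2": not a release version
		}
		v[i] = n
	}
	return v, true
}

// toolchainAffected applies the ranges listed above: 1.20.0 before 1.20.10 and 1.21.0 before 1.21.3.
// Assumption: series older than 1.20 have no listed fix and count as affected; 1.22+ counts as fixed.
func toolchainAffected(v semver) bool {
	switch minor := v[1]; {
	case v[0] > 1 || minor >= 22:
		return false
	case minor == 21:
		return v[2] < 3
	case minor == 20:
		return v[2] < 10
	}
	return true
}

type Report struct {
	Toolchain         string // e.g. "go1.21.1"
	ToolchainAffected bool
	XNet              string // golang.org/x/net version, "" if not a module dependency
	XNetAffected      bool   // relevant only if the program imports golang.org/x/net/http2 itself
}

// assessGoVersionM parses `go version -m <binary>` output: a "<path>: goX.Y.Z" line followed by
// tab-indented, tab-separated module records such as "dep\tgolang.org/x/net\tv0.15.0\th1:...".
func assessGoVersionM(output string) (Report, error) {
	var r Report
	for _, line := range strings.Split(output, "\n") {
		if i := strings.LastIndex(line, ": go"); i >= 0 && r.Toolchain == "" && !strings.HasPrefix(line, "\t") {
			r.Toolchain = strings.TrimSpace(line[i+2:])
			v, ok := parseVersion(r.Toolchain)
			if !ok {
				return r, fmt.Errorf("unparsable toolchain version %q", r.Toolchain)
			}
			r.ToolchainAffected = toolchainAffected(v)
			continue
		}
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		if len(f) >= 3 && f[0] == "dep" && f[1] == "golang.org/x/net" {
			v, ok := parseVersion(f[2])
			if !ok {
				return r, fmt.Errorf("unparsable golang.org/x/net version %q", f[2])
			}
			r.XNet, r.XNetAffected = f[2], v.less(semver{0, 17, 0}) // fixed in x/net 0.17.0
		}
	}
	if r.Toolchain == "" {
		return r, fmt.Errorf("no \"<path>: goX.Y.Z\" line found; is this `go version -m` output?")
	}
	return r, nil
}

// sampleAffected is a constructed sample in the shape `go version -m` prints (not a real binary).
var sampleAffected = strings.Join([]string{
	"/usr/local/bin/myapp: go1.21.1",
	"\tpath\texample.com/myapp",
	"\tdep\tgolang.org/x/net\tv0.15.0\th1:placeholder",
}, "\n")

func main() {
	r, err := assessGoVersionM(sampleAffected)
	fmt.Printf("%+v error=%v\n", r, err)
}
```

Feed the real output of `go version -m` on each deployed binary to assessGoVersionM; binaries built without module information print no dep records, and replaced modules (`=>` records) are not interpreted here. A binary built with a fixed toolchain but an old x/net is only at risk if its code imports golang.org/x/net/http2 itself.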

Software type

Operating system
Application software of information systems
Network device
Software of a hardware-software appliance
Network software

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 7
Red Hat Inc. Red Hat Enterprise Linux 8
ООО «Ред Софт» РЕД ОС 7.3
Red Hat Inc. Red Hat Enterprise Linux 9
Red Hat Inc. Red Hat Enterprise Linux 8.6 Extended Update Support
Red Hat Inc. Red Hat Enterprise Linux 9.0 Extended Update Support
Red Hat Inc. Red Hat Enterprise Linux 8.4 Telecommunications Update Service
Red Hat Inc. Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
Red Hat Inc. Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support

Vulnerability severity

High severity (CVSS 2.0 base score 7.8)
High severity (CVSS 3.0 base score 7.5)

Possible remediation measures

Use the following recommendations:
For Go:
https://github.com/golang/go/issues/63426
https://github.com/golang/go/issues/63417
https://pkg.go.dev/golang.org/x/net@v0.17.0/http2?tab=versions
https://github.com/golang/go/tags
https://go-review.googlesource.com/c/go/+/534235
https://go-review.googlesource.com/c/net/+/534215
For Red Hat Inc. software products:
https://access.redhat.com/security/cve/cve-2023-39325
For РЕД ОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/

Vulnerability status

Confirmed by the vendor

Exploit availability

Information being clarified

Remediation information

Vulnerability has been fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 37%
Score: 0.0015 (Low)

CVSS3: 7.5 High
CVSS2: 7.8 High

Related vulnerabilities

CVSS3: 9.8
redos
about 1 year ago

Multiple vulnerabilities in cri-o

CVSS3: 7.5
redos
10 months ago

Multiple vulnerabilities in packer

CVSS3: 7.5
ubuntu
more than 1 year ago

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; s...

CVSS3: 7.5
redhat
more than 1 year ago

(Same description as the ubuntu entry above.)

CVSS3: 7.5
nvd
more than 1 year ago

(Same description as the ubuntu entry above.)
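The mechanism in the description above (a reset stream frees its MaxConcurrentStreams slot while its handler keeps executing) and the bound the fix introduces (handlers limited to MaxConcurrentStreams, excess requests queued, connection terminated when the queue grows too large) can be made concrete with a small deterministic simulation. The Go program below is an illustration added for this page, not code from net/http or golang.org/x/net/http2. Assumptions chosen for the illustration: every handler costs 5 ticks, the queue limit that triggers teardown equals MaxConcurrentStreams (the real threshold is not stated on this page), and the attacker opens and immediately resets a fixed burst of streams per tick.

```go
package main

import "fmt"

// handlerTicks is the simulated cost of one request handler (assumption for the illustration).
const handlerTicks = 5

// streamSim is a toy HTTP/2 server connection: not code from net/http or golang.org/x/net/http2.
type streamSim struct {
	maxConcurrentStreams int  // the Server.MaxConcurrentStreams value (default 250 per the page)
	fixed                bool // false: pre-fix accounting; true: handler bound + queue described in the fix
	maxQueued            int  // fixed mode: queued requests tolerated before teardown (assumed value)

	openStreams int   // streams the protocol layer counts as open
	running     []int // remaining ticks of each executing handler goroutine
	queued      int   // fixed mode: requests waiting for a handler slot

	PeakRunning int  // most handlers ever executing at once
	ConnClosed  bool // server terminated the connection
	Refused     int  // HEADERS refused because openStreams hit the limit
}

func newStreamSim(maxStreams int, fixed bool) *streamSim {
	return &streamSim{maxConcurrentStreams: maxStreams, fixed: fixed, maxQueued: maxStreams}
}

func (s *streamSim) notePeak() {
	if len(s.running) > s.PeakRunning {
		s.PeakRunning = len(s.running)
	}
}

// headers models a HEADERS frame opening a new stream and dispatching its request.
func (s *streamSim) headers() {
	if s.ConnClosed {
		return
	}
	if s.openStreams >= s.maxConcurrentStreams {
		s.Refused++ // the protocol-level limit works as designed...
		return
	}
	s.openStreams++
	if !s.fixed || len(s.running) < s.maxConcurrentStreams {
		s.running = append(s.running, handlerTicks) // ...but pre-fix, every accepted stream starts a handler
		s.notePeak()
		return
	}
	// Fixed: at the handler limit, which is only reachable after a reset of an in-flight request.
	s.queued++
	if s.queued > s.maxQueued {
		s.ConnClosed = true // queue grew too large: terminate the connection
	}
}

// reset models RST_STREAM from the client: the stream closes at the protocol layer
// (freeing a MaxConcurrentStreams slot) while its handler, if started, keeps running.
func (s *streamSim) reset() {
	if !s.ConnClosed && s.openStreams > 0 {
		s.openStreams--
	}
}

// tick advances simulated time: handlers progress, finished ones exit, and in fixed
// mode queued requests take the freed handler slots.
func (s *streamSim) tick() {
	live := s.running[:0]
	for _, left := range s.running {
		if left > 1 {
			live = append(live, left-1)
		}
	}
	s.running = live
	for s.fixed && s.queued > 0 && len(s.running) < s.maxConcurrentStreams {
		s.queued--
		s.running = append(s.running, handlerTicks)
	}
	s.notePeak()
}

// rapidReset drives the attack: each tick the client opens `burst` streams and immediately
// resets each one. Returns the peak handler concurrency and whether the server gave up.
func rapidReset(s *streamSim, burst, ticks int) (peakRunning int, connClosed bool) {
	for i := 0; i < ticks; i++ {
		for j := 0; j < burst; j++ {
			s.headers()
			s.reset()
		}
		s.tick()
	}
	return s.PeakRunning, s.ConnClosed
}

func main() {
	for _, fixed := range []bool{false, true} {
		peak, closed := rapidReset(newStreamSim(250, fixed), 1000, 20)
		fmt.Printf("fixed=%v: peak executing handlers=%d, connection closed=%v\n", fixed, peak, closed)
	}
}
```

With MaxConcurrentStreams 250 and 1000 open-and-reset pairs per tick, the pre-fix mode never refuses a stream (openStreams never exceeds 1) and reaches 5000 concurrently executing handlers, five times the burst, because each handler lives for five ticks. The post-fix mode never exceeds 250 executing handlers and tears the connection down during the first tick, once 251 requests are waiting behind them. A client that stays under the server's capacity (40 requests per tick, 200 concurrent handlers) is served without queueing in either mode.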
