Skip to content

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

Closed
Closed
x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487#2106
Assignees
jba
Labels
excluded: NOT_GO_CODEThis vulnerability does not refer to a Go module.
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Oct 10, 2023

CVE-2023-44487 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.27.0
      packages:
        - package: n/a
cves:
    - CVE-2023-44487
references:
    - web: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
    - web: https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
    - web: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
    - web: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
    - web: https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
    - web: https://news.ycombinator.com/item?id=37831062
    - web: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
    - web: https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    - fix: https://github.com/envoyproxy/envoy/pull/30055
    - report: https://github.com/haproxy/haproxy/issues/2312
    - report: https://github.com/eclipse/jetty.project/issues/10679
    - web: https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
    - fix: https://github.com/nghttp2/nghttp2/pull/1961
    - fix: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
    - report: https://github.com/alibaba/tengine/issues/1872
    - report: https://github.com/hyperium/hyper/issues/3337
    - web: https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
    - web: https://news.ycombinator.com/item?id=37830987
    - web: https://news.ycombinator.com/item?id=37830998
    - web: https://chaos.social/@icing/111210915918780532
    - report: https://github.com/caddyserver/caddy/issues/5877
    - web: https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
    - web: https://github.com/bcdannyboy/CVE-2023-44487

Metadata

Metadata

Assignees

Labels

excluded: NOT_GO_CODEThis vulnerability does not refer to a Go module.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions