x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

GoVulnBot · 2023-10-10T16:01:24Z

CVE-2023-44487 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

References:

Cross references:

Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35945 #1917 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-2wmf-p7f8-w42h #1921 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35943 #1969 NOT_GO_CODE
Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35944 #1970 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.27.0
      packages:
        - package: n/a
cves:
    - CVE-2023-44487
references:
    - web: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
    - web: https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
    - web: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
    - web: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
    - web: https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
    - web: https://news.ycombinator.com/item?id=37831062
    - web: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
    - web: https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    - fix: https://github.com/envoyproxy/envoy/pull/30055
    - report: https://github.com/haproxy/haproxy/issues/2312
    - report: https://github.com/eclipse/jetty.project/issues/10679
    - web: https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
    - fix: https://github.com/nghttp2/nghttp2/pull/1961
    - fix: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
    - report: https://github.com/alibaba/tengine/issues/1872
    - report: https://github.com/hyperium/hyper/issues/3337
    - web: https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
    - web: https://news.ycombinator.com/item?id=37830987
    - web: https://news.ycombinator.com/item?id=37830998
    - web: https://chaos.social/@icing/111210915918780532
    - report: https://github.com/caddyserver/caddy/issues/5877
    - web: https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
    - web: https://github.com/bcdannyboy/CVE-2023-44487

The text was updated successfully, but these errors were encountered:

gopherbot · 2023-10-16T13:20:44Z

Change https://go.dev/cl/535696 mentions this issue: data/excluded: batch add 5 excluded reports

jba self-assigned this Oct 11, 2023

jba added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Oct 11, 2023

gopherbot closed this as completed in 70ecfcc Oct 23, 2023

This was referenced Apr 10, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-27919 #2710

Open

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-30255 #2713

Open

GoVulnBot mentioned this issue Apr 18, 2024

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2024-32475 #2735

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

GoVulnBot commented Oct 10, 2023

gopherbot commented Oct 16, 2023

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487 #2106

Comments

GoVulnBot commented Oct 10, 2023

gopherbot commented Oct 16, 2023