CVE-2023-45288: HTTP/2 CONTINUATION flood in net/http

Published Mar 6, 2024
ยท
Updated

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Affected Software

143 affected componentsFixes available
go/golang.org/x/net<0.23.0
0.23.0
go/net/http>=1.22.0-0<1.22.2
1.22.2
go/golang.org/x/net/http2<0.23.0
0.23.0
go/net/http<1.21.9
1.21.9
debian/golang-1.15<=1.15.15-1~deb11u4
debian/golang-1.19<=1.19.8-2
debian/golang-golang-x-net<=1:0.0+git20210119.5f4716e+dfsg-4, <=1:0.7.0+dfsg-1
1:0.27.0-1
IBM Concert Software<=1.0.0-1.1.0
redhat/golang<1.22.2
1.22.2
redhat/golang<1.21.9
1.21.9
redhat/golang.org/x/net<0.23.0
0.23.0
Microsoft cbl2 moby-engine 24.0.9-16
Patch available
Microsoft cbl2 telegraf 1.29.4-15
Patch available
Microsoft cbl2 helm 3.14.2-5
Patch available
Microsoft cbl2 coredns 1.11.1-18
Patch available
Microsoft cbl2 cri-tools 1.29.0-6
Patch available
Microsoft cbl2 etcd 3.5.12-6
Patch available
Microsoft cbl2 helm 3.14.2-2
Patch available
Microsoft cbl2 moby-containerd-cc 1.7.7-4
Patch available
Microsoft cbl2 nmi 1.8.17-2
Patch available
Microsoft cbl2 kured 1.14.2-3
Patch available
Microsoft cbl2 moby-compose 2.17.3-3
Patch available
Microsoft cbl2 cert-manager 1.11.2-9
Patch available
Microsoft cbl2 skopeo 1.14.2-10
Patch available
Microsoft cbl2 cert-manager 1.11.2-22
Patch available
Microsoft cbl2 helm 3.14.2-5
Patch available
Microsoft cbl2 blobfuse2 2.1.2-8
Patch available
Microsoft cbl2 sriov-network-device-plugin 3.6.2-9
Patch available
Microsoft cbl2 vitess 16.0.2-9
Patch available
Microsoft cbl2 moby-compose 2.17.3-10
Patch available
Microsoft cbl2 kubernetes 1.28.4-17
Patch available
Microsoft azl3 packer 1.9.5-6
Patch available
Microsoft azl3 ig 0.25.0-2
Patch available
Microsoft azl3 azcopy 10.24.0-1
Patch available
Microsoft azl3 libcontainers-common 20240213-3
Patch available
Microsoft azl3 local-path-provisioner 0.0.24-5
Patch available
Microsoft azl3 kube-vip-cloud-provider 0.0.7-1
Patch available
Microsoft azl3 coredns 1.11.1-4
Patch available
Microsoft azl3 blobfuse2 2.1.0-4
Patch available
Microsoft azl3 docker-buildx 0.12.1-1
Patch available
Microsoft azl3 skopeo 1.14.4-5
Patch available
Microsoft azl3 vitess 17.0.2-1
Patch available
Microsoft azl3 gh 2.43.1-2
Patch available
Microsoft azl3 kubernetes 1.29.1-4
Patch available
Microsoft azl3 application-gateway-kubernetes-ingress 1.7.7-1
Patch available
Microsoft azl3 kubernetes 1.30.1-1
Patch available
Microsoft azl3 skopeo 1.14.4-3
Patch available
Microsoft cbl2 kata-containers 3.2.0.azl2-6
Patch available
Microsoft azl3 jx 3.10.116-2
Patch available
Microsoft azl3 docker-buildx 0.14.0-1
Patch available
Microsoft azl3 etcd 3.5.18-1
Patch available
Microsoft azl3 cf-cli 8.7.3-6
Patch available
Microsoft azl3 kured 1.15.0-2
Patch available
Microsoft azl3 blobfuse2 2.3.0-1
Patch available
Microsoft azl3 docker-cli 25.0.7-1
Patch available
Microsoft azl3 prometheus-node-exporter 1.7.0-2
Patch available
Microsoft azl3 coredns 1.11.1-2
Patch available
Microsoft azl3 containerd 1.7.13-6
Patch available
Microsoft azl3 telegraf 1.31.0-1
Patch available
Microsoft azl3 cert-manager 1.12.12-1
Patch available
Microsoft azl3 local-path-provisioner 0.0.24-3
Patch available
Microsoft azl3 moby-containerd-cc 1.7.7-6
Patch available
Microsoft azl3 node-problem-detector 0.8.15-4
Patch available
Microsoft azl3 git-lfs 3.6.1-1
Patch available
Microsoft azl3 libcontainers-common 20240213-2
Patch available
Microsoft azl3 docker-compose 2.27.0-1
Patch available
Microsoft azl3 vitess 19.0.4-2
Patch available
Microsoft azl3 kube-vip-cloud-provider 0.0.10-1
Patch available
Microsoft azl3 flannel 0.24.2-10
Patch available
Microsoft azl3 gh 2.62.0-1
Patch available
Microsoft azl3 containerized-data-importer 1.57.0-11
Patch available
Microsoft azl3 prometheus-adapter 0.12.0-1
Patch available
Microsoft azl3 azcopy 10.25.1-1
Patch available
Microsoft azl3 kubevirt 1.2.0-13
Patch available
Microsoft azl3 opa 0.63.0-1
Patch available
Microsoft azl3 moby-engine 25.0.3-10
Patch available
Microsoft azl3 influxdb 2.7.3-6
Patch available
Microsoft azl3 cri-tools 1.30.1-1
Patch available
Microsoft azl3 prometheus 2.45.4-4
Patch available
Microsoft azl3 multus 4.0.2-3
Patch available
Microsoft azl3 ig 0.29.0-1
Patch available
Microsoft azl3 kata-containers 3.2.0.azl4-1
Patch available
Microsoft azl3 kata-containers-cc 3.2.0.azl4-1
Patch available
Microsoft cbl2 packer 1.10.1-2
Patch available
Microsoft azl3 helm 3.15.2-1
Patch available
Microsoft cbl2 kata-containers-cc 3.2.0.azl2-1
Patch available
Microsoft cbl2 sriov-network-device-plugin 3.6.2-3
Patch available
Microsoft cbl2 moby-containerd 1.6.26-5
Patch available
Microsoft cbl2 moby-engine 24.0.9-2
Patch available
Microsoft cbl2 kata-containers 3.2.0.azl2-1
Patch available
Microsoft cbl2 vitess 16.0.2-8
Patch available
Microsoft cbl2 kubernetes 1.28.4-7
Patch available
Microsoft cbl2 blobfuse2 2.1.2-3
Patch available
Microsoft cbl2 kubevirt 0.59.0-16
Patch available
Microsoft cbl2 cri-tools 1.29.0-2
Patch available
Microsoft cbl2 skopeo 1.14.2-3
Patch available
Microsoft cbl2 node-problem-detector 0.8.17-3
Patch available
Microsoft cbl2 etcd 3.5.12-2
Patch available
Microsoft cbl2 telegraf 1.29.4-3
Patch available
Microsoft cbl2 multus 4.0.2-3
Patch available
Microsoft cbl2 opa 0.63.0-2
Patch available
Microsoft cbl2 git-lfs 3.5.1-1
Patch available
Microsoft cbl2 moby-cli 24.0.9-3
Patch available
Microsoft cbl2 nmi 1.8.17-3
Patch available
Microsoft cbl2 prometheus 2.37.9-2
Patch available
Microsoft cbl2 azcopy 10.24.0-1
Patch available
Microsoft cbl2 prometheus 2.37.9-4
Patch available
Microsoft cbl2 azcopy 10.24.0-3
Patch available
Microsoft cbl2 moby-cli 24.0.9-6
Patch available
Microsoft cbl2 git-lfs 3.5.1-5
Patch available
Microsoft azl3 kata-containers-cc 3.2.0.azl3-1
Patch available
Microsoft cbl2 coredns 1.11.1-8
Patch available
Microsoft azl3 prometheus 2.45.4-12
Patch available
Microsoft azl3 kata-containers 3.2.0.azl3-2
Patch available
Microsoft cbl2 multus 4.0.2-7
Patch available
Microsoft cbl2 telegraf 1.29.4-15
Patch available
Microsoft cbl2 opa 0.63.0-4
Patch available
Microsoft cbl2 node-problem-detector 0.8.17-6
Patch available
Microsoft cbl2 moby-containerd 1.6.26-11
Patch available
Microsoft cbl2 nmi 1.8.17-1
Patch available
Microsoft cbl2 kured 1.14.2-5
Patch available
Microsoft cbl2 moby-containerd-cc 1.7.7-11
Patch available
Microsoft cbl2 kubevirt 0.59.0-28
Patch available
Microsoft cbl2 moby-engine 24.0.9-16
Patch available
Microsoft azl3 helm 3.13.2-3
Patch available
Microsoft cbl2 packer 1.9.5-5
Patch available
Microsoft cbl2 kata-containers-cc 3.2.0.azl2-6
Patch available
Microsoft azl3 influxdb 2.7.5-5
Patch available
Microsoft azl3 prometheus-adapter 0.11.2-1
Patch available
Microsoft azl3 moby-engine 25.0.3-13
Patch available
Microsoft azl3 cri-tools 1.29.0-1
Patch available
Microsoft azl3 kubevirt 1.2.0-17
Patch available
Microsoft azl3 containerized-data-importer 1.57.0-14
Patch available
Microsoft azl3 flannel 0.24.2-14
Patch available
Microsoft azl3 moby-containerd-cc 1.7.7-9
Patch available
Microsoft azl3 docker-compose 2.24.6-2
Patch available
Microsoft azl3 prometheus-node-exporter 1.7.0-3
Patch available
Microsoft azl3 application-gateway-kubernetes-ingress 1.7.2-3
Patch available
Microsoft azl3 cert-manager 1.11.2-8
Patch available
Microsoft azl3 telegraf 1.29.4-1
Patch available
Microsoft azl3 git-lfs 3.4.1-1
Patch available
Microsoft azl3 etcd 3.5.12-2
Patch available
Microsoft azl3 docker-cli 25.0.3-3
Patch available

Remediation

Patch Available

https://github.com/golang/go/commit/ae5913347d15cf7d1f218916c22717e5739a9ea3

Patch Available

https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b

Event History

Mar 6, 2024
Data Sourced
via Red Hatยท08:49 PM
DescriptionSeverityAffected Software
Apr 4, 2024
CVE Published
via MITREยท08:37 PM
Data Sourced
via MITREยท08:37 PM
DescriptionWeakness
Data Sourced
via NVDยท09:15 PM
DescriptionSeverity
Advisory Published
via GitHubยท09:30 PM
Apr 8, 2024
Data Sourced
via Microsoftยท07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoftยท07:00 AM
Affected Software
Updated
via Microsoftยท07:00 AM
Affected Software
Updated
via Microsoftยท07:00 AM
SeverityAffected Software
Updated
via Microsoftยท07:00 AM
DescriptionSeverity
Jul 9, 2024
Data Sourced
via Launchpadยท03:35 PM
Description
Nov 15, 2024
Data Sourced
via Ubuntuยท01:21 PM
RemedyDescriptionSeverityAffected Software
Sep 8, 2025
Data Sourced
via IBMยท12:00 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2023-45288?

CVE-2023-45288 is considered a high-severity vulnerability as it allows an attacker to read arbitrary amounts of header data.

2

How do I fix CVE-2023-45288?

To fix CVE-2023-45288, upgrade to the latest versions of affected packages such as golang.org/x/net version 0.23.0 or net/http version 1.22.2.

3

Which software is affected by CVE-2023-45288?

Software affected by CVE-2023-45288 includes older versions of golang.org/x/net, net/http, and IBM Planning Analytics Workspace.

4

What types of attacks are possible with CVE-2023-45288?

An attacker can exploit CVE-2023-45288 by sending excessive CONTINUATION frames, which may lead to header data exposure.

5

Is there a workaround for CVE-2023-45288?

There is no documented workaround for CVE-2023-45288, so upgrading to the patched versions is advised.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
ยฉ 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203