x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-44487

[GoVulnBot]

CVE-2023-44487 references github.com/envoyproxy/envoy, which may be a Go module.

Description:
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
• JSON: https://github.com/CVEProject/cvelist/tree/ef0d02ba40744d1e7b210e5582986da5d9538ecd/2023/44xxx/CVE-2023-44487.json
• web: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• web: https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• web: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
• web: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
• web: https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
• web: https://news.ycombinator.com/item?id=37831062
• web: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• web: https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
• fix: http: Fix CVE CVE-2023-44487 envoyproxy/envoy#30055
• report: H2 rapid reset aka CVE-2023-44487 haproxy/haproxy#2312
• report: Allow HTTP/2 rate control to mitigate HTTP/2 floods (CVE-2023-44487) jetty/jetty.project#10679
• web: https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
• fix: Rework session management nghttp2/nghttp2#1961
• fix: netty/netty@58f75f6
• report: CVE-2023-44487: HTTP/2 Rapid Reset Attack alibaba/tengine#1872
• report: hyper is not affected by CVE-2023-44487 hyperium/hyper#3337
• web: https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
• web: https://news.ycombinator.com/item?id=37830987
• web: https://news.ycombinator.com/item?id=37830998
• web: https://chaos.social/@icing/111210915918780532
• report: HTTP/2 Rapid Reset : CVE-2023-44487 caddyserver/caddy#5877
• web: https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
• web: https://github.com/bcdannyboy/CVE-2023-44487
• Imported by: https://pkg.go.dev/github.com/envoyproxy/envoy?tab=importedby

Cross references:

• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43824 #330 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43825 #331 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2021-43826 #332 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21654 #333 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21655 #334 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21656 #335 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-21657 #336 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-23606 #337 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29224 #484 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29225 #485 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29226 #486 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29227 #487 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2022-29228 #488 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27487 #1690 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27488 #1691 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27491 #1692 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27492 #1693 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27493 #1694 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-27496 #1695 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35945 #1917 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: GHSA-2wmf-p7f8-w42h #1921 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35941 #1966 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35942 #1968 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35943 #1969 NOT_GO_CODE
• Module github.com/envoyproxy/envoy appears in issue x/vulndb: potential Go vuln in github.com/envoyproxy/envoy: CVE-2023-35944 #1970 NOT_GO_CODE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/envoyproxy/envoy
      vulnerable_at: 1.27.0
      packages:
        - package: n/a
cves:
    - CVE-2023-44487
references:
    - web: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
    - web: https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
    - web: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
    - web: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
    - web: https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
    - web: https://news.ycombinator.com/item?id=37831062
    - web: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
    - web: https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    - fix: https://github.com/envoyproxy/envoy/pull/30055
    - report: https://github.com/haproxy/haproxy/issues/2312
    - report: https://github.com/eclipse/jetty.project/issues/10679
    - web: https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
    - fix: https://github.com/nghttp2/nghttp2/pull/1961
    - fix: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
    - report: https://github.com/alibaba/tengine/issues/1872
    - report: https://github.com/hyperium/hyper/issues/3337
    - web: https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
    - web: https://news.ycombinator.com/item?id=37830987
    - web: https://news.ycombinator.com/item?id=37830998
    - web: https://chaos.social/@icing/111210915918780532
    - report: https://github.com/caddyserver/caddy/issues/5877
    - web: https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
    - web: https://github.com/bcdannyboy/CVE-2023-44487

[gopherbot]

Change https://go.dev/cl/535696 mentions this issue: data/excluded: batch add 5 excluded reports