This is an automated filing. For more information please see the wiki.

Vulnerability: mongodb/mongo-tools master :go.mod - Denial of Service DoS in golang.org/x/net

Package: golang.org/x/net@v0.10.0 within mongodb/mongo-tools(master):go.mod
Version: <0.17.0
Introduced through: golang.org/x/net@v0.10.0
Snyk Link: https://app.snyk.io/org/cloud/project/abad283d-9d91-425f-9249-691c96514f87
Upgrade Path: golang.org/x/net@0.17.0

Description

https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327

1. 1. Overview
      [golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

1. 1. Remediation
      Upgrade `golang.org/x/net/http2` to version 0.17.0 or higher.
   2. References

• [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)
• [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)
• [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)
• [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)
• [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)
• [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)
• [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
• [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
• [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Risk Rating

CVSSv3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H
CVSSSCORE: 7.5
Severity: high
CVE: CVE-2023-44487
CWE: CWE-400

Dependency Chain:

1) golang.org/x/net:v0.10.0
2) golang.org/x/net:v0.10.0 <-- github.com/aws/aws-sdk-go:v1.44.317
3) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0
4) golang.org/x/net:v0.10.0 <-- github.com/craiggwilson/goke:v0.0.0-20220110201909-adb8bfb05d58
5) golang.org/x/net:v0.10.0 <-- github.com/aws/aws-sdk-go:v1.44.317 <-- github.com/craiggwilson/goke:v0.0.0-20220110201909-adb8bfb05d58
6) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/gopherjs/gopherjs:v1.17.2
7) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/youmark/pkcs8:v0.0.0-20201027041543-1326539a0a0a
8) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/gopherjs/gopherjs:v1.17.2 <-- github.com/smartystreets/goconvey:v1.6.4
9) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/youmark/pkcs8:v0.0.0-20201027041543-1326539a0a0a <-- go.mongodb.org/mongo-driver:v1.10.3

Next Steps

1. Verify that you agree with the given CVSSv3 score/due date. If you don't, link a new cvssv3 score (https://www.first.org/cvss/calculator/3.1), and cc one of your teammates. If both of you are in agreement on the new risk rating, adjust the CVSS score/duedate/priority on the ticket.

2. Upgrade the package by the fix date.

3. Take pride in knowing you made MongoDB a safer place.

Questions / Concerns

If there are any questions concerns, check out the wiki. Thanks!