Type: Bug
Resolution: Fixed
Priority: Critical - P2
Affects Version/s: None
Component/s: All Tools
TAR 2023-10-30
This is an automated filing. For more information please see the wiki.
Vulnerability: mongodb/mongo-tools master :go.mod - Denial of Service DoS in golang.org/x/net
Package: golang.org/x/net@v0.10.0 within mongodb/mongo-tools(master):go.mod
Version: <0.17.0
Introduced through: golang.org/x/net@v0.10.0
Snyk Link: https://app.snyk.io/org/cloud/project/abad283d-9d91-425f-9249-691c96514f87
Upgrade Path: golang.org/x/net@0.17.0
Description
https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-5953327
- Overview
[golang.org/x/net/http2](https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme) is a work-in-progress HTTP/2 implementation for Go. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation: each request is opened and immediately cancelled with RST_STREAM, so the client stays under the server's concurrent-stream limit while the server keeps doing the work for streams it has already been told to abandon.
- Remediation
Upgrade `golang.org/x/net/http2` to version 0.17.0 or higher.
- References
- [GitHub Commit](https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49)
- [GitHub Commit](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e)
- [GitHub Commit](https://github.com/eclipse/jetty.project/commit/dbb94514dc9d3fb21fe92080f57c314e7e06a148)
- [GitHub Commit](https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61)
- [GitHub Commit](https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832)
- [Snyk Blog](https://snyk.io/blog/find-fix-http-2-rapid-reset-zero-day-vulnerability-cve-2023-44487/)
- [Vulnerability Discovery](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
- [Vulnerability Explanation](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Risk Rating
CVSSv3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:H
CVSS Score: 7.5
Severity: high
CVE: CVE-2023-44487
CWE: CWE-400
Dependency Chain:
1) golang.org/x/net:v0.10.0
2) golang.org/x/net:v0.10.0 <-- github.com/aws/aws-sdk-go:v1.44.317
3) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0
4) golang.org/x/net:v0.10.0 <-- github.com/craiggwilson/goke:v0.0.0-20220110201909-adb8bfb05d58
5) golang.org/x/net:v0.10.0 <-- github.com/aws/aws-sdk-go:v1.44.317 <-- github.com/craiggwilson/goke:v0.0.0-20220110201909-adb8bfb05d58
6) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/gopherjs/gopherjs:v1.17.2
7) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/youmark/pkcs8:v0.0.0-20201027041543-1326539a0a0a
8) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/gopherjs/gopherjs:v1.17.2 <-- github.com/smartystreets/goconvey:v1.6.4
9) golang.org/x/net:v0.10.0 <-- golang.org/x/crypto:v0.12.0 <-- github.com/youmark/pkcs8:v0.0.0-20201027041543-1326539a0a0a <-- go.mongodb.org/mongo-driver:v1.10.3
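Every chain above ends in the same module, and Go's minimal version selection builds exactly one version of golang.org/x/net per build, so raising the direct requirement in go.mod to v0.17.0 remediates all nine paths at once. The following is an added worked example, not code from this ticket or from mongo-tools, for confirming that after the bump: it reads `go list -m all` style output (assumed input format, one `module version` per line with an optional `=> replacement version` clause) and flags any entry of golang.org/x/net that still resolves below v0.17.0. The module list in `main` is constructed for illustration, not captured from the real repository. Pseudo-versions such as the v0.0.0-20211209100829-84cba5454caf seen in the Snyk link are handled as pre-releases, which is the ordering Go uses; comparing two pre-releases against each other is simplified to string order, which is sufficient when the reference point is a plain release tag. Note the check only says whether the vulnerable module version is linked; Rapid Reset targets HTTP/2 servers, so actual exposure also depends on whether the binary serves HTTP/2.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module and fixed version taken from the ticket (CVE-2023-44487, HTTP/2 Rapid Reset).
const (
	vulnModule = "golang.org/x/net"
	fixedIn    = "v0.17.0"
)

// version is the parsed form of a Go module version such as v0.10.0 or the
// pseudo-version v0.0.0-20211209100829-84cba5454caf.
type version struct {
	nums [3]int
	pre  string // non-empty for pre-releases, which includes pseudo-versions
}

// parseVersion accepts vMAJOR.MINOR.PATCH with an optional pre-release suffix
// and an optional "+incompatible" build suffix.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimSuffix(strings.TrimPrefix(s, "v"), "+incompatible")
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("malformed module version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("malformed module version %q: %v", s, err)
		}
		v.nums[i] = n
	}
	return v, nil
}

// less reports whether a sorts before b under Go module semver ordering.
func (a version) less(b version) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	// Same MAJOR.MINOR.PATCH: a pre-release (e.g. a pseudo-version v0.17.0-0.2023...)
	// sorts before the plain release, so it is still below the fix. Two
	// pre-releases are compared as strings (simplification, see lead-in).
	if a.pre == "" || b.pre == "" {
		return a.pre != "" && b.pre == ""
	}
	return a.pre < b.pre
}

// Finding is one build-list entry of vulnModule that needs attention.
type Finding struct {
	Module, Version string
}

// CheckModList scans `go list -m all` output and returns every entry of
// vulnModule whose effective (post-replace) version is below fixedIn.
func CheckModList(out string) ([]Finding, error) {
	want, err := parseVersion(fixedIn)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != vulnModule {
			continue // main module (no version) or an unrelated module
		}
		ver := f[1]
		for i, tok := range f {
			if tok != "=>" {
				continue
			}
			if len(f) < i+3 {
				// Replaced by a local directory: nothing to compare, so report it.
				findings = append(findings, Finding{f[0], f[1] + " => " + f[i+1] + " (local replace, check manually)"})
				ver = ""
			} else {
				ver = f[i+2] // the replacement's version is what actually gets built
			}
			break
		}
		if ver == "" {
			continue
		}
		have, err := parseVersion(ver)
		if err != nil {
			return nil, err
		}
		if have.less(want) {
			findings = append(findings, Finding{f[0], ver})
		}
	}
	return findings, sc.Err()
}

func main() {
	// Constructed sample modelled on the modules in the ticket's dependency chain;
	// not real `go list -m all` output from mongo-tools.
	const sample = `github.com/mongodb/mongo-tools
github.com/aws/aws-sdk-go v1.44.317
golang.org/x/crypto v0.12.0
golang.org/x/net v0.10.0
go.mongodb.org/mongo-driver v1.10.3
`
	findings, err := CheckModList(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %s is below %s: affected by CVE-2023-44487\n", f.Module, f.Version, fixedIn)
	}
}
```

In practice the remediation is `go get golang.org/x/net@v0.17.0` followed by `go mod tidy` (which keeps the `// indirect` markers for the aws-sdk-go and x/crypto paths consistent), and the input to the check is the output of `go list -m all` after that bump; `govulncheck ./...` additionally reports whether the affected http2 code is reachable from the binaries, which the version check alone does not tell you.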
Next Steps
1. Verify that you agree with the given CVSSv3 score/due date. If you don't, link a new CVSSv3 score (https://www.first.org/cvss/calculator/3.1), and cc one of your teammates. If both of you are in agreement on the new risk rating, adjust the CVSS score/due date/priority on the ticket.
2. Upgrade the package by the fix date.
3. Take pride in knowing you made MongoDB a safer place.
Questions / Concerns
If there are any questions or concerns, check out the wiki. Thanks!
is duplicated by:
TOOLS-3385 mongodb/mongo-tools master :go.mod - Denial of Service DoS in golang.org/x/net (Closed)
TOOLS-3387 mongodb/mongo-tools master :go.mod - Denial of Service DoS in golang.org/x/net (Closed)
links to: