Update: as of December 5, 2017, the issue has been fixed in the 1.19.2 release.

In Go before 1.18.6 and 1.19.x before 1.19.1, an HTTP/2 connection can hang during connection termination due to an issue with how HTTP/2 handles closing. An attacker could exploit this vulnerability by creating a malicious HTTP/2 server on the targeted system that sends a large number of invalid requests to an HTTP/1 server on the targeted system. An attacker could leverage the vulnerability to consume all available system resources, resulting in a denial of service. The issue is resolved in Go by updating to version 1.19.2.

CVE-2017-15906: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, an HTTP/2 connection can hang during shutdown if SETTINGS_NO_ERRORS is enabled. An attacker could exploit this vulnerability by creating a malicious HTTP/2 server on the targeted system that sends a large number of invalid requests to an HTTP/1 server on the targeted system. An attacker could leverage the vulnerability to consume all available system resources, resulting in a denial of service. The issue is resolved in Go by updating to version 1.19.2.

CVE-2017-15907: In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, an HTTP/2 connection can
Potential Additional Impact
It is recommended that all Go users upgrade to Go 1.19.2 or later releases.
Timeline
Published on: 09/06/2022 18:15:00 UTC
Last modified on: 09/23/2022 15:15:00 UTC
References
- https://groups.google.com/g/golang-announce/c/x49AQzIVX-s
- https://groups.google.com/g/golang-announce
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXS2OQ57KZC5XZKK5UW4SYKPVQAHIOJX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JXKTHIGE5F576MAPFYCIJXNRGBSPISUF/
- https://security.netapp.com/advisory/ntap-20220923-0004/
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-27664