CVE-2023-39325
Docker vulnerability analysis and mitigation

Overview

CVE-2023-39325 is a vulnerability in Go's HTTP/2 implementation discovered in October 2023. The vulnerability affects net/http prior to versions 1.20.10 and 1.21.3, as well as golang.org/x/net/http2 prior to v0.17.0. This vulnerability allows a malicious HTTP/2 client to cause excessive server resource consumption through rapid request creation and immediate resets (NVD, Go Issue).

Technical details

The vulnerability occurs when a malicious client exploits the HTTP/2 protocol by rapidly creating requests and immediately resetting them. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting (default 250 streams per connection), resetting an in-progress request allows the attacker to create new requests while existing ones are still executing, leading to resource exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

Successful exploitation of this vulnerability can lead to Denial of Service (DoS) through excessive server resource consumption. The attack affects the availability of HTTP/2 servers by causing them to exhaust resources handling concurrent requests (NetApp Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Go versions 1.20.10 and 1.21.3, and in golang.org/x/net/http2 v0.17.0. The fix bounds the number of simultaneously executing handler goroutines at the stream concurrency limit (MaxConcurrentStreams), so a reset stream no longer frees a slot while its handler is still running. New requests arriving when the limit is reached are queued until a handler exits, and if the request queue grows too large, the server terminates the connection. Users can adjust the stream concurrency limit using the golang.org/x/net/http2 package's Server.MaxConcurrentStreams setting (Go Announcement).
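As an added example (not part of this report or of the Go project), the version boundaries above turned into a check a defender can run over the output of `go version -m <binary>` for a Go binary extracted from a container image. It assumes that command's usual output layout (first line `<path>: goX.Y.Z`, then tab-separated `dep <module> <version> <hash>` rows), that Go 1.22 and later already include the fix, and it treats pre-release or devel builds as affected so they get a manual look; the sample transcript at the end is constructed.

```go
package main

import (
	"strconv"
	"strings"
)

// parseVersion packs "go1.21.2" or "v0.16.0" into major*1e6+minor*1e3+patch;
// ok is false for non-release strings such as "go1.21rc1" or "(devel)".
func parseVersion(v string) (n int, ok bool) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v"), ".")
	for _, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return 0, false
		}
		n = n*1000 + x
	}
	return n, len(parts) == 3
}
// ToolchainAffected applies the advisory's per-line fix boundaries for net/http (1.20.10
// and 1.21.3): 1.21.0 counts as affected although newer than 1.20.10; 1.22+ ships the fix.
func ToolchainAffected(goVersion string) bool {
	n, ok := parseVersion(goVersion)
	if !ok || n < 1_020_000 {
		return true // pre-release/devel build, or a line out of support that never got the fix
	}
	return n < 1_020_010 || (n >= 1_021_000 && n < 1_021_003)
}
// XNetAffected: golang.org/x/net below v0.17.0 ships the vulnerable http2 package.
func XNetAffected(modVersion string) bool {
	n, ok := parseVersion(modVersion)
	return !ok || n < 17_000
}
// AuditBinary scans the text printed by `go version -m <binary>` ("<path>: goX.Y.Z",
// then tab-separated "dep <module> <version> <hash>" rows) and lists affected parts.
func AuditBinary(goVersionM string) (findings []string) {
	for i, line := range strings.Split(strings.TrimSpace(goVersionM), "\n") {
		f := strings.Fields(line)
		if i == 0 && len(f) >= 2 && ToolchainAffected(f[len(f)-1]) {
			findings = append(findings, "toolchain "+f[len(f)-1]+": vulnerable net/http")
		} else if len(f) >= 3 && f[0] == "dep" && f[1] == "golang.org/x/net" && XNetAffected(f[2]) {
			findings = append(findings, "golang.org/x/net "+f[2]+": vulnerable http2")
		}
	}
	return findings
}
// SampleGoVersionM is a constructed `go version -m` transcript, not from any real image.
const SampleGoVersionM = "/usr/local/bin/app: go1.21.2\n\tpath\texample.com/app\n" +
	"\tdep\tgolang.org/x/net\tv0.15.0\th1:PLACEHOLDER\n"
```

`AuditBinary(SampleGoVersionM)` reports both the toolchain and the x/net dependency; a binary rebuilt with Go 1.21.3 and x/net v0.17.0 yields no findings.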
