
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-45288 is a vulnerability in the HTTP/2 protocol implementation of the Go programming language, discovered by Bartek Nowotarski. It was disclosed in April 2024 and affects net/http in Go versions prior to 1.21.9 and from 1.22.0-0 up to but not including 1.22.2, as well as golang.org/x/net/http2 versions prior to 0.23.0 (Go Announcement, Go Vuln DB).
The vulnerability occurs when processing HTTP/2 CONTINUATION frames. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This allows an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, which will be processed even though the request will ultimately be rejected. The headers can include Huffman-encoded data that is significantly more expensive for the receiver to decode than for an attacker to send (CERT VU, Go Issue).
The result is a Denial of Service (DoS) condition through excessive CPU consumption: because Huffman-encoded headers cost far more to decode than to generate, an attacker can exhaust the receiver's processing capacity with minimal effort on their own side. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (HIGH) (NetApp Advisory).
The primary mitigation is to update to Go 1.21.9 or 1.22.2 or later (or golang.org/x/net/http2 0.23.0 or later), which include a fix that limits the number of excess header frames processed before the connection is closed. For environments where HTTP/2 support is not required, it may be possible to disable this feature to reduce risk (Go Announcement, NetApp Advisory).
Source: This report was generated using AI