h2: Reset Flood vulnerability may lead to resource exhaustion and DOS (…

…#1852) * h2: Reset Flood vulnerability may lead to resource exhaustion and DOS Add Reset Flood advisory for older versions of h2. * fix specs * Fix version specification * move reset flood cve out of alias section * remove informational section Co-authored-by: Sergey "Shnatsel" Davidoff <[email protected]> * add rustsec advisory from hyper psuedo-rapid-reset to related list * remove everything other than reset flood from related list --------- Co-authored-by: Sergey "Shnatsel" Davidoff <[email protected]>
rustsec · Jan 17, 2024 · d414753 · d414753
1 parent 826f71c
commit d414753
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/crates/h2/RUSTSEC-0000-0000.md b/crates/h2/RUSTSEC-0000-0000.md
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "h2"
+date = "2024-01-17"
+references = ["https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"]
+categories = ["denial-of-service"]
+keywords = ["http", "http2", "h2"]
+related = ["CVE-2019-9514"]
+
+[versions]
+patched = ["^0.3.24", ">= 0.4.2"]
+```
+
+# Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
+
+An attacker with an HTTP/2 connection to an affected endpoint can send a steady stream of invalid frames to force the
+generation of reset frames on the victim endpoint.
+By closing their recv window, the attacker could then force these resets to be queued in an unbounded fashion,
+resulting in Out Of Memory (OOM) and high CPU usage.
+
+This fix is corrected in [hyperium/h2#737](https://github.com/hyperium/h2/pull/737), which limits the total number of
+internal error resets emitted by default before the connection is closed.