ghsa-wgh7-54f2-x98r
Vulnerability from github
Published
2023-10-10 21:16
Modified
2024-06-21 21:33
Summary
HTTP/2 HPACK integer overflow and buffer allocation
Details

An integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit.

In MetaDataBuilder.java, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded:

java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException("Header too large %d > %d", _size + length, _maxSize); 298 }

However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered.

Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2.

In MetaDataBuilder.java, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded:

java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException("Header too large %d > %d", _size + length, _maxSize); }

However, no exception is thrown in the case of a negative size. Later, in Huffman.decode, the user-entered length is multiplied by 2 before allocating a buffer:

java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ...

This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.

Exploit Scenario 1

An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length 805306494 needs to be decoded. + MetaDataBuilder.checkSize will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.)

Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory.

Exploit Scenario 2

An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header)

Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory.

Impact

Users of HTTP/2 can be impacted by a remote denial of service attack.

Patches

Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected.

Workarounds

No workarounds possible, only patched versions of Jetty.

References

  • https://github.com/eclipse/jetty.project/pull/9634
Show details on source website


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.http2:http2-hpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.http2:http2-hpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 10.0.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.http3:http3-qpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 11.0.15"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.http3:http3-qpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.4.52"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.jetty.http2:http2-hpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.3.0"
            },
            {
              "fixed": "9.4.53"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-36478"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-10T21:16:23Z",
    "nvd_published_at": "2023-10-10T17:15:11Z",
    "severity": "HIGH"
  },
  "details": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to\nexceed their size limit. \n\nIn `MetaDataBuilder.java`, the following code determines if a header name or value\nexceeds the size limit, and throws an exception if the limit is exceeded:\n\n```java\n291 public void checkSize(int length, boolean huffman) throws SessionException\n292 {\n293 // Apply a huffman fudge factor\n294 if (huffman)\n295 length = (length * 4) / 3;\n296 if ((_size + length) \u003e _maxSize)\n297 throw new HpackException.SessionException(\"Header too large %d \u003e %d\",\n_size + length, _maxSize);\n298 }\n```\n\nHowever, when length is very large and huffman is true, the multiplication by 4 in line 295\nwill overflow, and length will become negative. (_size+length) will now be negative, and\nthe check on line 296 will not be triggered.\n\nFurthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be\nnegative, potentially leading to a very large buffer allocation later on when the\nuser-entered size is multiplied by 2.\n\nIn `MetaDataBuilder.java`, the following code determines if a header name or value\nexceeds the size limit, and throws an exception if the limit is exceeded:\n\n```java\npublic void checkSize(int length, boolean huffman) throws SessionException\n{\n// Apply a huffman fudge factor\nif (huffman)\nlength = (length * 4) / 3;\nif ((_size + length) \u003e _maxSize)\nthrow new HpackException.SessionException(\"Header too large %d \u003e %d\", _size\n+ length, _maxSize);\n}\n```\n\nHowever, no exception is thrown in the case of a negative size.\nLater, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer:\n\n```java\npublic static String decode(ByteBuffer buffer, int length) throws\nHpackException.CompressionException\n{\nUtf8StringBuilder utf8 = new Utf8StringBuilder(length * 2);\n// ...\n```\n\nThis means that if a user provides a negative length value (or, more precisely, a length\nvalue which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a\nvery large positive number when multiplied by 2, then the user can cause a very large\nbuffer to be allocated on the server.\n\n\n### Exploit Scenario 1\nAn attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02.\nEach time this header is decoded:\n+ `HpackDecode.decode` will determine that a Huffman-coded value of length\n805306494 needs to be decoded.\n+ `MetaDataBuilder.checkSize` will approve this length.\n+ Huffman.decode will allocate a 1.6 GB string array.\n+ Huffman.decode will have a buffer overflow error, and the array will be deallocated\nthe next time garbage collection happens. (Note: this can be delayed by appending\nvalid huffman-coded characters to the end of the header.)\n\nDepending on the timing of garbage collection, the number of threads, and the amount of\nmemory available on the server, this may cause the server to run out of memory.\n\n\n### Exploit Scenario 2\nAn attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. Each\ntime this header is decoded:\n + HpackDecode.decode will determine that a Huffman-coded value of length\n-1073758081 needs to be decoded\n +  MetaDataBuilder.checkSize will approve this length\n + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will\nallocate a 2.1 GB string array\n + Huffman.decode will have a buffer overflow error, and the array will be deallocated\nthe next time garbage collection happens (Note that this deallocation can be\ndelayed by adding valid Huffman-coded characters to the end of the header)\n\nDepending on the timing of garbage collection, the number of threads, and the amount of\nmemory available on the server, this may cause the server to run out of memory.\n\n### Impact\nUsers of HTTP/2 can be impacted by a remote denial of service attack.\n\n### Patches\nFixed in Jetty 10.0.16 and Jetty 11.0.16\nFixed in Jetty 9.4.53\nJetty 12.x is unaffected.\n\n### Workarounds\nNo workarounds possible, only patched versions of Jetty.\n\n### References\n* https://github.com/eclipse/jetty.project/pull/9634",
  "id": "GHSA-wgh7-54f2-x98r",
  "modified": "2024-06-21T21:33:57Z",
  "published": "2023-10-10T21:16:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-wgh7-54f2-x98r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36478"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/pull/9634"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse/jetty.project"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231116-0011"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20240621-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5540"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/10/18/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP/2 HPACK integer overflow and buffer allocation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.