Threat Advisory

Spdystream Vulnerability Allows Denial-of-Service Attacks

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2023-38143 (CVSS 8.5) is a remotely triggerable denial-of-service (DoS) vulnerability in spdystream, the Go SPDY/3 library (github.com/moby/spdystream) that also sits behind Kubernetes' SPDY-based exec, attach and port-forward streams, and it affects every version up to and including 0.5.0. The SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocating memory for them. Three allocation paths on the receive side are affected: the SETTINGS entry count, the header count, and the header field size. Because each allocation is sized from the untrusted value before any of the announced entries are read, a single crafted frame of a few bytes (a header block that decompresses into a few attacker-chosen bytes is enough) can request gigabytes of memory at once and kill the process with an out-of-memory condition. No memory corruption is involved, and the attack does not depend on any particular application logic; the only prerequisite is the ability to deliver SPDY frames to a service built on spdystream, whether as a remote peer or as an internal user who can reach such an endpoint. The business impact is that of any remote DoS: the affected process crashes, with the downtime, loss of in-flight work and recovery cost that follow, and an unpatched service can be crashed again as soon as it restarts.
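To make the flaw concrete, the following is an added Go example written for this advisory, not spdystream's own code: a simplified SPDY/3 SETTINGS parser in the flawed allocate-before-validate shape, beside a hardened version that bounds the announced entry count by the bytes actually present before sizing anything. The payload layout follows the SPDY/3 SETTINGS format (4-byte entry count, 8 bytes per entry); the function and type names, the error values and the sample frames are constructed for illustration. The same bound (announced count or length versus bytes remaining in the frame) is the fix shape for the header count and header field size paths as well, which are not shown separately.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// SPDY/3 SETTINGS payload (bytes after the 8-byte frame header): a 4-byte
// big-endian entry count, then 8 bytes per entry (4-byte id/flags, 4-byte value).
const settingsEntrySize = 8

type setting struct {
	IDAndFlags uint32
	Value      uint32
}

var errShortPayload = errors.New("settings: payload shorter than the count field")
var errCountTooLarge = errors.New("settings: entry count exceeds payload length")

// entryCount reads the peer-supplied count without allocating anything.
func entryCount(payload []byte) (uint32, error) {
	if len(payload) < 4 {
		return 0, errShortPayload
	}
	return binary.BigEndian.Uint32(payload[:4]), nil
}

func readEntry(b []byte) setting {
	return setting{binary.BigEndian.Uint32(b[0:4]), binary.BigEndian.Uint32(b[4:8])}
}

// parseSettingsUnchecked is a hypothetical reconstruction of the flawed shape:
// the slice is sized from the untrusted count before checking that the payload
// holds that many entries, so a count near 2^32 requests ~32 GiB up front and
// the truncation check in the loop is never reached.
func parseSettingsUnchecked(payload []byte) ([]setting, error) {
	count, err := entryCount(payload)
	if err != nil {
		return nil, err
	}
	out := make([]setting, 0, count) // allocation driven by the untrusted count
	body := payload[4:]
	for i := uint32(0); i < count; i++ {
		if len(body) < settingsEntrySize {
			return nil, errCountTooLarge // too late: memory was already requested
		}
		out = append(out, readEntry(body))
		body = body[settingsEntrySize:]
	}
	return out, nil
}

// parseSettingsChecked bounds the count by what the payload can carry before
// sizing anything: each entry consumes 8 bytes, so the remaining length is a
// natural ceiling, and the frame's 24-bit length field keeps that ceiling small.
func parseSettingsChecked(payload []byte) ([]setting, error) {
	count, err := entryCount(payload)
	if err != nil {
		return nil, err
	}
	body := payload[4:]
	if uint64(count)*settingsEntrySize > uint64(len(body)) {
		return nil, errCountTooLarge // rejected before any allocation
	}
	out := make([]setting, 0, count)
	for i := uint32(0); i < count; i++ {
		out = append(out, readEntry(body))
		body = body[settingsEntrySize:]
	}
	return out, nil
}

// buildSettings assembles a SETTINGS payload whose count field may lie about
// how many entries follow (constructed test input, not a captured frame).
func buildSettings(count uint32, entries []setting) []byte {
	buf := make([]byte, 4+settingsEntrySize*len(entries))
	binary.BigEndian.PutUint32(buf, count)
	for i, e := range entries {
		off := 4 + i*settingsEntrySize
		binary.BigEndian.PutUint32(buf[off:], e.IDAndFlags)
		binary.BigEndian.PutUint32(buf[off+4:], e.Value)
	}
	return buf
}

func main() {
	one := []setting{{IDAndFlags: 4, Value: 100}} // id 4 = MAX_CONCURRENT_STREAMS
	good := buildSettings(1, one)
	hostile := buildSettings(0xFFFFFFFF, one) // claims 2^32-1 entries, carries one
	s, err := parseSettingsChecked(good)
	fmt.Println("checked, honest frame:", s, err)
	_, err = parseSettingsChecked(hostile)
	fmt.Println("checked, hostile frame:", err)
	n, _ := entryCount(hostile)
	fmt.Printf("unchecked parser would request %d bytes up front\n", uint64(n)*settingsEntrySize)
	// parseSettingsUnchecked(hostile) is deliberately not called: on a 64-bit
	// host it really does ask the runtime for ~32 GiB.
}
```

The hostile frame is 12 bytes on the wire; the checked parser rejects it with a cheap comparison, while the unchecked one would hand the runtime a 34 GB request before looking at a single entry. That asymmetry, a few attacker bytes against gigabytes on the receiver, is the whole vulnerability.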

RECOMMENDATION:

Update spdystream to v0.5.1 or later, which fixes the three affected allocation paths. Because Go links the library statically, every binary that depends on it must be rebuilt and redeployed; the fix is not picked up by patching a shared library on the host. Check which version each build pulls in with go list -m github.com/moby/spdystream, and bump it with go get github.com/moby/spdystream@v0.5.1 followed by a rebuild. Where rebuilding has to wait, restrict which peers can reach SPDY-speaking endpoints to authenticated ones, since the only prerequisite for the attack is the ability to deliver frames.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-pc3f-x583-g7j2
