Bulletin ID: HCSEC-2023-32
Affected Products / Versions:

  • Vault and Vault Enterprise; vulnerable components updated in 1.15.1, 1.14.5, and 1.13.9.
  • Consul and Consul Enterprise; vulnerable components updated in 1.16.3, 1.15.7, and 1.14.11.
  • Boundary and Boundary Enterprise; vulnerable components updated in 0.14.1.

Some products that depend on the vulnerable components were not affected because they do not expose HTTP/2 services, but have been updated regardless:

  • Terraform; vulnerable components updated in 1.6.3.
  • Terraform Enterprise; vulnerable components updated in v202311-1.
  • Nomad and Nomad Enterprise; vulnerable components updated in 1.6.3, 1.5.10, and 1.4.14.

Publication Date: November 2, 2023

Summary
A denial of service vulnerability was identified in many implementations of the HTTP/2 protocol (CVE-2023-44487), including Go’s implementation (CVE-2023-39325). It was addressed by updating the vulnerable components in the affected HashiCorp products listed above.

Background
In October 2023, a vulnerability in various implementations of the HTTP/2 protocol was publicized via coordinated disclosure. Dubbed “Rapid Reset”, this vulnerability (CVE-2023-44487, CVSS 7.5) lets an attacker open HTTP/2 streams and immediately cancel each one with an RST_STREAM frame. A cancelled stream no longer counts against the connection’s concurrent-stream limit, yet the server has already begun the work of handling the request, so a single connection can drive the server to exhaust CPU and memory and deny service to legitimate clients.

The Go team announced that Go’s HTTP/2 implementation was affected (CVE-2023-39325).

Details
Most HashiCorp community, self-managed, and cloud products are built with Go, or contain components that are. A subset of these products serve HTTP/2 through the affected Go packages (net/http and golang.org/x/net/http2), and it is these that are exposed to the CVEs above.

Exposure to this denial of service vulnerability was found to vary depending on product-specific implementations, as well as deployment-specific architectures and associated security controls. Assuming network-level access to the service in question, the vulnerability may be exploited by an unauthenticated attacker to cause denial of service. Deployments of affected products that expose HTTP-accessed web interfaces or APIs to the open Internet are more likely to be at risk.

HashiCorp teams have completed an initial assessment and issued new community and self-managed product releases, built with updated Go versions and affected dependencies, as determined necessary.
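One way to confirm that a given build actually carries the fixed components is to read the Go build metadata embedded in the executable, the same data that `go version -m <binary>` prints. The program below is an added example written for this bulletin, not HashiCorp tooling. It assumes the fix thresholds published with the Go announcement (net/http fixed in Go 1.21.3 and 1.20.10; golang.org/x/net/http2 fixed in golang.org/x/net v0.17.0), and it reports only whether those components are present at a fixed version, not whether the binary exposes an HTTP/2 listener, which is the deployment question the bulletin raises.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Module that carries the standalone HTTP/2 server used by many Go services.
const xNetModule = "golang.org/x/net"

// version is a numeric major.minor.patch triple.
type version struct{ major, minor, patch int }

// parseVersion accepts "go1.21.3", "go1.21", "go1.21rc2", "v0.17.0" or a
// pseudo-version such as "v0.0.0-20231002182017-d307bd883b97". Only the
// leading digits of each dotted component are kept and any "-"/"+" suffix is
// dropped, so pre-release and pseudo-versions sort below the fixed release.
// A "devel ..." toolchain string does not parse and is treated as unfixed.
func parseVersion(s string) version {
	s = strings.TrimPrefix(strings.TrimPrefix(s, "go"), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	var nums [3]int
	for i, p := range strings.SplitN(s, ".", 3) {
		j := 0
		for j < len(p) && p[j] >= '0' && p[j] <= '9' {
			j++
		}
		nums[i], _ = strconv.Atoi(p[:j]) // "" parses as 0
	}
	return version{nums[0], nums[1], nums[2]}
}

func (v version) less(w version) bool {
	if v.major != w.major {
		return v.major < w.major
	}
	if v.minor != w.minor {
		return v.minor < w.minor
	}
	return v.patch < w.patch
}

// goRuntimeFixed: net/http fix shipped in go1.21.3 and go1.20.10 (assumed
// thresholds from the Go announcement); anything from 1.22 on includes it.
func goRuntimeFixed(goVersion string) bool {
	v := parseVersion(goVersion)
	switch {
	case v.major > 1, v.major == 1 && v.minor >= 22:
		return true
	case v.major == 1 && v.minor == 21:
		return v.patch >= 3
	case v.major == 1 && v.minor == 20:
		return v.patch >= 10
	}
	return false
}

// xNetFixed: x/net/http2 fix shipped in v0.17.0 (assumed threshold).
func xNetFixed(modVersion string) bool {
	return !parseVersion(modVersion).less(version{0, 17, 0})
}

// Finding summarises what one binary's build metadata says.
type Finding struct {
	GoVersion, XNetVersion string // XNetVersion is "" when x/net is not linked
	GoFixed, XNetFixed     bool   // XNetFixed is true when x/net is absent
}

// Patched is true only when every linked HTTP/2 implementation carries the fix.
func (f Finding) Patched() bool { return f.GoFixed && f.XNetFixed }

// AssessVersions judges a toolchain version and an x/net module version.
func AssessVersions(goVersion, xNetVersion string) Finding {
	f := Finding{GoVersion: goVersion, XNetVersion: xNetVersion,
		GoFixed: goRuntimeFixed(goVersion), XNetFixed: true}
	if xNetVersion != "" {
		f.XNetFixed = xNetFixed(xNetVersion)
	}
	return f
}

// Assess evaluates parsed build info. A replaced module is judged by its
// replacement, because that is what the toolchain actually linked.
func Assess(bi *debug.BuildInfo) Finding {
	xnet := ""
	for _, dep := range bi.Deps {
		if dep.Path == xNetModule {
			m := dep
			if dep.Replace != nil {
				m = dep.Replace
			}
			xnet = m.Version
		}
	}
	return AssessVersions(bi.GoVersion, xnet)
}

// AssessBinary reads the build info embedded in a Go executable on disk.
func AssessBinary(path string) (Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Finding{}, err
	}
	return Assess(bi), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: h2check <go-binary>...")
		os.Exit(2)
	}
	exit := 0
	for _, p := range os.Args[1:] {
		f, err := AssessBinary(p)
		if err != nil {
			fmt.Printf("%s: cannot read Go build info: %v\n", p, err)
			exit = 1
			continue
		}
		status, xnet := "patched", "not linked"
		if !f.Patched() {
			status, exit = "UNPATCHED", 1
		}
		if f.XNetVersion != "" {
			xnet = f.XNetVersion
		}
		fmt.Printf("%s: %s (Go %s; %s %s)\n", p, status, f.GoVersion, xNetModule, xnet)
	}
	os.Exit(exit)
}
```

Run it against the product binaries on a host (`./h2check /usr/local/bin/vault /usr/local/bin/consul`); a non-zero exit marks at least one binary whose embedded toolchain or x/net version predates the fix. An "UNPATCHED" result is a reason to upgrade, not proof of exposure: as the bulletin notes, a binary that never serves HTTP/2 is not reachable by Rapid Reset regardless of the component versions it carries.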

Teams have also completed an initial assessment of HashiCorp cloud products and associated service providers, and taken steps to remediate this vulnerability.

We will continue to monitor the situation and take further steps as necessary. We take a risk-based approach to adopting dependency updates including security fixes as part of our ongoing product development lifecycle.

Remediation
Customers should evaluate the risk associated with this issue (as noted above, exposure will depend on deployment-specific architectures and associated security controls) and consider upgrading to new product releases as appropriate.

Please refer to individual product documentation (available via HashiCorp Developer) or release notes for product-specific guidance.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.