{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/http3/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["netty-codec-http3 (\u003c= 4.2.12.Final)"],"_cs_severities":["medium"],"_cs_tags":["netty","http3","qpack","denial-of-service","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Netty"],"content_html":"\u003cp\u003eA vulnerability exists in Netty\u0026rsquo;s HTTP/3 QPACK decoder (versions 4.2.12.Final and earlier) that can be exploited to cause a denial-of-service (DoS) condition. The vulnerability stems from the \u003ccode\u003eio.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral\u003c/code\u003e function, which allocates memory for HTTP/3 headers based on lengths provided in the header itself, without properly validating that the declared length corresponds to available data. A malicious actor can craft a small HTTP/3 HEADERS frame containing a QPACK section that decodes to a large non-Huffman name length, causing the server to allocate a large byte array (on the order of a gigabyte). This can exhaust server memory, leading to performance degradation or a complete crash.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an HTTP/3 HEADERS frame with a malicious QPACK section.\u003c/li\u003e\n\u003cli\u003eThe QPACK section is designed to trigger the non-Huffman branch of \u003ccode\u003eio.netty.handler.codec.http3.QpackDecoder#decodeHuffmanEncodedLiteral\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a very large length value for a string literal within the QPACK section. The encoding allows a large length to be expressed in few bytes.\u003c/li\u003e\n\u003cli\u003eThe Netty server receives the malicious HTTP/3 HEADERS frame.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eQpackDecoder\u003c/code\u003e attempts to allocate a byte array of the size specified in the malicious header using \u003ccode\u003enew byte[length]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the missing length validation, the server allocates a potentially gigabyte-sized byte array.\u003c/li\u003e\n\u003cli\u003eThe server experiences high memory consumption and potential resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe server slows down, stalls, or crashes due to the excessive memory allocation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, where the server becomes unresponsive or crashes. This affects applications using the vulnerable versions of \u003ccode\u003enetty-codec-http3\u003c/code\u003e. A single crafted HTTP/3 HEADERS frame can trigger gigabytes of memory allocation, making the server susceptible to resource exhaustion under relatively low request volumes. This can disrupt services, impacting availability and potentially leading to data loss or corruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003enetty-codec-http3\u003c/code\u003e that addresses the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect attempts to exploit this vulnerability by monitoring for unusually large memory allocations associated with HTTP/3 header decoding.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on HTTP/3 requests to mitigate the impact of a large number of malicious requests.\u003c/li\u003e\n\u003cli\u003eMonitor server resource utilization (CPU, memory) for unusual spikes that may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netty-http3-qpack/","summary":"A vulnerability in Netty's HTTP/3 QPACK decoder allows an attacker to cause a denial of service by sending a crafted HTTP/3 header that triggers excessive memory allocation, leading to a server crash.","title":"Netty HTTP/3 QPACK Literal Unbounded Allocation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-netty-http3-qpack/"}],"language":"en","title":"CraftedSignal Threat Feed — Http3","version":"https://jsonfeed.org/version/1.1"}