Suricata HTTP/2 Stream 0 Data Handling Resource Starvation Vulnerability

Vulnerability

A vulnerability in Suricata, a network IDS, IPS, and NSM engine, affects versions 7.0.10 and prior, as well as 8.0.0-beta1 through 8.0.0-rc1. The issue arises from improper handling of data on HTTP/2 stream 0, which allows uncontrolled memory consumption and, with it, a loss of visibility in the engine. It can be triggered by sending HTTP/2 frames of type DATA on stream 0, contrary to the protocol specification, which requires such frames to be treated as a connection error.

Impact

Exploitation of this vulnerability can cause resource starvation, resulting in uncontrolled memory usage and a loss of visibility within the Suricata application.

Remediation

Users can upgrade to Suricata versions 7.0.11 or 8.0.0 to address this vulnerability. Alternatively, the HTTP/2 parser can be disabled, and a specific signature can be used to drop HTTP/2 frames on stream 0.
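To make the protocol point concrete, here is an added Python model (not Suricata's code) that parses raw HTTP/2 frames and contrasts lenient per-connection buffering with the handling the specification requires: a DATA frame on stream 0 is a connection error of type PROTOCOL_ERROR (RFC 7540 section 6.1), after which nothing further is buffered. The frame bytes are constructed inline, and `account_data` is a simplified model of the two behaviours, not the engine's implementation.

```python
import struct
from dataclasses import dataclass

FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
DATA_FRAME = 0x0       # frame type DATA (RFC 7540 section 6.1)
PROTOCOL_ERROR = 0x1   # connection error code (RFC 7540 section 7)

@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes

def parse_frames(buf: bytes) -> list:
    """Split raw HTTP/2 frames (RFC 7540 section 4.1); a trailing truncated frame is dropped."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF  # mask reserved bit
        body = buf[off + 9:off + 9 + length]
        if len(body) < length:
            break
        frames.append(Frame(ftype, flags, stream_id, body))
        off += FRAME_HEADER_LEN + length
    return frames

def account_data(frames, strict: bool):
    """Model of per-connection buffering of DATA payloads. strict=False keeps accumulating
    regardless of stream id (the unbounded growth described above); strict=True raises a
    connection error on the first DATA frame on stream 0. Returns (bytes_buffered, error)."""
    buffered = 0
    for f in frames:
        if f.ftype != DATA_FRAME:
            continue
        if strict and f.stream_id == 0:
            return buffered, PROTOCOL_ERROR   # connection is torn down; nothing more is kept
        buffered += len(f.payload)
    return buffered, None

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame; used only to construct the sample input below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

# Constructed sample (not a capture): one valid DATA frame on stream 1, then DATA on stream 0.
SAMPLE = (build_frame(DATA_FRAME, 0x0, 1, b"hello")
          + build_frame(DATA_FRAME, 0x0, 0, b"A" * 16)
          + build_frame(DATA_FRAME, 0x1, 0, b"B" * 16))
```

Running `account_data(parse_frames(SAMPLE), strict=False)` keeps growing with every stream-0 frame, while the strict variant stops at the first violation with only the legitimate stream-1 payload counted.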

Added: Jul 22, 2025, 10:37 PM
Updated: Jul 22, 2025, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread          2.4
impact          2.5
exploitability  5.3
remediation     8.3
relevance       0.3
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.