Netty MadeYouReset DDoS Vulnerability in HTTP/2 Control Frame Handling

Vulnerability

A denial-of-service vulnerability has been identified in Netty versions through 4.2.3.Final and 4.1.123.Final. This issue, known as the MadeYouReset vulnerability, arises from a logical flaw in the HTTP/2 protocol implementation. It involves the use of malformed HTTP/2 control frames to manipulate the maximum concurrent streams limit, leading to resource exhaustion and a distributed denial-of-service condition. The vulnerability exploits the incorrect counting of active streams, allowing an attacker to overwhelm the server by creating an unbounded number of concurrent streams on a single connection.

Impact

Exploitation of this vulnerability causes CPU overload and/or memory exhaustion, depending on the specific implementation of the library.

Reproduction

To reproduce this vulnerability, establish an HTTP/2 connection to the server. Send a HEADERS frame with the END_STREAM flag on a new stream, followed by a WINDOW_UPDATE frame for that stream with a flow-control window of 0. The server will respond by sending a RST_STREAM frame for the stream, effectively resetting it and decreasing the active streams counter. This process can be repeated rapidly, leading to resource exhaustion.
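The accounting error the advisory describes can be seen in a small model of a server's concurrent-stream limiter. The following is an added example in Python, not Netty's code and not the actual Netty patch: it compares a flawed limiter that frees a stream slot as soon as the server sends RST_STREAM (while the request handler dispatched for that stream is still running) with a limiter that frees the slot only when that work finishes. The limit of 100, the `release_on_reset` switch, and the assumption that handlers never complete during the burst are all constructed for the illustration.

```python
"""Model of HTTP/2 concurrent-stream accounting (illustrative, not Netty's code).

The flawed limiter releases a stream slot as soon as the server resets the
stream, even though the request handler it dispatched is still running; the
fixed limiter counts in-flight handler work until that work actually ends.
"""
from dataclasses import dataclass

MAX_CONCURRENT_STREAMS = 100  # assumed SETTINGS_MAX_CONCURRENT_STREAMS value


class StreamLimitExceeded(Exception):
    """Raised when a new stream would exceed the advertised limit."""


@dataclass
class Stream:
    stream_id: int
    open: bool = True              # protocol-level state of the stream
    handler_running: bool = False  # backend work dispatched for this stream


class StreamLimiter:
    """release_on_reset=True reproduces the flawed accounting; False is the fix."""

    def __init__(self, limit=MAX_CONCURRENT_STREAMS, release_on_reset=True):
        self.limit = limit
        self.release_on_reset = release_on_reset
        self.streams = {}
        self.active = 0

    def on_headers(self, stream_id):
        # HEADERS with END_STREAM: open the stream and dispatch its handler.
        if self.active >= self.limit:
            raise StreamLimitExceeded(stream_id)
        self.streams[stream_id] = Stream(stream_id, handler_running=True)
        self.active += 1

    def on_server_reset(self, stream_id):
        # Server answers the malformed WINDOW_UPDATE with RST_STREAM.
        stream = self.streams[stream_id]
        stream.open = False
        if self.release_on_reset:
            self.active -= 1  # flaw: slot freed while the handler still runs

    def on_handler_done(self, stream_id):
        stream = self.streams.pop(stream_id)
        stream.handler_running = False
        if self.release_on_reset and not stream.open:
            return  # flawed model already released this slot at reset time
        self.active -= 1  # slot freed when the work actually ends

    def in_flight_work(self):
        return sum(1 for s in self.streams.values() if s.handler_running)


def replay_reset_sequence(limiter, attempts):
    """Feed `attempts` streams through the limiter using the frame sequence from
    the Reproduction section: HEADERS(END_STREAM) opens the stream, then the
    server resets it. Handlers never finish during the burst (assumption).
    Returns (streams_accepted, handlers_in_flight)."""
    accepted = 0
    for i in range(attempts):
        stream_id = 2 * i + 1  # client-initiated stream ids are odd
        try:
            limiter.on_headers(stream_id)
        except StreamLimitExceeded:
            break
        accepted += 1
        limiter.on_server_reset(stream_id)
    return accepted, limiter.in_flight_work()


if __name__ == "__main__":
    for flag in (True, False):
        accepted, in_flight = replay_reset_sequence(
            StreamLimiter(limit=100, release_on_reset=flag), 1000)
        label = "flawed" if flag else "fixed"
        print(f"{label}: accepted={accepted} handlers_in_flight={in_flight}")
```

With the flawed accounting the counter returns to zero after every reset, so all 1000 streams are accepted and 1000 handlers are left running behind a limit that advertises 100; with the fixed accounting the 101st HEADERS frame is refused and in-flight work never exceeds the limit. Normal completion frees a slot in both models, so the fix does not change behaviour for well-formed traffic.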

Remediation

Users can upgrade to Netty versions 4.2.4.Final or 4.1.124.Final, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 8.6
impact: 2.5
exploitability: 8.5
remediation: 7.7
relevance: 0.3
threat: 1.6
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.