PT-2022-11918 · H2O · H2O

Emil Lerner · Published 2022-02-01 · Updated 2022-02-08 · CVE-2021-43848
CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: h2o versions between commit 93af138 and d1f0f65 (unreleased development code with HTTP/3 support)
Description: h2o is an open source HTTP server. In code prior to commit 8c0eca3, h2o may read uninitialized memory. When QUIC frames are received in a certain order, the server-side HTTP/3 implementation of h2o can be tricked into treating uninitialized memory as HTTP/3 frames that have been received, and it then processes those bytes as if the client had sent them. When h2o is used as a reverse proxy, an attacker can abuse this to make h2o forward its own internal state to backend servers controlled by the attacker or by a third party. If any HTTP endpoint reflects the traffic sent from the client, an attacker can also use that reflector to read the internal state back directly. That internal state includes traffic of other connections in unencrypted form and TLS session tickets, so the impact is disclosure of other users' data and of material that can be used to resume their TLS sessions.
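The bug class behind the description, shown as an added, self-contained model rather than h2o's own code: a QUIC stream reassembly buffer whose "vulnerable" delivery routine trusts the high-water mark of received offsets, so when frames arrive out of order the gap below the mark is handed to the HTTP/3 layer filled with whatever the buffer held before (here a constructed 'S' pattern standing in for stale heap content such as another connection's plaintext). The "fixed" routine delivers only the contiguous prefix. The buffer layout, frame sizes and the exact triggering order are assumptions for illustration and do not reproduce h2o's actual trigger.

```c
/*
 * Illustrative model (not h2o code) of the bug class behind CVE-2021-43848:
 * a stream reassembly buffer that advances its "received" high-water mark on
 * any frame and then hands everything below that mark to the HTTP/3 layer,
 * so a gap left by an out-of-order frame is delivered as if it were data.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STREAM_BUF_SIZE 64

typedef struct {
    uint8_t buf[STREAM_BUF_SIZE];      /* reassembly buffer, never zeroed on init */
    uint8_t received[STREAM_BUF_SIZE]; /* 1 if the byte at that offset has arrived */
    size_t max_end;                    /* highest offset+length seen so far */
    size_t delivered;                  /* bytes already passed to the HTTP/3 layer */
} stream_t;

/* Stand-in for stale heap content: a real allocator leaves behind bytes of
 * earlier connections (plaintext, session tickets); we fill the buffer with
 * 'S' so the leak is visible and deterministic. (constructed, not real data) */
static void stream_init(stream_t *s)
{
    memset(s->buf, 'S', sizeof s->buf);
    memset(s->received, 0, sizeof s->received);
    s->max_end = 0;
    s->delivered = 0;
}

/* Store a STREAM frame carrying `len` bytes at stream offset `off`. */
static int stream_recv_frame(stream_t *s, size_t off, const uint8_t *data, size_t len)
{
    if (len > STREAM_BUF_SIZE || off > STREAM_BUF_SIZE - len)
        return -1; /* reject out-of-range frames instead of writing past buf */
    memcpy(s->buf + off, data, len);
    memset(s->received + off, 1, len);
    if (off + len > s->max_end)
        s->max_end = off + len;
    return 0;
}

/* VULNERABLE: trusts the high-water mark, so a gap below it is delivered
 * as though it had been received. */
static size_t deliver_vulnerable(stream_t *s, uint8_t *out, size_t cap)
{
    size_t n = s->max_end - s->delivered;
    if (n > cap)
        n = cap;
    memcpy(out, s->buf + s->delivered, n);
    s->delivered += n;
    return n;
}

/* FIXED: deliver only bytes forming a contiguous run from `delivered`. */
static size_t deliver_fixed(stream_t *s, uint8_t *out, size_t cap)
{
    size_t end = s->delivered;
    while (end < STREAM_BUF_SIZE && s->received[end])
        end++;
    size_t n = end - s->delivered;
    if (n > cap)
        n = cap;
    memcpy(out, s->buf + s->delivered, n);
    s->delivered += n;
    return n;
}

/* Replay a constructed out-of-order sequence: the frame for offsets 16..23
 * arrives before the frame for offsets 0..15, and the server delivers after
 * each one. Returns how many stale ('S') bytes reached the upper layer. */
size_t stale_bytes_delivered(int use_fixed)
{
    stream_t s;
    uint8_t frame_a[16], frame_b[8], out[STREAM_BUF_SIZE];
    size_t n, i, stale = 0;

    memset(frame_a, 'A', sizeof frame_a); /* constructed client bytes, offset 0 */
    memset(frame_b, 'B', sizeof frame_b); /* constructed client bytes, offset 16 */
    stream_init(&s);

    stream_recv_frame(&s, 16, frame_b, sizeof frame_b); /* second frame first */
    n = use_fixed ? deliver_fixed(&s, out, sizeof out)
                  : deliver_vulnerable(&s, out, sizeof out);
    for (i = 0; i < n; i++)
        stale += (out[i] == 'S');

    stream_recv_frame(&s, 0, frame_a, sizeof frame_a); /* first frame last */
    n = use_fixed ? deliver_fixed(&s, out, sizeof out)
                  : deliver_vulnerable(&s, out, sizeof out);
    for (i = 0; i < n; i++)
        stale += (out[i] == 'S');
    return stale;
}

int main(void)
{
    printf("vulnerable: %zu stale bytes delivered\n", stale_bytes_delivered(0));
    printf("fixed:      %zu stale bytes delivered\n", stale_bytes_delivered(1));
    return 0;
}
```

In the vulnerable path the first delivery hands 24 bytes upward, 16 of which were never written by the client, and the real bytes for offsets 0..15 are then silently dropped because the cursor has already moved past them; in a reverse-proxy deployment those 16 bytes are what would be forwarded to the backend. The fixed path delivers nothing until the gap is filled and then delivers exactly the client's bytes in order.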
Recommendations: Upgrade to a build of h2o that includes commit 8c0eca3, which fixes the issue. The affected code is in unreleased development versions, and at the time of writing no released h2o version containing the fix is listed, so users running such builds with HTTP/3 enabled should update immediately. As a temporary workaround, disable HTTP/3 by removing the QUIC listener (the listen entries of type quic in the h2o configuration), which removes the only trigger, since the bug is in the server-side HTTP/3 implementation. Restricting which backends the reverse proxy can reach and avoiding HTTP endpoints that reflect client traffic reduce the chance that leaked memory leaves the server, but do not prevent the uninitialized read itself, so they are not a substitute for the upgrade.

Weakness Enumeration: Use of Uninitialized Resource (CWE-908)

Related Identifiers: CVE-2021-43848, GHSA-F9XW-J925-M4M4

Affected Products: H2O