PT-2023-27913 · H2O+1

Kazuho · published · Published: 2023-12-12 · Updated: 2023-12-19 · CVE-2023-41337

CVSS v3.1: 6.1 (Medium)
Vector: AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: h2o versions 2.3.0-beta2 and prior
Description: A malicious backend entity can misdirect HTTPS requests to other backends and observe the contents of the request. This occurs when h2o is configured to listen on multiple addresses or ports, with the backend servers behind them managed by multiple entities. The attack involves a victim client attempting to resume a TLS connection while an attacker redirects its packets to a different address or port. Session IDs and tickets generated by h2o are not bound to a specific server address, port, or X.509 certificate, so the attacker can force the victim connection to wrongfully resume against a different server address or port.
Recommendations: For h2o versions 2.3.0-beta2 and prior, apply the patch available at commit 35760540337a47e5150da0f4a66a609fad2ef0ab to resolve the issue. As a temporary workaround, stop using host-level listen directives in favor of global-level ones to minimize the risk of exploitation.
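As an added illustration of the missing binding the advisory describes (this is not h2o's code or the fix in the referenced commit), the following Python contrasts a resumption ticket whose MAC covers only the session state with one that also covers the issuing listener's address, port and certificate fingerprint; the listener values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAC_LEN = 32  # HMAC-SHA256 output length


@dataclass(frozen=True)
class Listener:
    """Identity of one listener (constructed values in this demo)."""
    address: str
    port: int
    cert_fingerprint: str  # hex SHA-256 of the listener's X.509 certificate


# One process-wide ticket key shared by every listener, as a single server has.
TICKET_KEY = secrets.token_bytes(32)


def _binding(listener: Listener) -> bytes:
    return f"{listener.address}|{listener.port}|{listener.cert_fingerprint}".encode()


def issue_ticket_unbound(session_state: bytes) -> bytes:
    """Vulnerable pattern: the MAC covers the session state only, so any
    listener sharing the key accepts the ticket."""
    mac = hmac.new(TICKET_KEY, session_state, hashlib.sha256).digest()
    return session_state + mac


def resume_unbound(ticket: bytes, listener: Listener) -> bool:
    state, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    expected = hmac.new(TICKET_KEY, state, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)  # listener is never consulted


def issue_ticket_bound(session_state: bytes, listener: Listener) -> bytes:
    """Hardened pattern: the MAC also covers the issuing listener's identity."""
    mac = hmac.new(TICKET_KEY, _binding(listener) + session_state, hashlib.sha256).digest()
    return session_state + mac


def resume_bound(ticket: bytes, listener: Listener) -> bool:
    """Resumption succeeds only on the listener that issued the ticket."""
    state, mac = ticket[:-MAC_LEN], ticket[-MAC_LEN:]
    expected = hmac.new(TICKET_KEY, _binding(listener) + state, hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


# Constructed listeners: same host, two ports fronting different backends.
LISTENER_A = Listener("203.0.113.10", 443, "aa" * 32)
LISTENER_B = Listener("203.0.113.10", 8443, "bb" * 32)
```

With the bound check, a resumption attempt that arrives at a listener other than the issuing one falls back to a full handshake instead of being silently accepted.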

Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers: CVE-2023-41337, GHSA-5V5R-RGHF-RM6Q

Affected Products: Debian, H2O