CVE-2023-30847

8.2 HIGH

📋 TL;DR

CVE-2023-30847 is a memory corruption vulnerability in H2O HTTP server's reverse proxy handler that occurs when processing certain invalid HTTP requests. This can cause crashes or information disclosure to backend servers. Affected users are those running H2O versions 2.3.0-beta2 and earlier with reverse proxy functionality enabled.

💻 Affected Systems

Products:
  • H2O HTTP Server
Versions: 2.3.0-beta2 and prior versions
Operating Systems: All platforms running H2O
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects configurations using reverse proxy functionality. The vulnerability triggers when processing specific invalid HTTP requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, though this is less likely than information disclosure or denial of service.

🟠 Likely Case

Server crashes causing denial of service, or memory content leakage to backend servers potentially exposing sensitive data.

🟢 If Mitigated

Limited impact with proper network segmentation and reverse proxy isolation, though crashes could still affect availability.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific invalid HTTP requests that trigger the uninitialized pointer condition. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit f010336 or later from master branch

Vendor Advisory: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx

Restart Required: Yes

Instructions:

1. Update H2O to commit f010336 or later from the master branch.
2. Rebuild from source if using source installation.
3. Restart the H2O service.
4. Verify the fix by checking the commit hash matches f010336 or later.

🔧 Temporary Workarounds

Disable Reverse Proxy

all

Temporarily disable reverse proxy functionality if not required

Modify H2O configuration to remove reverse proxy directives

Request Filtering

all

Implement WAF or load balancer to filter malformed HTTP requests

🧯 If You Can't Patch

  • Implement network segmentation to isolate H2O servers from sensitive backend systems
  • Deploy Web Application Firewall (WAF) with rules to detect and block malformed HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check H2O version: if running version 2.3.0-beta2 or earlier, and reverse proxy is enabled, the system is vulnerable.
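
To find out whether reverse proxy is enabled, and which directives the "Disable Reverse Proxy" workaround would have to remove, the configuration can be audited with a short script. This is an added example, not code from the advisory or the H2O project: the directive names proxy.reverse.url and proxy.reverse.backends come from H2O's configuration reference rather than from this page, the sample configuration is constructed, and the scan is line-based, so it does not follow included files or flow-style mappings.

```python
import re

# Directives that attach H2O's reverse proxy handler (assumed from H2O's config reference).
PROXY_DIRECTIVES = ("proxy.reverse.url", "proxy.reverse.backends")
_NAMES = "|".join(re.escape(d) for d in PROXY_DIRECTIVES)
_DIRECTIVE_RE = re.compile(r"^\s*(?:-\s*)?[\"']?(" + _NAMES + r")[\"']?\s*:\s*(.*)$")

def strip_comment(line):
    """Drop a YAML comment: '#' at line start or after whitespace, outside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "#" and (i == 0 or line[i - 1].isspace()):
            return line[:i]
    return line

def find_reverse_proxy(config_text):
    """Return (line_number, directive, value) for each active reverse-proxy directive."""
    hits = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        match = _DIRECTIVE_RE.match(strip_comment(raw).rstrip())
        if match:
            hits.append((number, match.group(1), match.group(2).strip("\"' ")))
    return hits

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
hosts:
  "example.test:443":
    paths:
      "/":
        file.dir: /var/www/html
      "/api":
        proxy.reverse.url: "http://127.0.0.1:8080/"   # backend
      # "/old":
      #   proxy.reverse.url: http://127.0.0.1:9090/
      "/app":
        proxy.reverse.backends:
          - http://127.0.0.1:8081/
"""

if __name__ == "__main__":
    for number, directive, value in find_reverse_proxy(SAMPLE_CONF):
        print(f"line {number}: {directive} {value or '(list follows)'}")
```

An empty result means no active reverse-proxy directive was found in that file; commented-out directives are ignored, so a directive disabled as a workaround no longer shows up.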

Check Version:

Check H2O configuration files for version information or examine build/installation logs

Verify Fix Applied:

Verify the installed commit hash is f010336 or later: check build logs or run 'h2o --version' if available.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected server crashes
  • Error messages related to reverse proxy URL building
  • Memory access violation logs

Network Indicators:

  • Malformed HTTP requests to reverse proxy endpoints
  • Unusual traffic patterns to backend servers

SIEM Query:

source="h2o" AND (error OR crash OR "uninitialized" OR "reverse proxy")
