OpenBao Secrets Operator HTTP/2 CONTINUATION Flood Vulnerability (GO-2024-2687) - Reachable in Main Branch
A reachable vulnerability has been identified in the openbao/openbao-secrets-operator repository on the main branch. The vulnerability is tracked as GO-2024-2687 and is fixed in version v0.23.0. The issue is an HTTP/2 CONTINUATION flood in the net/http package.

An attacker can cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. The problem stems from the requirement to parse and process all HEADERS and CONTINUATION frames on a connection to maintain HPACK state. When a request's headers exceed MaxHeaderBytes, no memory is allocated for the excess, but the frames are still parsed. This allows an attacker to force an endpoint to read large volumes of header data associated with a request that will be rejected. The headers can include Huffman-encoded data, which is significantly more expensive for the receiver to decode than for the attacker to send.

The fix implements a limit on the amount of excess header frames processed before closing a connection.

The affected code locations include controllers/vaultauth_controller.go:114 (Reconcile function), internal/vault/client.go:463 (Login), internal/vault/client.go:515 (Write), internal/vault/config.go:77 (MakeVaultClient), internal/vault/credentials/aws.go:151 (GetCreds), and main.go:125 (main).
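Because the flaw lives in the HTTP/2 implementation rather than in the operator's own code, the practical remediation is to confirm that the dependency carrying the fix is at or above the fixed version. The following Go program is an added example, not code from the openbao-secrets-operator project: it scans go.mod text for the golang.org/x/net requirement and reports whether it is below v0.23.0. It assumes that the "v0.23.0" named in the report refers to the golang.org/x/net module (the module that supplies the http2 code used by net/http), and the embedded go.mod is a constructed sample, not the repository's real file. It handles both the single-line and the block form of the require directive and strips trailing `// indirect` comments.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleGoMod is a constructed go.mod used only for demonstration; it is not
// the openbao-secrets-operator's real module file.
const sampleGoMod = `module example.com/secrets-operator

go 1.21

require (
	golang.org/x/net v0.21.0
	sigs.k8s.io/controller-runtime v0.16.3
)
`

// fixedXNet is the version the GO-2024-2687 report names as carrying the fix
// (assumed here to be golang.org/x/net).
const fixedXNet = "v0.23.0"

// parseSemver turns "vMAJOR.MINOR.PATCH" into three integers; any
// pre-release or build suffix is dropped before parsing.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version format %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("non-numeric component in %q: %w", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// versionLess reports whether a sorts strictly before b.
func versionLess(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// requiredVersion returns the version pinned for module in the go.mod text,
// accepting "require m v" lines and entries inside a "require ( ... )" block.
func requiredVersion(gomod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:i])
		}
		switch {
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		f := strings.Fields(line)
		if inBlock && len(f) == 2 && f[0] == module {
			return f[1], true
		}
		if !inBlock && len(f) == 3 && f[0] == "require" && f[1] == module {
			return f[2], true
		}
	}
	return "", false
}

// VulnerableToGO20242687 reports whether go.mod pins golang.org/x/net below the
// fixed version. If the module is absent the HTTP/2 code comes from the
// standard library instead, which must be covered by a patched Go toolchain.
func VulnerableToGO20242687(gomod string) (vulnerable bool, pinned string, err error) {
	v, ok := requiredVersion(gomod, "golang.org/x/net")
	if !ok {
		return false, "", nil
	}
	have, err := parseSemver(v)
	if err != nil {
		return false, v, err
	}
	want, _ := parseSemver(fixedXNet)
	return versionLess(have, want), v, nil
}

func main() {
	vuln, v, err := VulnerableToGO20242687(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("golang.org/x/net %s pinned; below %s: %v\n", v, fixedXNet, vuln)
}
```

The version comparison is deliberately minimal: it covers the three-component tags that golang.org/x/net publishes, and anything else surfaces as an error rather than a silent pass. A go.mod that does not require golang.org/x/net at all is not reported as safe by this check, only as not pinning the module, since the same CONTINUATION handling is then provided by the toolchain's net/http.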