ID

VAR-202310-0175

CVE

CVE-2023-44487

TITLE

Red Hat Security Advisory 2023-6239-01

DESCRIPTION

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Description: Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. The following data is constructed from data provided by Red Hat's json file at: https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6048.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Important: ACS 4.2 enhancement and security update Advisory ID: RHSA-2023:6048-01 Product: Red Hat Advanced Cluster Security for Kubernetes Advisory URL: https://access.redhat.com/errata/RHSA-2023:6048 Issue date: 2023-10-23 Revision: 01 CVE Names: CVE-2023-39325 ==================================================================== Summary: Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: This release of RHACS 4.2.2 includes fixes for the following security vulnerabilities: Security Fix(es): * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325) * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. It contains the following bug fixes and changes: * Previously, Red Hat OpenShift Container Platform customers using the downloaded manifest bundle with automatic upgrades enabled found that Sensor did not automatically upgrade, and failed with a `PRE_FLIGHT_CHECKS_FAILED` error. This issue has been fixed. (ROX-19955) * RHACS 4.2.2 includes a new default policy called \"Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol\". This policy alerts on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers, based on CVE-2023-44487 and CVE-2023-39325. This policy applies to the build or deploy life cycle stage. Solution: CVEs: CVE-2023-39325 References: https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_security_for_kubernetes/4.2/html/release_notes/release-notes-42 https://access.redhat.com/security/cve/CVE-2023-39325 https://access.redhat.com/security/cve/CVE-2023-44487 https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 . Description: Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up. ========================================================================== Ubuntu Security Notice USN-6438-1 October 19, 2023 dotnet6, dotnet7 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 Summary: Several security issues were fixed in dotnet6, dotnet7. Software Description: - dotnet6: dotNET CLI tools and runtime - dotnet7: dotNET CLI tools and runtime Details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-36799) It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2023-44487) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: aspnetcore-runtime-6.0 6.0.123-0ubuntu1 aspnetcore-runtime-7.0 7.0.112-0ubuntu1 dotnet-host 6.0.123-0ubuntu1 dotnet-host-7.0 7.0.112-0ubuntu1 dotnet-hostfxr-6.0 6.0.123-0ubuntu1 dotnet-hostfxr-7.0 7.0.112-0ubuntu1 dotnet-runtime-6.0 6.0.123-0ubuntu1 dotnet-runtime-7.0 7.0.112-0ubuntu1 dotnet-sdk-6.0 6.0.123-0ubuntu1 dotnet-sdk-7.0 7.0.112-0ubuntu1 dotnet6 6.0.123-0ubuntu1 dotnet7 7.0.112-0ubuntu1 In general, a standard system update will make all the necessary changes. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Find out more about Data Grid 8.4.5 in the Release Notes[3]. Description: .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Description: nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202408-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: nghttp2: Multiple Vulnerabilities Date: August 07, 2024 Bugs: #915554, #928541 ID: 202408-10 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in nghttp2, the worst of which could lead to a denial of service. Background ========== Nghttp2 is an implementation of HTTP/2 and its header compression algorithm HPACK in C. Affected packages ================= Package Vulnerable Unaffected ---------------- ------------ ------------ net-libs/nghttp2 < 1.61.0 >= 1.61.0 Description =========== Multiple vulnerabilities have been discovered in nghttp2. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All nghttp2 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-libs/nghttp2-1.61.0" References ========== [ 1 ] CVE-2023-44487 https://nvd.nist.gov/vuln/detail/CVE-2023-44487 [ 2 ] CVE-2024-28182 https://nvd.nist.gov/vuln/detail/CVE-2024-28182 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202408-10 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

EXTERNAL IDS

REFERENCES