History: Oct 26, 2023 - 5:35 p.m.

Security Bulletin: IBM DataPower Gateway vulnerable to HTTP/2 "Rapid Reset" Denial of Service (CVE-2023-44487, CVE-2023-39325)

2023-10-26 17:35:42
www.ibm.com
Tags: ibm datapower gateway, vulnerable, http/2, rapid reset, denial of service, multiple versions, fixed, versions, 10.0.1.16, 10.5.0.8, 1.6.11, 1.8.1, protection, disabling protocol

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.72 High
Percentile: 98.0%

Summary

IBM has addressed both CVEs.

Vulnerability Details

CVEID: CVE-2023-39325
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using an HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268645 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-44487
**DESCRIPTION:** Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
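
The pattern described for CVE-2023-44487, many streams opened and then immediately cancelled with RST_STREAM, can be looked for in decoded HTTP/2 frame logs. The following Go example is added here and is not taken from the IBM bulletin or from DataPower; the `Frame` record, the thresholds and the sample traffic are assumptions constructed for illustration.

```go
package main

import "fmt"

// Frame is one client-sent HTTP/2 frame from a log; field names are assumed.
type Frame struct {
	Conn, Type string // connection id; Type is "HEADERS" or "RST_STREAM"
	Stream     uint32
	TimeMs     int64
}

// RapidResetConns flags connections where the client cancelled at least
// threshold streams, each within maxLifeMs of opening it, inside one windowMs
// sliding window. Frames must be in time order.
func RapidResetConns(frames []Frame, windowMs, maxLifeMs int64, threshold int) map[string]bool {
	opened := map[string]int64{}   // "conn/stream" -> time the stream was opened
	resets := map[string][]int64{} // conn -> times of recent quick resets
	flagged := map[string]bool{}
	for _, f := range frames {
		key := fmt.Sprintf("%s/%d", f.Conn, f.Stream)
		start, open := opened[key]
		switch {
		case f.Type == "HEADERS" && !open:
			opened[key] = f.TimeMs
		case f.Type == "RST_STREAM" && open && f.TimeMs-start <= maxLifeMs:
			delete(opened, key) // count each stream once
			q := append(resets[f.Conn], f.TimeMs)
			for f.TimeMs-q[0] > windowMs {
				q = q[1:] // drop resets that fell out of the window
			}
			resets[f.Conn] = q
			if len(q) >= threshold {
				flagged[f.Conn] = true
			}
		}
	}
	return flagged
}

// Sample is constructed traffic: "quiet" cancels one old stream, "noisy"
// opens 30 streams and resets each of them 1 ms later.
func Sample() []Frame {
	fs := []Frame{{"quiet", "HEADERS", 1, 0}, {"quiet", "RST_STREAM", 1, 900}}
	for i := int64(0); i < 30; i++ {
		fs = append(fs, Frame{"noisy", "HEADERS", uint32(2*i + 1), 1000 + 2*i},
			Frame{"noisy", "RST_STREAM", uint32(2*i + 1), 1001 + 2*i})
	}
	return fs
}

func main() { fmt.Println(RapidResetConns(Sample(), 1000, 50, 20)) }
```

The window, stream lifetime and threshold values need tuning against normal traffic for the gateway in question, since legitimate clients also cancel streams.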

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| DataPower Operator | 1.8.0 |
| DataPower Operator | 1.6.0 |
| DataPower Operator | 1.7.0 |
| IBM DataPower Gateway 10.5 CD | 10.5.CD |
| IBM DataPower Gateway 10.0.1 | 10.0.1.0 - 10.0.1.15 |
| IBM DataPower Gateway 10.5.0 | 10.5.0.0 - 10.5.0.7 |

Remediation/Fixes

| Affected Product | Fixed in version | APAR |
|---|---|---|
| IBM DataPower Gateway 10.0.1 | 10.0.1.16 | IT44748 |
| IBM DataPower Gateway 10.5.0 | 10.5.0.8 | IT44748 |
| DataPower Operator 1.6 | 1.6.11 | IT44748 |
| DataPower Operator 1.7 | 1.8.1 | IT44748 |
| DataPower Operator 1.8 | 1.8.1 | IT44748 |

The fix will also appear in the next CD release (DP 10.5 CD).

Workarounds and Mitigations

An MPGW can be protected from this attack by disabling the HTTP/2 protocol until the fix is applied.
