CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.732 High
EPSS Percentile: 98.1%
IBM Cloud Kubernetes Service is affected by a Kubernetes Ingress Controller vulnerability in the HTTP/2 protocol that allows a denial of service because request cancellation can reset many streams quickly (CVE-2023-44487).
CVE-2023-44487
Description:
The HTTP/2 protocol is vulnerable to a denial of service, caused by an uncontrolled server resource consumption flaw, because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. By sending specially crafted requests using an HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/268645> for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM Cloud Kubernetes Service clusters with Kubernetes Ingress application load balancers (ALBs) with versions below 1.8.4_5586_iks are affected.
ALB version 1.8.4_5586_iks contains fixes for this vulnerability and will be marked as the default version for ALBs. Automatic updates to Ingress ALBs are enabled by default, therefore ALBs are automatically updated by IBM when a new default image version is available.
To verify your IBM Cloud Kubernetes Service clusters with Kubernetes Ingress application load balancers (ALBs) are no longer exposed to this vulnerability, use the following IBM Cloud CLI command to list all Ingress ALB IDs in a cluster to confirm the version:
ibmcloud ks ingress alb ls
If the ALB version is 1.8.4_5586_iks or later, the ALB is no longer exposed to this vulnerability.
If the version has not been automatically updated, use the following IBM Cloud CLI command to check the configuration of automatic updates:
ibmcloud ks ingress alb autoupdate get
If automatic updates for the Ingress ALBs are disabled, you can force a one-time update of your ALBs with the following command:
ibmcloud ks ingress alb update --version 1.8.4_5586_iks
After you force a one-time update, automatic updates remain disabled. You can use the following IBM Cloud CLI command to re-enable the automatic updates by IBM when a new default image version is available:
ibmcloud ks ingress alb autoupdate enable
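The check described above, as an added POSIX shell example that is not part of the IBM bulletin: it parses an ALB listing, compares each build against the fixed version 1.8.4_5586_iks, and names the ALBs that still need attention. The sample listing, its column layout (ALB ID first, Build last) and the "ingress:" image prefix are constructed assumptions, not real CLI output.

```shell
#!/bin/sh
# Added example (not IBM's code): flag Ingress ALBs still below the fixed build.
FIXED_VERSION="1.8.4_5586_iks"   # fixed ALB version named in the bulletin

# Turn "1.8.4_5586_iks" (optionally prefixed "ingress:") into a sortable integer.
# Assumes the MAJOR.MINOR.PATCH_BUILD_iks layout used on this page.
version_key() {
    v="${1#ingress:}"          # drop an assumed "ingress:" image prefix, if present
    v="${v%_iks}"              # drop the "_iks" suffix
    build="${v##*_}"           # build number after the underscore
    semver="${v%_*}"           # MAJOR.MINOR.PATCH
    major="${semver%%.*}"
    rest="${semver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    # Leading "1" keeps the key free of leading zeros for integer comparison.
    printf '1%03d%03d%03d%06d' "$major" "$minor" "$patch" "$build"
}

# True (exit 0) when ALB version $1 is at or above version $2.
version_at_least() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# Constructed sample standing in for `ibmcloud ks ingress alb ls` output.
# The column layout (ALB ID first, Build last) is an assumption, not real CLI output.
SAMPLE_ALB_LIST='ALB ID                  Enabled  Status    Type     Build
public-crabc123-alb1    true     healthy   public   ingress:1.8.4_5586_iks
private-crabc123-alb1   true     healthy   private  ingress:1.7.2_5421_iks
public-crabc123-alb2    false    disabled  public   ingress:1.8.4_5586_iks'

# Print the ID of every ALB whose Build column is below FIXED_VERSION, one per line.
outdated_albs() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $1, $NF }' | while read -r id build; do
        version_at_least "$build" "$FIXED_VERSION" || echo "$id"
    done
}

# Walk the sample; in a real cluster, feed in "$(ibmcloud ks ingress alb ls)" instead.
for id in $(outdated_albs "$SAMPLE_ALB_LIST"); do
    echo "ALB $id is below $FIXED_VERSION; check 'ibmcloud ks ingress alb autoupdate get'"
done
```

For an ALB the script reports, the bulletin's remaining steps apply: inspect autoupdate state, force the one-time update if needed, then re-enable automatic updates.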
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ibm cloud kubernetes service and red hat openshift on ibm cloud | eq | any |