
1444 matches found

Amazon | added 2023/10/19 12:00 a.m. | 3 views

Important: runc

Issue Overview: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 Affected Packages: runc Note: This advisory is applicable to Amazon Linux...

CVSS 7.5 | AI score 6.9 | EPSS 0.03796 | Exploits 0

Amazon | added 2023/10/19 12:00 a.m. | 6 views

Important: docker

Issue Overview: http2/hpack: avoid quadratic complexity in hpack decoding CVE-2022-41723 Templates did not properly consider backticks as Javascript string delimiters, and as such did not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contained a G...

CVSS 9.8 | AI score 7.6 | EPSS 0.04561 | Exploits 0

Tenable Nessus | added 2023/10/19 12:00 a.m. | 52 views

RHEL 9 : grafana (RHSA-2023:5866)

The remote Red Hat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:5866 advisory. Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Security Fixes: HTTP/2: Multip...

CVSS 7.5 | AI score 7.4 | EPSS 0.99999 | Exploits 19 | References 8

RedHat Linux | added 2023/10/18 10:54 p.m. | 73 views

Moderate: Red Hat Security Advisory: grafana security update

An update for grafana is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for...

CVSS 7.5 | AI score 7 | EPSS 0.99999 | Exploits 19 | References 4

RedHat Linux | added 2023/10/17 6:07 p.m. | 52 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.13.17 bug fix and security update

Red Hat OpenShift Container Platform release 4.13.17 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a...

CVSS 7.5 | AI score 7.1 | EPSS 0.99999 | Exploits 19 | References 33

OSV | added 2023/10/17 12:41 p.m. | 93 views

GHSA-9WMC-RG4H-28WV github.com/kumahq/kuma affected by CVE-2023-44487

Impact Envoy and Go HTTP/2 protocol stack is vulnerable to the "Rapid Reset" class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames. This can be exercised if you use the builtin gateway and receive untrusted http2 traffic. Patches...

CVSS 7.5 | AI score 7.8 | Exploits 0 | References 11

Debian | added 2023/10/16 10:23 p.m. | 54 views

[SECURITY] [DLA 3617-2] tomcat9 regression update

Debian LTS Advisory DLA-3617-2 [email protected] https://www.debian.org/lts/security/ Markus Koschany October 17, 2023 https://wiki.debian.org/LTS Package : tomcat9 Version : 9.0.31-1deb10u10 CVE ID : CVE-2023-44487 A regression was discovered in the Http2UpgradeHandler class of Tomcat ...

CVSS 7.5 | AI score 7 | EPSS 0.99999 | Exploits 19

Debian | added 2023/10/16 9:36 p.m. | 78 views

[SECURITY] [DSA 5522-3] tomcat9 regression update

------------------------------------------------------------------------- Debian Security Advisory DSA-5522-3 [email protected] https://www.debian.org/security/ Markus Koschany October 16, 2023 https://www.debian.org/security/faq -...

CVSS 7.5 | AI score 7.5 | EPSS 0.99999 | Exploits 19

RedHat Linux | added 2023/10/16 2:23 p.m. | 82 views

Important: Red Hat Security Advisory: Red Hat Data Grid 8.4.5 security update

An update for Red Hat Data Grid 8 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the...

CVSS 7.5 | AI score 7 | EPSS 0.99999 | Exploits 19 | References 5

RedHat Linux | added 2023/10/16 12:38 p.m. | 67 views

Important: Red Hat Security Advisory: go-toolset:rhel8 security update

An update for the go-toolset:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 7.5 | AI score 7.1 | EPSS 0.99999 | Exploits 19 | References 4

OSV | added 2023/10/16 12:00 a.m. | 56 views

ALSA-2023:5721 Important: go-toolset:rhel8 security update

Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: net/http, x/net/http2: rapid stream resets can cause excessive work CVE-2023-44487 CVE-2023-39325 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS...

CVSS 7.5 | AI score 8.3 | EPSS 0.99999 | Exploits 19 | References 6

Tenable Nessus | added 2023/10/16 12:00 a.m. | 58 views

RHEL 7 : go-toolset-1.19 and go-toolset-1.19-golang (RHSA-2023:5719)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5719 advisory. Go Toolset provides the Go programming language tools and libraries. Go is alternatively known as golang. Security Fixes: golang: net/http,...

CVSS 7.5 | AI score 7.5 | EPSS 0.99999 | Exploits 19 | References 7

Tenable Nessus | added 2023/10/14 12:00 a.m. | 58 views

FreeBSD : traefik -- Resource exhaustion by malicious HTTP/2 client (7a1b2624-6a89-11ee-af06-5404a68ad561)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 7a1b2624-6a89-11ee-af06-5404a68ad561 advisory. - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cau...

CVSS 7.5 | AI score 7.3 | EPSS 0.99999 | Exploits 19 | References 4

Veracode | added 2023/10/13 9:18 a.m. | 32 views

Denial Of Service (DoS)

Golang.org/x/net is vulnerable to Denial of Service (DoS). This vulnerability exists due to a flaw which allows a user to send a request, and quickly cancel it. The http2.Server.MaxConcurrentStreams limits the amount of allowed inflight requests, but does not handle the situation of resetting the...

CVSS 7.5 | AI score 6.6 | EPSS 0.03796 | Exploits 0 | References 47 | Affected software 2

OSV | added 2023/10/11 10:15 p.m. | 8 views

AZL-34996 CVE-2023-39325 affecting package moby-containerd-cc for versions less than 1.7.1-5

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.03796 | Exploits 0 | References 1

OSV | added 2023/10/11 10:15 p.m. | 9 views

AZL-35121 CVE-2023-39325 affecting package prometheus-adapter for versions less than 0.12.0-1

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.03796 | Exploits 0 | References 1

OSV | added 2023/10/11 10:15 p.m. | 2 views

AZL-50339 CVE-2023-39325 affecting package prometheus for versions less than 2.37.9-2

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.03796 | Exploits 0 | References 1

OSV | added 2023/10/11 10:15 p.m. | 3 views

AZL-35302 CVE-2023-39325 affecting package telegraf for versions less than 1.27.3-3

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.03796 | Exploits 0 | References 1

OSV | added 2023/10/11 10:15 p.m. | 5 views

AZL-34622 CVE-2023-39325 affecting package containerized-data-importer for versions less than 1.57.0-8

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.6 | EPSS 0.03796 | Exploits 0 | References 1

OSV | added 2023/10/11 10:15 p.m. | 48 views

CVE-2023-39325

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a ne...

CVSS 7.5 | AI score 6.9 | Exploits 0 | References 43
