Debian dla-3656 : libnetty-java - security update
The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3656 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-3656-1 [email protected] https://www.debian.org/lts/security/...
Debian DSA-5558-1 : netty - security update
The remote Debian 11 / 12 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5558 advisory. - Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The...
Oracle Linux 9 : nghttp2 (ELSA-2023-6746)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-6746 advisory. 1.43.0-5.1 - fix HTTP/2 Rapid Reset CVE-2023-44487 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note...
Security Bulletin: IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to denial of service due to HTTP/2 Rapid Reset vulnerability (CVE-2023-44487)
Summary IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service with the servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature with the HTTP/2 protocol enabled. Vulnerability Details Refer to the security bulletins...
Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-44487)
Summary IBM WebSphere Application Server Liberty is vulnerable to a denial of service with the servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature with the HTTP/2 protocol enabled. Vulnerability Details CVEID: CVE-2023-44487 DESCRIPTION: Multiple vendors are vulnerable to a denial of...
Security Bulletin: IBM Integration Bus is vulnerable to multiple CVEs due to Apache Tomcat.
Summary Due to Apache Tomcat, IBM Integration Bus is vulnerable to multiple CVEs. CVE-2023-45648, CVE-2023-42794, CVE-2023-44487, CVE-2023-42795. Vulnerability Details CVEID: CVE-2023-45648 DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of HTTP...
RHEL 8 : nodejs:20 (RHSA-2023:7205)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7205 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...
varnish -- HTTP/2 Rapid Reset Attack
Varnish Cache Project reports: A denial of service attack can be performed on Varnish Cache servers that have the HTTP/2 protocol turned on. An attacker can create a large volume of streams and immediately reset them without ever reaching the maximum number of concurrent streams allowed for the...
DoS (Denial of Service) io.netty:netty-codec-http2 in Jira Software Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 9.8.0, 9.9.0, 9.10.0, and 9.11.0 of Jira Software Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H allows...
Rocky Linux 9 : toolbox (RLSA-2023:6077)
The remote Rocky Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:6077 advisory. - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total...
DoS (Denial of Service) org.apache.tomcat:tomcat-coyote in Bamboo Data Center and Server
This High severity Third-Party Dependency vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1 and 9.3.0 of Bamboo Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H...
HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any...
Fedora 39 : nghttp2 (2023-3f70b8d406)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-3f70b8d406 advisory. - fix HTTP/2 Rapid Reset CVE-2023-44487 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that...
Fedora 39 : cachelib / fb303 / fbthrift / fizz / folly / mcrouter / mvfst / etc (2023-7934802344)
The remote Fedora 39 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2023-7934802344 advisory. Update Folly stack to the latest 2023.10.16.00 tag proxygen: Security fix for CVE-2023-44487 Tenable has extracted the preceding description block directly...
Debian DSA-5549-1 : trafficserver - security update
The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5549 advisory. Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or information...
Amazon Linux 2023 : ecs-service-connect-agent (ALAS2023-2023-420)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-420 advisory. An issue was found in libcurl which allows cookies to be inserted into a running program if specific conditions are met. The libcurl provided function, curl_easy_duphandle, is used to duplicate t...
Important: cri-tools
Issue Overview: The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. CVE-2023-39325 Affected Packages: cri-tools Note: This advisory is applicable to Amazon...
SUSE SLES15 / openSUSE 15 Security Update : nodejs10 (SUSE-SU-2023:4295-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:4295-1 advisory. - The HTTP/2 protocol allows a denial of service server resource consumption because request cancellation can reset many strea...
Debian dla-3638 : h2o - security update
The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3638 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3638-1 [email protected] https://www.debian.org/lts/security/...
Debian: Security Advisory (DLA-3641-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2023 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...