Cert Manager support for Red Hat OpenShift
CM-448

CVE-2023-45288 - golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS


Type: Bug
Resolution: Unresolved
Priority: Normal
Version: cert-manager-1.14

Found in cert-manager 1.14.1 (latest version)

A result of outdated kube-rbac-proxy 4.15.35, which uses x/net v0.17.0.

The latest images of ose-kube-rbac-proxy have:

Tag                                                   Built       Arch   Advisory
v4.13.0-202411300029.p0.gf35f954.assembly.stream.el8  2 days ago  amd64  RHSA-2024:10813
v4.15.0-202412041605.p0.g9308e7f.assembly.stream.el8  2 days ago  amd64  RHSA-2024:10839
v4.12.0-202411181727.p0.gc69fae7.assembly.stream.el8  9 days ago  amd64  RHBA-2024:10533
v4.14.0-202411261536.p0.gb8b8259.assembly.stream.el8  9 days ago  amd64  RHSA-2024:10523

Note: per engineering - https://redhat-internal.slack.com/archives/C04JVEQ8C79/p1734333336693699?thread_ts=1727383532.715009&cid=C04JVEQ8C79

cert-manager is not exposed to this CVE, but we should still fix it in both the 1.15 release as well as a 1.14 z-stream release.
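The issue pins the exposure on the x/net version compiled into the kube-rbac-proxy binary. The script below is an added example (not code from this issue, cert-manager, or kube-rbac-proxy) showing how to confirm that for any Go binary: it reads the output of `go version -m <binary>`, which lists the toolchain and every module built in, and flags both vectors named in the CVE title, the stdlib net/http (toolchain version) and golang.org/x/net. The fix thresholds it uses (golang.org/x/net v0.23.0; Go 1.21.9 / 1.22.2) come from the upstream Go vulnerability report for CVE-2023-45288, not from this page, and are an assumption to confirm against the advisory you are tracking. The embedded sample output is constructed, with made-up hashes.

```python
"""Flag a Go binary whose net/http or golang.org/x/net predates the CVE-2023-45288 fix.

Added example; not code from the Jira issue, cert-manager, or kube-rbac-proxy.
Input is the output of `go version -m <binary>`. The fix thresholds below
(golang.org/x/net v0.23.0, Go 1.21.9 / 1.22.2) are taken from the upstream Go
vulnerability report for this CVE and are an assumption to confirm against the
advisory you are tracking.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Assumed fix thresholds (see module docstring).
FIXED_XNET = (0, 23, 0)
FIXED_GO_PATCH = {21: 9, 22: 2}  # go1.21.x needs x >= 9, go1.22.x needs x >= 2; later minors carry the fix

# Constructed sample in the shape of `go version -m` output for a binary built
# against x/net v0.17.0, the version named in the issue. Hashes are made up.
SAMPLE_GO_VERSION_M = (
    "kube-rbac-proxy: go1.21.5\n"
    "\tpath\tgithub.com/brancz/kube-rbac-proxy\n"
    "\tmod\tgithub.com/brancz/kube-rbac-proxy\t(devel)\n"
    "\tdep\tgolang.org/x/net\tv0.17.0\th1:CONSTRUCTED0000000000000000000000000000000=\n"
    "\tdep\tgolang.org/x/sys\tv0.13.0\th1:CONSTRUCTED1111111111111111111111111111111=\n"
)


def parse_semver(v: str) -> tuple[int, int, int]:
    """'v0.17.0' or 'go1.21.5' -> (major, minor, patch); pseudo-version suffixes are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def module_versions(output: str) -> dict[str, str]:
    """Map module path -> built version for each dep/mod line, honouring '=>' replace lines."""
    versions: dict[str, str] = {}
    last: str | None = None
    for line in output.splitlines():
        fields = [f for f in line.split("\t") if f]
        if not fields:
            continue
        if fields[0] in ("dep", "mod") and len(fields) >= 3:
            versions[fields[1]] = fields[2]
            last = fields[1]
        elif fields[0] == "=>" and last is not None and len(fields) >= 3:
            versions[last] = fields[2]  # replaced module: the replacement is what was compiled in
    return versions


def toolchain_version(output: str) -> str:
    """First line is '<binary>: go1.21.5'; return the 'go1.21.5' part."""
    first = output.splitlines()[0]
    m = re.search(r":\s*(go\d+\.\d+(?:\.\d+)?)", first)
    if not m:
        raise ValueError(f"no toolchain version in: {first!r}")
    return m.group(1)


def go_vulnerable(go_version: str) -> bool:
    """True if the stdlib net/http in this toolchain predates the fix (assumed thresholds)."""
    major, minor, patch = parse_semver(go_version)
    if major > 1 or minor > max(FIXED_GO_PATCH):
        return False
    if minor in FIXED_GO_PATCH:
        return patch < FIXED_GO_PATCH[minor]
    return True  # go1.20 and older never received the fix


def assess(output: str) -> dict[str, object]:
    """Evaluate one `go version -m` output for both vectors named in the CVE title."""
    go_ver = toolchain_version(output)
    xnet = module_versions(output).get("golang.org/x/net")
    return {
        "go": go_ver,
        "go_vulnerable": go_vulnerable(go_ver),
        "xnet": xnet,
        # A binary with no x/net dependency is only exposed through the stdlib.
        "xnet_vulnerable": xnet is not None and parse_semver(xnet) < FIXED_XNET,
    }


def assess_binary(path: str) -> dict[str, object]:
    """Run `go version -m` on a real binary (needs a Go toolchain on PATH)."""
    proc = subprocess.run(["go", "version", "-m", path], check=True, capture_output=True, text=True)
    return assess(proc.stdout)


if __name__ == "__main__":
    result = assess_binary(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE_GO_VERSION_M)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the path to a binary extracted from the image (for example the kube-rbac-proxy executable copied out of an ose-kube-rbac-proxy container) to get both verdicts; without an argument it evaluates the constructed sample, which reports both the go1.21.5 toolchain and x/net v0.17.0 as predating the fix. Checking the toolchain as well as x/net matters because a rebuild that bumps x/net alone still leaves the stdlib net/http server exposed.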

       

              Unassigned Unassigned
              rh-ee-npng Nick Png
              Votes:
              1 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: