Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: 4.15.0
Component/s: Networking / ingress-node-firewall
Labels:

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.15.0

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

Security Tracking IssueDo not make this issue public.Flaw:CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)
https://bugzilla.redhat.com/show_bug.cgi?id=2243296A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded to the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.This CVE is specific to golang, but is also tracked as CVE-2023-44487.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1.
2.
3.

Actual results:

Expected results:

Additional info:

links to

openshift/ingress-node-firewall#410: OCPBUGS-21646: fix bump net/http2 to fix CVE-2023-44487

openshift/ingress-node-firewall#415: OCPBUGS-21646: Modify controller-runtime to disable HTTP/2 for metrics and webhooks

RHEA-2023:7197 rpm

Assignee:: Mohamed Mahmoud

Reporter:: Mohamed Mahmoud

QA Contact:: Anurag Saxena

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2023/10/16 11:13 AM

Updated:: 2024/02/27 8:55 AM

Resolved:: 2024/02/27 8:54 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates