
[Major Incident] CVE-2023-44487 undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [rhpam-7]


Details

    • 2024 Week 7-9 (from Feb 12)

    Description

      Security Tracking Issue

      Do not make this issue public.

      Impact: Major Incident
      Reported Date: 09-Oct-2023
      Resolve Bug By: 17-Oct-2023

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then.

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:

      CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
      https://bugzilla.redhat.com/show_bug.cgi?id=2242803

      The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

    People

      rguimara Roberto Oliveira
      ahanwate1@redhat.com Avinash Hanwate
      Dominik Hanak, Ivo Bek, Jan Rokos, Kris Verlaenen, Marek Novotny, Paramvir Jindal, Roberto Oliveira
      Samuel Kulíšek Samuel Kulíšek