csaf_redhat - rhsa-2023

rhsa-2023_6121

Vulnerability from csaf_redhat

Published

2023-10-25 15:56

Modified

2024-12-23 14:16

Summary

Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.1 security and bug fix update

Notes

Topic

The Migration Toolkit for Containers (MTC) 1.8.1 is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Security Fix(es): * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325) A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The Migration Toolkit for Containers (MTC) 1.8.1 is now available.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.\n\nSecurity Fix(es):\n\n* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset Attack) (CVE-2023-39325)\n\nA Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the References section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:6121",
        "url": "https://access.redhat.com/errata/RHSA-2023:6121"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
        "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
      },
      {
        "category": "external",
        "summary": "2243296",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6121.json"
      }
    ],
    "title": "Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.8.1 security and bug fix update",
    "tracking": {
      "current_release_date": "2024-12-23T14:16:09+00:00",
      "generator": {
        "date": "2024-12-23T14:16:09+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.4"
        }
      },
      "id": "RHSA-2023:6121",
      "initial_release_date": "2023-10-25T15:56:00+00:00",
      "revision_history": [
        {
          "date": "2023-10-25T15:56:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-10-25T15:56:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-12-23T14:16:09+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "8Base-RHMTC-1.8",
                "product": {
                  "name": "8Base-RHMTC-1.8",
                  "product_id": "8Base-RHMTC-1.8",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhmt:1.8::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Migration Toolkit"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64",
                  "product_id": "rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-controller-rhel8\u0026tag=v1.8.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
                  "product_id": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-hook-runner-rhel8\u0026tag=v1.8.1-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
                  "product_id": "rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-log-reader-rhel8\u0026tag=v1.8.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
                  "product_id": "rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-must-gather-rhel8\u0026tag=v1.8.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
                  "product_id": "rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-openvpn-rhel8\u0026tag=v1.8.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
                  "product_id": "rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rhel8-operator\u0026tag=v1.8.1-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
                  "product_id": "rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-operator-bundle\u0026tag=v1.8.1-7"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
                  "product_id": "rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-registry-rhel8\u0026tag=v1.8.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
                  "product_id": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-rsync-transfer-rhel8\u0026tag=v1.8.1-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
                  "product_id": "rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-ui-rhel8\u0026tag=v1.8.1-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64",
                "product": {
                  "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64",
                  "product_id": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78?arch=amd64\u0026repository_url=registry.redhat.io/rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8\u0026tag=v1.8.1-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64 as a component of 8Base-RHMTC-1.8",
          "product_id": "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64"
        },
        "product_reference": "rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64",
        "relates_to_product_reference": "8Base-RHMTC-1.8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-39325",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-10-10T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2243296"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64"
        ],
        "known_not_affected": [
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
          "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "RHBZ#2243296",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
        },
        {
          "category": "external",
          "summary": "RHSB-2023-003",
          "url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
          "url": "https://access.redhat.com/security/cve/CVE-2023-44487"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/63417",
          "url": "https://go.dev/issue/63417"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-2102",
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
          "url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
        }
      ],
      "release_date": "2023-10-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-10-25T15:56:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6121"
        },
        {
          "category": "workaround",
          "details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
          "product_ids": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-controller-rhel8@sha256:6150f27bf1aeaf433d7e86f0c05f2c46e817a9258b80bb4dfe01bde5b334c403_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-hook-runner-rhel8@sha256:2a02b8eabd742ab9a5ec4977d3c3c64a83d57e92480da30d96359ad179f28a87_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-log-reader-rhel8@sha256:806d60311942650a89bb33e231084d9c0216a4bc9dfbb25f7b6c2729b3b59325_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-must-gather-rhel8@sha256:fa97c0ec47a3035972ca404268f74e4e649c632d3ba2c76aaca25c7a0261e3df_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-openvpn-rhel8@sha256:59095f4c3d4aa375b561f3101e1893a633e88193d824a353434e211d180875c0_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-operator-bundle@sha256:fb9482b83a1f76ba1310f662466913f4a493d01ff69a4b3466a8aaa8ba2897bb_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-registry-rhel8@sha256:a8c3bbb11b3d639c22853e63424d3eb65eefea87580631c99518ebeabe30ba00_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rhel8-operator@sha256:946e92fe2bdc50791dd8ebc6c1d00b5d65147d8e0f67e92df169edfadc999be8_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-rsync-transfer-rhel8@sha256:18f5774d6eb800a3fb9df52ca273609945f535985bede38a9d9e785d6349008f_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-ui-rhel8@sha256:902bb9b2efd6b7b529b36b197d7ac9f3f6a8b3b71503d66861411b77649c5cf3_amd64",
            "8Base-RHMTC-1.8:rhmtc/openshift-migration-velero-plugin-for-mtc-rhel8@sha256:a24897ee613d9578f4972b9c3f686299001653d76d3dac3ef22e534a4cff4e78_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
    }
  ]
}

cve-2023-39325

Vulnerability from cvelistv5

Published

2023-10-11 21:15

Modified

2024-08-02 18:02

Severity ?

Summary

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

References

▼	URL	Tags
	https://go.dev/issue/63417
	https://go.dev/cl/534215
	https://go.dev/cl/534235
	https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ
	https://pkg.go.dev/vuln/GO-2023-2102
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
	https://security.netapp.com/advisory/ntap-20231110-0008/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/
	https://security.gentoo.org/glsa/202311-09
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/
	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/

Impacted products

Vendor

Product

Version

▼

Go standard library

net/http

Version: 0 ≤
Version: 1.21.0-0 ≤

golang.org/x/net

golang.org/x/net/http2

Version: 0 ≤

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T18:02:06.746Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/issue/63417"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/534215"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://go.dev/cl/534235"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2023-2102"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-09"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "net/http",
          "product": "net/http",
          "programRoutines": [
            {
              "name": "http2serverConn.serve"
            },
            {
              "name": "http2serverConn.processHeaders"
            },
            {
              "name": "http2serverConn.upgradeRequest"
            },
            {
              "name": "http2serverConn.runHandler"
            },
            {
              "name": "ListenAndServe"
            },
            {
              "name": "ListenAndServeTLS"
            },
            {
              "name": "Serve"
            },
            {
              "name": "ServeTLS"
            },
            {
              "name": "Server.ListenAndServe"
            },
            {
              "name": "Server.ListenAndServeTLS"
            },
            {
              "name": "Server.Serve"
            },
            {
              "name": "Server.ServeTLS"
            },
            {
              "name": "http2Server.ServeConn"
            }
          ],
          "vendor": "Go standard library",
          "versions": [
            {
              "lessThan": "1.20.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "1.21.3",
              "status": "affected",
              "version": "1.21.0-0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "golang.org/x/net/http2",
          "product": "golang.org/x/net/http2",
          "programRoutines": [
            {
              "name": "serverConn.serve"
            },
            {
              "name": "serverConn.processHeaders"
            },
            {
              "name": "serverConn.upgradeRequest"
            },
            {
              "name": "serverConn.runHandler"
            },
            {
              "name": "Server.ServeConn"
            }
          ],
          "vendor": "golang.org/x/net",
          "versions": [
            {
              "lessThan": "0.17.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-11T21:15:02.727Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://go.dev/issue/63417"
        },
        {
          "url": "https://go.dev/cl/534215"
        },
        {
          "url": "https://go.dev/cl/534235"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2023-2102"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231110-0008/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXGWPQOJ3JNDW2XIYKIVJ7N7QUIFNM2Q/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZQIELEIRSZUYTFFH5KTH2YJ4IIQG2KE/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QF5QSYAOPDOWLY6DUHID56Q4HQFYB45I/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XTNLSL44Y5FB6JWADSZH6DCV4JJAAEQY/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ECRC75BQJP6FJN2L7KCKYZW4DSBD7QSD/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BUK2ZIAGCULOOYDNH25JPU6JBES5NF2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRKEXKANQ7BKJW2YTAMP625LJUJZLJ4P/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2BBIDR2ZMB3X5BC7SR4SLQMHRMVPY6L/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T7N5GV4CHH6WAGX3GFMDD3COEOVCZ4RI/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/REMHVVIBDNKSRKNOTV7EQSB7CYQWOUOU/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UTT7DG3QOF5ZNJLUGHDNLRUIN6OWZARP/"
        },
        {
          "url": "https://security.gentoo.org/glsa/202311-09"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZN67IL7HMGMNAVLOTIXLIHUDXZK4LH/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NG7IMPL55MVWU3LCI4JQJT3K2U5CHDV7/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSY7SXFFTPZFWDM6XELSDSHZLVW3AHK7/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WCNCBYKZXLDFGAJUB7ZP5VLC3YTHJNVH/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVZDNSMVDAQJ64LJC5I5U5LDM5753647/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZSVEMQV5ROY5YW5QE3I57HT3ITWG5GCV/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CHHITS4PUOZAKFIUBQAQZC7JWXMOYE4B/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3OVW5V2DM5K5IC3H7O42YDUGNJ74J35O/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KEOTKBUPZXHE3F352JBYNTSNRXYLWD6P/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MZQYOOKHQDQ57LV2IAG6NRFOVXKHJJ3Z/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5RSKA2II6QTD4YUKUNDVJQSRYSFC4VFR/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FTMJ3NJIDAZFWJQQSP3L22MUFJ3UP2PT/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPWCNYB5PQ5PCVZ4NJT6G56ZYFZ5QBU6/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2LZSWTV4NV4SNQARNXG5T6LRHP26EW2/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PJCUNGIQDUMZ4Z6HWVYIMR66A35F5S74/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L5E5JSJBZLYXOTZWXHJKRVCIXIHVWKJ6/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YJWHBLVZDM5KQSDFRBFRKU5KSSOLIRQ4/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3WJ4QVX2AMUJ2F2S27POOAHRC4K3CHU4/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODBY7RVMGZCBSTWF2OZGIZS57FNFUL67/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXOU2JZUBEBP7GBKAYIJRPRBZSJCD7ST/"
        }
      ],
      "title": "HTTP/2 rapid reset can cause excessive work in net/http"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2023-39325",
    "datePublished": "2023-10-11T21:15:02.727Z",
    "dateReserved": "2023-07-27T17:05:55.188Z",
    "dateUpdated": "2024-08-02T18:02:06.746Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted