ID

VAR-202310-0175

CVE

CVE-2023-44487

TITLE

Red Hat Security Advisory 2023-6286-01

DESCRIPTION

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Description: Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Find out more about Data Grid 7.3.11 in the Release Notes [3]. It releases an updated versions of the Kernel Module Management bringing it to v1.1.2 As part of this it updates the following container images that constitute the Kernel Module Management Operator: kernel-module-management-signing kernel-module-management-operator kernel-module-management-worker kernel-module-management-hub-operator kernel-module-management-must-gather kernel-module-management-hub-operator-bundle kernel-module-management-operator-bundle Description: kernel module management is Red Hat's operator designed to load and manage out-of-tree kernel modules and device plugins for Red Hat OpenShift Container Platform. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-5540-1 security@debian.org https://www.debian.org/security/ Markus Koschany October 30, 2023 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : jetty9 CVE ID : CVE-2023-36478 CVE-2023-44487 Two remotely exploitable security vulnerabilities were discovered in Jetty 9, a Java based web server and servlet engine. The HTTP/2 protocol implementation did not sufficiently verify if HPACK header values exceed their size limit. This problem is also known as Rapid Reset Attack. For the oldstable distribution (bullseye), these problems have been fixed in version 9.4.50-4+deb11u1. For the stable distribution (bookworm), these problems have been fixed in version 9.4.50-4+deb12u2. We recommend that you upgrade your jetty9 packages. For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jetty9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmVABttfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7 UeTJ2g/9E8TKXU1Mko9WhumkvRQNsYxAM43L/gmYMRm4JEqhqpjHHZECJIOAVyxs uN0uE13T+JckplIAhfdsZgbmDDNjASyFWv9OfOdf2h4Y9ZhoXP22MXI2MjKb9MSH KfmPtX4S95UyF/Ty0kK17W63p4EvtNlcgRokx5yFpUF/rN72GXVx25W6WQ1pSHrJ ESJMqOr8d3Wn5/4yaPEunQrvPa4WkQSTv8nHAIxIenP3wiNuK2tZWN6GCAdbirQp MWt282W/ueGcRDq8UJB2tWkxqx8CNnqeIeh0LpaSZRbaf62DChtyj+5OnYyhwBTk 1mhwuveCFtNzRQyHRBrOrVWRAG43ktSyEYG90Il9iDchQROi0sJkQFVB0TXG6FnC hIFBcPw9VW5+7I+4gxexhpguq/SXZV9V9QH+jSeEBOgdKY/qX0farjElmhgFLRuS /weJAqnc9C6w4BB7gnE9ow4nbGqKqMEj1yoO8itMhCWBCaEIia0INpao7pfpf/9r KekLFoi6Gux0gqVMhhBw3latxW9zth93tNEeuuGb+kP/TDreBVkZnqrYVbtj49Wv IMX77Q8OB/TDQ8K5cEq05wcq59TIkAaVKGrP3sXsjbt4umbkjhbp8Oxv+chMOgPQ E8ThC0Q+lbZ4nth0vw2R93ObMfzlxZN2YJUqKf3aw/yAKd8YIys=CO/+ -----END PGP SIGNATURE----- . Description: Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. Description: nghttp2 contains the Hypertext Transfer Protocol version 2 (HTTP/2) client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. Security Fix(es): * tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487) A Red Hat Security Bulletin which addresses further details about this flaw is available in the References section. For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Description: The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. The following advisory data is extracted from: https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4631.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Dev Spaces 3.15.0 release Advisory ID: RHSA-2024:4631-03 Product: Red Hat OpenShift Dev Spaces Advisory URL: https://access.redhat.com/errata/RHSA-2024:4631 Issue date: 2024-07-18 Revision: 03 CVE Names: CVE-2022-3064 ==================================================================== Summary: Red Hat OpenShift Dev Spaces 3.15 has been released. All containers have been updated to include feature enhancements, bug fixes and CVE fixes. Following the Red Hat Product Security standards this update is rated as having a security impact of Important. The Common Vulnerability Scoring System (CVSS) base score is available for every fixed CVE in the references section. Description: Red Hat OpenShift Dev Spaces provides a cloud developer workspace server and a browser-based IDE built for teams and organizations. Dev Spaces runs in OpenShift and is well-suited for container-based development. The 3.15 release is based on Eclipse Che 7.88 and uses the DevWorkspace engine to provide support for workspaces based on devfile v2.1 and v2.2. Users still using the v1 standard should migrate as soon as possible. https://devfile.io/docs/2.2.0/migrating-to-devfile-v2 Dev Spaces releases support the latest two OpenShift 4 EUS releases. Users are expected to update to newer OpenShift releases in order to continue to get Dev Spaces updates. https://access.redhat.com/support/policy/updates/openshift#crw Solution: https://access.redhat.com/articles/11258 CVEs: CVE-2022-3064 References: https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.15/html/administration_guide/installing-devspaces https://access.redhat.com/security/cve/CVE-2022-3064 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-28948 https://access.redhat.com/security/cve/CVE-2022-46175 https://access.redhat.com/security/cve/CVE-2023-6378 https://access.redhat.com/security/cve/CVE-2023-39325 https://access.redhat.com/security/cve/CVE-2023-41080 https://access.redhat.com/security/cve/CVE-2023-44487 https://access.redhat.com/security/cve/CVE-2023-45288 https://access.redhat.com/security/cve/CVE-2023-45648 https://issues.redhat.com/browse/CRW-6593

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

EXTERNAL IDS

REFERENCES