Skip to content

CVE-2023-44487

High
lahabana published GHSA-9wmc-rg4h-28wv Oct 12, 2023

Package

kuma-cp,kuma-dp (binary)

Affected versions

2.4.2,2.3.2,2.2.3,2.1.7,2.0.7,v0.0.0-20231011150717-31fdd6e0f4c5

Patched versions

2.4.3,2.3.3,2.2.4,2.1.8,2.0.8,v0.0.0-20231011191432-9cb2b1238a41

Description

Impact

Envoy and Go HTTP/2 protocol stack is vulnerable to the "Rapid Reset" class of exploits, which send a sequence of HEADERS frames optionally followed by RST_STREAM frames.

This can be exercised if you use the builtin gateway and receive untrusted http2 traffic.

Patches

#8023
#8001
#8034

Workarounds

Disable http2 on the gateway listener with a MeshProxyPatch or ProxyTemplate.

References

GHSA-qppj-fm5r-hxr3
golang/go#63417
GHSA-jhv4-f7mr-xx76
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/?sf269548684=1
https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-44487

Weaknesses

No CWEs