RHBA-2023%3A6863
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | lvms4/lvms-must-gather-rhel9@sha256:e21c0af48138064f6904e2fb459b76239c9f3e1dffddac5dfc55e0f38eea5559_amd64 as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-must-gather-rhel9@sha256:e21c0af48138064f6904e2fb459b76239c9f3e1dffddac5dfc55e0f38eea5559_amd64, lvms4/lvms-must-gather-rhel9@sha256:e21c0af48138064f6904e2fb459b76239c9f3e1dffddac5dfc55e0f38eea5559_amd64, lvms4/lvms-must-gather-rhel9@sha256:e21c0af48138064f6904e2fb459b76239c9f3e1dffddac5dfc55e0f38eea5559_amd64 |
| Red Hat | lvms4/lvms-must-gather-rhel9@sha256:bfaee17835e1411c3e916e992a510641d2ddaaa2a4a85243b6f27fec541eae3a_ppc64le as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-must-gather-rhel9@sha256:bfaee17835e1411c3e916e992a510641d2ddaaa2a4a85243b6f27fec541eae3a_ppc64le, lvms4/lvms-must-gather-rhel9@sha256:bfaee17835e1411c3e916e992a510641d2ddaaa2a4a85243b6f27fec541eae3a_ppc64le, lvms4/lvms-must-gather-rhel9@sha256:bfaee17835e1411c3e916e992a510641d2ddaaa2a4a85243b6f27fec541eae3a_ppc64le |
| Red Hat | lvms4/lvms-rhel9-operator@sha256:9c47279574868a772f7d14d9de8da670df5101287a5486347b9bd00586e78c17_ppc64le as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-rhel9-operator@sha256:9c47279574868a772f7d14d9de8da670df5101287a5486347b9bd00586e78c17_ppc64le, *, lvms4/lvms-rhel9-operator@sha256:9c47279574868a772f7d14d9de8da670df5101287a5486347b9bd00586e78c17_ppc64le |
| golang | net/http | |
| Red Hat | lvms4/lvms-operator-bundle@sha256:b67d52a00937fb779cc98c18c1d8d21797363b19b6f4da04c1df0508698ac7cd_amd64 as a component of LVMS 4.14 for RHEL 9 | *, lvms4/lvms-operator-bundle@sha256:b67d52a00937fb779cc98c18c1d8d21797363b19b6f4da04c1df0508698ac7cd_amd64, lvms4/lvms-operator-bundle@sha256:b67d52a00937fb779cc98c18c1d8d21797363b19b6f4da04c1df0508698ac7cd_amd64 |
| Red Hat | lvms4/lvms-operator-bundle@sha256:b67d52a00937fb779cc98c18c1d8d21797363b19b6f4da04c1df0508698ac7cd_amd64 as a component of LVMS 4.14 for RHEL 9 | *, lvms4/lvms-operator-bundle@sha256:b67d52a00937fb779cc98c18c1d8d21797363b19b6f4da04c1df0508698ac7cd_amd64, lvms4/lvms-operator-bundle@sha256:b67d52a00937fb779cc98c18c1d8d21797363b19b6f4da04c1df0508698ac7cd_amd64 |
| Red Hat | lvms4/topolvm-rhel9@sha256:e97314d049510baa9d1021ac848f0826be1310cc870e6bd57aa3ef41cf8a0cc4_amd64 as a component of LVMS 4.14 for RHEL 9 | lvms4/topolvm-rhel9@sha256:e97314d049510baa9d1021ac848f0826be1310cc870e6bd57aa3ef41cf8a0cc4_amd64, lvms4/topolvm-rhel9@sha256:e97314d049510baa9d1021ac848f0826be1310cc870e6bd57aa3ef41cf8a0cc4_amd64, * |
| Red Hat | lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x as a component of LVMS 4.14 for RHEL 9 | lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x, lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x, lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x |
| Red Hat | lvms4/topolvm-rhel9@sha256:edb27e93b14212d79c959a1a325310d31496f53fac846049393f25ea18ec1349_ppc64le as a component of LVMS 4.14 for RHEL 9 | lvms4/topolvm-rhel9@sha256:edb27e93b14212d79c959a1a325310d31496f53fac846049393f25ea18ec1349_ppc64le, lvms4/topolvm-rhel9@sha256:edb27e93b14212d79c959a1a325310d31496f53fac846049393f25ea18ec1349_ppc64le, lvms4/topolvm-rhel9@sha256:edb27e93b14212d79c959a1a325310d31496f53fac846049393f25ea18ec1349_ppc64le |
| Red Hat | lvms4/topolvm-rhel9@sha256:e97314d049510baa9d1021ac848f0826be1310cc870e6bd57aa3ef41cf8a0cc4_amd64 as a component of LVMS 4.14 for RHEL 9 | lvms4/topolvm-rhel9@sha256:e97314d049510baa9d1021ac848f0826be1310cc870e6bd57aa3ef41cf8a0cc4_amd64, *, * |
| Red Hat | lvms4/topolvm-rhel9@sha256:0897e589f2dd003f58e09ce1fef3288cc3f682a24096f0991b3dfdd217ff5c34_arm64 as a component of LVMS 4.14 for RHEL 9 | *, *, * |
| Red Hat | lvms4/lvms-must-gather-rhel9@sha256:3abc7f735860ae910e9fcd5d1e419af66911ebd6a502ad85c2e2753536749cdb_s390x as a component of LVMS 4.14 for RHEL 9 | *, *, lvms4/lvms-must-gather-rhel9@sha256:3abc7f735860ae910e9fcd5d1e419af66911ebd6a502ad85c2e2753536749cdb_s390x |
| Red Hat | lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x as a component of LVMS 4.14 for RHEL 9 | lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x, *, lvms4/topolvm-rhel9@sha256:cd9546b5a46c6e36327a972f26938d8cdc734649d61ed02648eed33dd29d9633_s390x |
| Red Hat | lvms4/lvms-operator-bundle@sha256:8f9e651d7cbfd546991f05a5e05ac8331fbd5ec676f227e12bb13f2f4fd670d3_s390x as a component of LVMS 4.14 for RHEL 9 | *, lvms4/lvms-operator-bundle@sha256:8f9e651d7cbfd546991f05a5e05ac8331fbd5ec676f227e12bb13f2f4fd670d3_s390x, * |
| Red Hat | lvms4/lvms-rhel9-operator@sha256:9c47279574868a772f7d14d9de8da670df5101287a5486347b9bd00586e78c17_ppc64le as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-rhel9-operator@sha256:9c47279574868a772f7d14d9de8da670df5101287a5486347b9bd00586e78c17_ppc64le, *, lvms4/lvms-rhel9-operator@sha256:9c47279574868a772f7d14d9de8da670df5101287a5486347b9bd00586e78c17_ppc64le |
| Red Hat | lvms4/lvms-operator-bundle@sha256:c683e4da500bbb8753b184e43377bf7525fb6ffb20750a6695973025d3bce221_ppc64le as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-operator-bundle@sha256:c683e4da500bbb8753b184e43377bf7525fb6ffb20750a6695973025d3bce221_ppc64le, lvms4/lvms-operator-bundle@sha256:c683e4da500bbb8753b184e43377bf7525fb6ffb20750a6695973025d3bce221_ppc64le, * |
| Red Hat | lvms4/lvms-must-gather-rhel9@sha256:3abc7f735860ae910e9fcd5d1e419af66911ebd6a502ad85c2e2753536749cdb_s390x as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-must-gather-rhel9@sha256:3abc7f735860ae910e9fcd5d1e419af66911ebd6a502ad85c2e2753536749cdb_s390x, *, * |
| Red Hat | lvms4/lvms-must-gather-rhel9@sha256:a83ab3e4e4174243bba1fbe96052ec8a5f0c4c5f74d8ecb04f5647796736f348_arm64 as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-must-gather-rhel9@sha256:a83ab3e4e4174243bba1fbe96052ec8a5f0c4c5f74d8ecb04f5647796736f348_arm64, lvms4/lvms-must-gather-rhel9@sha256:a83ab3e4e4174243bba1fbe96052ec8a5f0c4c5f74d8ecb04f5647796736f348_arm64, lvms4/lvms-must-gather-rhel9@sha256:a83ab3e4e4174243bba1fbe96052ec8a5f0c4c5f74d8ecb04f5647796736f348_arm64 |
| golang | go | |
| Red Hat | lvms4/lvms-rhel9-operator@sha256:a3cdbde1cbc51deb706c99935de6737bda7ef1b4f54fc3ba59a18696285c9a6c_amd64 as a component of LVMS 4.14 for RHEL 9 | lvms4/lvms-rhel9-operator@sha256:a3cdbde1cbc51deb706c99935de6737bda7ef1b4f54fc3ba59a18696285c9a6c_amd64, lvms4/lvms-rhel9-operator@sha256:a3cdbde1cbc51deb706c99935de6737bda7ef1b4f54fc3ba59a18696285c9a6c_amd64, lvms4/lvms-rhel9-operator@sha256:a3cdbde1cbc51deb706c99935de6737bda7ef1b4f54fc3ba59a18696285c9a6c_amd64 |
…and 14 more
Timeline
- Nov 9, 2023 CVE Published
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Jun 19, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHBA-2023:6863 advisory
- https://issues.redhat.com/browse/OCPBUGS-17180 advisory
- https://issues.redhat.com/browse/OCPEDGE-591 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhba-2023_6863.json advisory
- https://access.redhat.com/security/cve/CVE-2023-39325 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2243296 issue
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-39325 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-39325 advisory
- https://access.redhat.com/security/cve/CVE-2023-44487 advisory
- https://go.dev/issue/63417 advisory
- https://pkg.go.dev/vuln/GO-2023-2102 advisory
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803 issue
- https://www.cve.org/CVERecord?id=CVE-2023-44487 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487 advisory
- https://github.com/dotnet/announcements/issues/277 advisory
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog exploit