RHSA-2023%3A5801
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages. Security Bulletin https://access.redhat.com/security/vulnerabilities/RHSB-2023-003
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | mtr/mtr-web-executor-container-rhel8@sha256:f138323dcffc5d4386decaf6fdcd4c059348a5c8ce3d6392c94dc7a40440ee3d_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-executor-container-rhel8@sha256:f138323dcffc5d4386decaf6fdcd4c059348a5c8ce3d6392c94dc7a40440ee3d_s390x |
| Red Hat | mtr/mtr-web-executor-container-rhel8@sha256:f5f48da94ab95be7c2b7642610af860d5bbcda300445f691d0139c2b1e23de84_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-executor-container-rhel8@sha256:f5f48da94ab95be7c2b7642610af860d5bbcda300445f691d0139c2b1e23de84_ppc64le |
| Red Hat | mtr/mtr-rhel8-operator@sha256:71ce5cfaf6f39e242599df08643c9512c5af0a316a3b19b45c6042154c68d236_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-rhel8-operator@sha256:71ce5cfaf6f39e242599df08643c9512c5af0a316a3b19b45c6042154c68d236_ppc64le |
| Red Hat | mtr/mtr-operator-bundle@sha256:a168c9110fd01e0615e62e16408688599d65dece68d5965547b50be3072bde7b_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-operator-bundle@sha256:a168c9110fd01e0615e62e16408688599d65dece68d5965547b50be3072bde7b_ppc64le |
| Red Hat | mtr/mtr-operator-bundle@sha256:60acebf53444e65bab7e216838cd9da49928fed27db24d75f5d1a244993f42dd_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-operator-bundle@sha256:60acebf53444e65bab7e216838cd9da49928fed27db24d75f5d1a244993f42dd_amd64 |
| Red Hat | mtr/mtr-operator-bundle@sha256:ed8fe2d3313cea2435357cce660cc933260d3a254e66575aa8d9e6edd44531eb_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-operator-bundle@sha256:ed8fe2d3313cea2435357cce660cc933260d3a254e66575aa8d9e6edd44531eb_arm64 |
| Red Hat | mtr/mtr-rhel8-operator@sha256:93c10589ddcd6d5ac5a910474806ce55d7ed798c10ce8e7c430d22291f11b72b_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-rhel8-operator@sha256:93c10589ddcd6d5ac5a910474806ce55d7ed798c10ce8e7c430d22291f11b72b_s390x |
| Red Hat | mtr/mtr-web-container-rhel8@sha256:801e00ff1c5aa1f2dd140b448e0d39210b2ed608306777d98959afe0b77ac0cf_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-container-rhel8@sha256:801e00ff1c5aa1f2dd140b448e0d39210b2ed608306777d98959afe0b77ac0cf_ppc64le |
| Red Hat | mtr/mtr-web-container-rhel8@sha256:c7348032abd6194e7fb47e63e1f00db706c20ebee4edba53746da6d3c40f166d_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-container-rhel8@sha256:c7348032abd6194e7fb47e63e1f00db706c20ebee4edba53746da6d3c40f166d_s390x |
| Red Hat | mtr/mtr-web-executor-container-rhel8@sha256:5b39504feb5073935afc16220e297e85a1a7287f482c89b4227ef0b9b7f7f355_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-executor-container-rhel8@sha256:5b39504feb5073935afc16220e297e85a1a7287f482c89b4227ef0b9b7f7f355_arm64 |
| Red Hat | mtr/mtr-operator-bundle@sha256:ed8fe2d3313cea2435357cce660cc933260d3a254e66575aa8d9e6edd44531eb_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | * |
| Red Hat | mtr/mtr-rhel8-operator@sha256:74dbf338ddb1772ad6dba53c0fa185cfe4d8d8973210d67b7662d3406b26c3a6_arm64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-rhel8-operator@sha256:74dbf338ddb1772ad6dba53c0fa185cfe4d8d8973210d67b7662d3406b26c3a6_arm64 |
| Red Hat | mtr/mtr-rhel8-operator@sha256:71ce5cfaf6f39e242599df08643c9512c5af0a316a3b19b45c6042154c68d236_ppc64le as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | * |
| Red Hat | mtr/mtr-operator-bundle@sha256:60acebf53444e65bab7e216838cd9da49928fed27db24d75f5d1a244993f42dd_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-operator-bundle@sha256:60acebf53444e65bab7e216838cd9da49928fed27db24d75f5d1a244993f42dd_amd64 |
| Red Hat | mtr/mtr-web-container-rhel8@sha256:c7348032abd6194e7fb47e63e1f00db706c20ebee4edba53746da6d3c40f166d_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-container-rhel8@sha256:c7348032abd6194e7fb47e63e1f00db706c20ebee4edba53746da6d3c40f166d_s390x |
| Red Hat | mtr/mtr-web-container-rhel8@sha256:d3ef4e55145f7c1d8ba413b5a57292eec0a98b0279a430ec6e09bcd7ae9b6fc6_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-container-rhel8@sha256:d3ef4e55145f7c1d8ba413b5a57292eec0a98b0279a430ec6e09bcd7ae9b6fc6_amd64 |
| Red Hat | mtr/mtr-rhel8-operator@sha256:e01ce6a876935bf298a0820199aa7b462a99b7c48680da6aa3e7c113446d5d88_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-rhel8-operator@sha256:e01ce6a876935bf298a0820199aa7b462a99b7c48680da6aa3e7c113446d5d88_amd64 |
| Red Hat | mtr/mtr-web-executor-container-rhel8@sha256:9a8218e8ad59ef78011343e70d61b4c0b3e3eaa2ddb9470cce87102698b986a5_amd64 as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-executor-container-rhel8@sha256:9a8218e8ad59ef78011343e70d61b4c0b3e3eaa2ddb9470cce87102698b986a5_amd64 |
| Red Hat | mtr/mtr-operator-bundle@sha256:879263f1412ce4ebd224728713b5f353a3aff3130b052718d6cb6d763513ab85_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-operator-bundle@sha256:879263f1412ce4ebd224728713b5f353a3aff3130b052718d6cb6d763513ab85_s390x |
| Red Hat | mtr/mtr-web-executor-container-rhel8@sha256:f138323dcffc5d4386decaf6fdcd4c059348a5c8ce3d6392c94dc7a40440ee3d_s390x as a component of Migration Toolkit for Runtimes 1 on RHEL 8 | mtr/mtr-web-executor-container-rhel8@sha256:f138323dcffc5d4386decaf6fdcd4c059348a5c8ce3d6392c94dc7a40440ee3d_s390x |
…and 10 more
Timeline
- Oct 17, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 30, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:5801 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_5801.json advisory
- https://access.redhat.com/security/cve/CVE-2023-44487 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-44487 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487 advisory
- https://github.com/dotnet/announcements/issues/277 advisory
- https://pkg.go.dev/vuln/GO-2023-2102 advisory
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 advisory
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog exploit