RHSA-2023%3A6783
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| golang | ||
| Red Hat | workload-availability/node-remediation-console-rhel8@sha256:c4a6e43c9d96f8dbe743db5af83495d9350ef8ac45e3adbec0fbbc53db40502a_amd64 as a component of Node Healthcheck Operator 0.4 for RHEL 8 | workload-availability/node-remediation-console-rhel8@sha256:c4a6e43c9d96f8dbe743db5af83495d9350ef8ac45e3adbec0fbbc53db40502a_amd64, workload-availability/node-remediation-console-rhel8@sha256:c4a6e43c9d96f8dbe743db5af83495d9350ef8ac45e3adbec0fbbc53db40502a_amd64, * |
| Red Hat | workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64 as a component of Node Healthcheck Operator 0.4 for RHEL 8 | workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64, workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64, workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64 |
| Red Hat | workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64 as a component of Node Healthcheck Operator 0.4 for RHEL 8 | workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64, workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64, workload-availability/node-healthcheck-operator-bundle@sha256:151e7d9bc500b7252af46d0856e3e16559ff310a1d0efedcc5d914164bbdef55_amd64 |
| Red Hat | workload-availability/node-healthcheck-rhel8-operator@sha256:1e69fca94c72373f8034b4914e113e23e418f2c1b227d7ea0c8af3dcb63187a6_amd64 as a component of Node Healthcheck Operator 0.4 for RHEL 8 | *, workload-availability/node-healthcheck-rhel8-operator@sha256:1e69fca94c72373f8034b4914e113e23e418f2c1b227d7ea0c8af3dcb63187a6_amd64, workload-availability/node-healthcheck-rhel8-operator@sha256:1e69fca94c72373f8034b4914e113e23e418f2c1b227d7ea0c8af3dcb63187a6_amd64 |
| Red Hat | workload-availability/node-healthcheck-rhel8-operator@sha256:1e69fca94c72373f8034b4914e113e23e418f2c1b227d7ea0c8af3dcb63187a6_amd64 as a component of Node Healthcheck Operator 0.4 for RHEL 8 | *, *, workload-availability/node-healthcheck-rhel8-operator@sha256:1e69fca94c72373f8034b4914e113e23e418f2c1b227d7ea0c8af3dcb63187a6_amd64 |
| Red Hat | workload-availability/node-remediation-console-rhel8@sha256:c4a6e43c9d96f8dbe743db5af83495d9350ef8ac45e3adbec0fbbc53db40502a_amd64 as a component of Node Healthcheck Operator 0.4 for RHEL 8 | *, *, * |
Timeline
- Nov 8, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 21, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:6783 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2243296 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6783.json advisory
- https://access.redhat.com/security/cve/CVE-2023-39325 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-39325 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-39325 advisory
- https://access.redhat.com/security/cve/CVE-2023-44487 advisory
- https://go.dev/issue/63417 advisory
- https://pkg.go.dev/vuln/GO-2023-2102 advisory
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-44487 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487 advisory
- https://github.com/dotnet/announcements/issues/277 advisory
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog exploit