RHSA-2023%3A6836
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift4/ose-cluster-kube-descheduler-operator@sha256:8626dc3e14019a3a725caabdd48a2093bf8eb77d611906740e8b632ebdee8bb1_ppc64le as a component of Red Hat OpenShift Container Platform 4.14 | *, *, openshift4/ose-cluster-kube-descheduler-operator@sha256:8626dc3e14019a3a725caabdd48a2093bf8eb77d611906740e8b632ebdee8bb1_ppc64le |
| Red Hat | openshift4/ose-local-storage-diskmaker@sha256:95dcbca8e66386855535982a924da3193e4c0d4067eb7dd6faf8238a1559bce7_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-local-storage-diskmaker@sha256:95dcbca8e66386855535982a924da3193e4c0d4067eb7dd6faf8238a1559bce7_arm64, *, openshift4/ose-local-storage-diskmaker@sha256:95dcbca8e66386855535982a924da3193e4c0d4067eb7dd6faf8238a1559bce7_arm64 |
| Red Hat | openshift4/ose-egress-dns-proxy@sha256:43e07a5d4da8403ed0263c31a0b837c7d1b4ab3270bf8411b5e5f46c46ddcec1_amd64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-egress-dns-proxy@sha256:43e07a5d4da8403ed0263c31a0b837c7d1b4ab3270bf8411b5e5f46c46ddcec1_amd64, *, openshift4/ose-egress-dns-proxy@sha256:43e07a5d4da8403ed0263c31a0b837c7d1b4ab3270bf8411b5e5f46c46ddcec1_amd64 |
| Red Hat | openshift4/ose-egress-http-proxy@sha256:ab11a583762aae8858f566e43e420a2c2062a02468ee8f6044b8aae10fa86ca5_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | *, *, openshift4/ose-egress-http-proxy@sha256:ab11a583762aae8858f566e43e420a2c2062a02468ee8f6044b8aae10fa86ca5_arm64 |
| Red Hat | openshift-tech-preview/metallb-rhel8@sha256:e71bef803bd0f6c70bc364ab12b142d0d49ce235a03191ad90434fadfcec6492_amd64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift-tech-preview/metallb-rhel8@sha256:e71bef803bd0f6c70bc364ab12b142d0d49ce235a03191ad90434fadfcec6492_amd64, *, openshift-tech-preview/metallb-rhel8@sha256:e71bef803bd0f6c70bc364ab12b142d0d49ce235a03191ad90434fadfcec6492_amd64 |
| Red Hat | openshift4/ptp-must-gather-rhel8@sha256:22d36a1d85496bdbb0941488b31597cbb66920f4a4bf7234d82da2030be0dbe9_ppc64le as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ptp-must-gather-rhel8@sha256:22d36a1d85496bdbb0941488b31597cbb66920f4a4bf7234d82da2030be0dbe9_ppc64le, *, * |
| Red Hat | openshift4/ose-secrets-store-csi-mustgather-rhel8@sha256:aa5014aacef767ab7dc963afce78089cea19015c7175a67cfdea42bbd3fdab25_ppc64le as a component of Red Hat OpenShift Container Platform 4.14 | *, openshift4/ose-secrets-store-csi-mustgather-rhel8@sha256:aa5014aacef767ab7dc963afce78089cea19015c7175a67cfdea42bbd3fdab25_ppc64le, openshift4/ose-secrets-store-csi-mustgather-rhel8@sha256:aa5014aacef767ab7dc963afce78089cea19015c7175a67cfdea42bbd3fdab25_ppc64le |
| Red Hat | openshift4/ose-clusterresourceoverride-rhel8-operator@sha256:b522da40066a38358ae80ba851d33c8044d332cab5678ef6d73b6cfcbf97d091_s390x as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-clusterresourceoverride-rhel8-operator@sha256:b522da40066a38358ae80ba851d33c8044d332cab5678ef6d73b6cfcbf97d091_s390x, *, openshift4/ose-clusterresourceoverride-rhel8-operator@sha256:b522da40066a38358ae80ba851d33c8044d332cab5678ef6d73b6cfcbf97d091_s390x |
| Red Hat | openshift4/frr-rhel9@sha256:c0cd52c58233244545c4552fd6406a95f84aee286bec95b84f4168fca2f8bb6b_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | *, openshift4/frr-rhel9@sha256:c0cd52c58233244545c4552fd6406a95f84aee286bec95b84f4168fca2f8bb6b_arm64, openshift4/frr-rhel9@sha256:c0cd52c58233244545c4552fd6406a95f84aee286bec95b84f4168fca2f8bb6b_arm64 |
| Red Hat | openshift4/ose-sriov-network-config-daemon@sha256:107ff7faf7a5ec8be028cc3cd7a97861b16052db17fbd1e65ef04cb47caef840_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | *, openshift4/ose-sriov-network-config-daemon@sha256:107ff7faf7a5ec8be028cc3cd7a97861b16052db17fbd1e65ef04cb47caef840_arm64, openshift4/ose-sriov-network-config-daemon@sha256:107ff7faf7a5ec8be028cc3cd7a97861b16052db17fbd1e65ef04cb47caef840_arm64 |
| Red Hat | openshift4/ose-secrets-store-csi-mustgather-rhel8@sha256:bc86899f4cc73ea62314c07e7a8d89a24a95d7f46ce73df196717e5a9d78985c_amd64 as a component of Red Hat OpenShift Container Platform 4.14 | *, *, * |
| Red Hat | openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:0a6ba836f37d836976b9b556e61a3032a9f69de5fec680f36b74a7dd08a9bc60_ppc64le as a component of Red Hat OpenShift Container Platform 4.14 | *, *, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:0a6ba836f37d836976b9b556e61a3032a9f69de5fec680f36b74a7dd08a9bc60_ppc64le |
| Red Hat | openshift4/ose-gcp-filestore-csi-driver-rhel8-operator@sha256:0083db645ed823cde46239b53962b215c8399cb4d90c88819477be37caff244a_amd64 as a component of Red Hat OpenShift Container Platform 4.14 | *, openshift4/ose-gcp-filestore-csi-driver-rhel8-operator@sha256:0083db645ed823cde46239b53962b215c8399cb4d90c88819477be37caff244a_amd64, openshift4/ose-gcp-filestore-csi-driver-rhel8-operator@sha256:0083db645ed823cde46239b53962b215c8399cb4d90c88819477be37caff244a_amd64 |
| Red Hat | openshift4/ose-egress-http-proxy@sha256:bfef29aaf3e7e26bccbf580ff9707afcd29a9e2c55097a9d4a80d833de5cfb77_amd64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-egress-http-proxy@sha256:bfef29aaf3e7e26bccbf580ff9707afcd29a9e2c55097a9d4a80d833de5cfb77_amd64, *, * |
| Red Hat | openshift4/ose-sriov-network-webhook@sha256:e99b7322d383c5650a6d4abfb29f352d6b03e3af850003a36d24c7e376ec9cb7_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-sriov-network-webhook@sha256:e99b7322d383c5650a6d4abfb29f352d6b03e3af850003a36d24c7e376ec9cb7_arm64, openshift4/ose-sriov-network-webhook@sha256:e99b7322d383c5650a6d4abfb29f352d6b03e3af850003a36d24c7e376ec9cb7_arm64, openshift4/ose-sriov-network-webhook@sha256:e99b7322d383c5650a6d4abfb29f352d6b03e3af850003a36d24c7e376ec9cb7_arm64 |
| Red Hat | openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:ced23c3517cf99f649b4f04597c83f21a2b1f4fca07cff4aa491de3f4dd84755_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:ced23c3517cf99f649b4f04597c83f21a2b1f4fca07cff4aa491de3f4dd84755_arm64, openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:ced23c3517cf99f649b4f04597c83f21a2b1f4fca07cff4aa491de3f4dd84755_arm64, openshift4/ose-kubernetes-nmstate-handler-rhel9@sha256:ced23c3517cf99f649b4f04597c83f21a2b1f4fca07cff4aa491de3f4dd84755_arm64 |
| Red Hat | openshift4/ose-operator-sdk-rhel8@sha256:18a82f86d5e71a948adb10ce6060556a1462689b6e364adbe1130226efcc3a0e_s390x as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-operator-sdk-rhel8@sha256:18a82f86d5e71a948adb10ce6060556a1462689b6e364adbe1130226efcc3a0e_s390x, openshift4/ose-operator-sdk-rhel8@sha256:18a82f86d5e71a948adb10ce6060556a1462689b6e364adbe1130226efcc3a0e_s390x, openshift4/ose-operator-sdk-rhel8@sha256:18a82f86d5e71a948adb10ce6060556a1462689b6e364adbe1130226efcc3a0e_s390x |
| Red Hat | openshift4/ose-ansible-operator@sha256:57b0a07d7ef87f6e9416bf92c223d2847f4d40bec9c2cf970012a56975fd5fd5_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/ose-ansible-operator@sha256:57b0a07d7ef87f6e9416bf92c223d2847f4d40bec9c2cf970012a56975fd5fd5_arm64, *, openshift4/ose-ansible-operator@sha256:57b0a07d7ef87f6e9416bf92c223d2847f4d40bec9c2cf970012a56975fd5fd5_arm64 |
| Red Hat | openshift4/ose-sriov-network-operator@sha256:c7a82735ca99ff96f0c38da5704919558b0ef481cae0f040cdebc3b839aed5ca_arm64 as a component of Red Hat OpenShift Container Platform 4.14 | *, openshift4/ose-sriov-network-operator@sha256:c7a82735ca99ff96f0c38da5704919558b0ef481cae0f040cdebc3b839aed5ca_arm64, * |
| Red Hat | openshift4/kubernetes-nmstate-rhel9-operator@sha256:c1261865e7909fb968058ae01058ccf861d42e25a5635f5e72415b6efc189c77_amd64 as a component of Red Hat OpenShift Container Platform 4.14 | openshift4/kubernetes-nmstate-rhel9-operator@sha256:c1261865e7909fb968058ae01058ccf861d42e25a5635f5e72415b6efc189c77_amd64, openshift4/kubernetes-nmstate-rhel9-operator@sha256:c1261865e7909fb968058ae01058ccf861d42e25a5635f5e72415b6efc189c77_amd64, openshift4/kubernetes-nmstate-rhel9-operator@sha256:c1261865e7909fb968058ae01058ccf861d42e25a5635f5e72415b6efc189c77_amd64 |
…and 347 more
Timeline
- Nov 15, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 21, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:6836 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2242803 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=2243296 issue
- https://issues.redhat.com/browse/OCPBUGS-19440 advisory
- https://issues.redhat.com/browse/OCPBUGS-22313 advisory
- https://issues.redhat.com/browse/OCPBUGS-22904 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6836.json advisory
- https://access.redhat.com/security/cve/CVE-2023-39325 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-39325 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-39325 advisory
- https://access.redhat.com/security/cve/CVE-2023-44487 advisory
- https://go.dev/issue/63417 advisory
- https://pkg.go.dev/vuln/GO-2023-2102 advisory
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-44487 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487 advisory
- https://github.com/dotnet/announcements/issues/277 advisory
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ advisory
…and 1 more