RHSA-2023%3A7342
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64, *, openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64 |
| Red Hat | openshift4/performance-addon-operator-must-gather-rhel8@sha256:e97c352088a7f3871c9aa7fbd8647d02ad363223b8b35c5998371007847769dc_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | *, *, * |
| Red Hat | openshift4/numaresources-operator-bundle@sha256:05b1e4e5324742678c66e48cea3c99da88bba68da4831676dc801f2ef10b7aed_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | *, *, * |
| Red Hat | openshift4/cnf-tests-rhel8@sha256:5637e6e6e40323d008541078ae6a67462574b5e6368602d86f02a42d0e1bfa0d_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | *, openshift4/cnf-tests-rhel8@sha256:5637e6e6e40323d008541078ae6a67462574b5e6368602d86f02a42d0e1bfa0d_amd64, openshift4/cnf-tests-rhel8@sha256:5637e6e6e40323d008541078ae6a67462574b5e6368602d86f02a42d0e1bfa0d_amd64 |
| Red Hat | openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:8c9a3630bc8446387b1950a6bc33c4ed36ea80f76db659cc2b99dc644c92aeb9_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:8c9a3630bc8446387b1950a6bc33c4ed36ea80f76db659cc2b99dc644c92aeb9_amd64, *, openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:8c9a3630bc8446387b1950a6bc33c4ed36ea80f76db659cc2b99dc644c92aeb9_amd64 |
| Red Hat | openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64, openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64, openshift4/numaresources-rhel8-operator@sha256:2e68b9e4e95326112213b6efbd770dc20a95d080c32587c5c97575e783804087_amd64 |
| Red Hat | openshift4/numaresources-operator-bundle@sha256:05b1e4e5324742678c66e48cea3c99da88bba68da4831676dc801f2ef10b7aed_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/numaresources-operator-bundle@sha256:05b1e4e5324742678c66e48cea3c99da88bba68da4831676dc801f2ef10b7aed_amd64, openshift4/numaresources-operator-bundle@sha256:05b1e4e5324742678c66e48cea3c99da88bba68da4831676dc801f2ef10b7aed_amd64, * |
| Red Hat | openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:8c9a3630bc8446387b1950a6bc33c4ed36ea80f76db659cc2b99dc644c92aeb9_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:8c9a3630bc8446387b1950a6bc33c4ed36ea80f76db659cc2b99dc644c92aeb9_amd64, *, openshift4/noderesourcetopology-scheduler-container-rhel8@sha256:8c9a3630bc8446387b1950a6bc33c4ed36ea80f76db659cc2b99dc644c92aeb9_amd64 |
| Red Hat | openshift4/cnf-tests-rhel8@sha256:5637e6e6e40323d008541078ae6a67462574b5e6368602d86f02a42d0e1bfa0d_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/cnf-tests-rhel8@sha256:5637e6e6e40323d008541078ae6a67462574b5e6368602d86f02a42d0e1bfa0d_amd64, *, * |
| Red Hat | openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64, *, openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64 |
| Red Hat | openshift4/noderesourcetopology-scheduler-container-rhel8 | |
| Red Hat | openshift4/performance-addon-operator-must-gather-rhel8@sha256:e97c352088a7f3871c9aa7fbd8647d02ad363223b8b35c5998371007847769dc_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/performance-addon-operator-must-gather-rhel8@sha256:e97c352088a7f3871c9aa7fbd8647d02ad363223b8b35c5998371007847769dc_amd64, *, openshift4/performance-addon-operator-must-gather-rhel8@sha256:e97c352088a7f3871c9aa7fbd8647d02ad363223b8b35c5998371007847769dc_amd64 |
| Red Hat | openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64 as a component of Red Hat OpenShift Container Platform 4.11 | openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64, openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64, openshift4/dpdk-base-rhel8@sha256:d7d6971682fb69eef049afcb96d9df2013be45bce34737d9acac52a8c401a1e8_amd64 |
Timeline
- Nov 16, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 21, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:7342 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2243296 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7342.json advisory
- https://access.redhat.com/security/cve/CVE-2023-39325 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-39325 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-39325 advisory
- https://access.redhat.com/security/cve/CVE-2023-44487 advisory
- https://go.dev/issue/63417 advisory
- https://pkg.go.dev/vuln/GO-2023-2102 advisory
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 advisory