RHSA-2023%3A7602
A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as 'Important' as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit. CVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift4/ose-sriov-network-webhook@sha256:390e4d22aa8c1fc05bfd2b4c80790896aff863f32aa98eb822852c8af01e9e25_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | *, *, * |
| Red Hat | openshift4/ose-egress-dns-proxy@sha256:e6c238ac6ce7c41c4ddcf1af529973e9c25146e01451980b167f151906e6feb9_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | *, *, openshift4/ose-egress-dns-proxy@sha256:e6c238ac6ce7c41c4ddcf1af529973e9c25146e01451980b167f151906e6feb9_amd64 |
| Red Hat | openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:3cdde61014e85721fe8c657d7ce835da41917f373fa11d3bdcfc923272fd64c8_arm64 as a component of Red Hat OpenShift Container Platform 4.13 | *, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:3cdde61014e85721fe8c657d7ce835da41917f373fa11d3bdcfc923272fd64c8_arm64, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:3cdde61014e85721fe8c657d7ce835da41917f373fa11d3bdcfc923272fd64c8_arm64 |
| Red Hat | openshift4/ose-sriov-network-operator@sha256:b4f17c82dace3b04ee6fefe772aad5c5238be1e7f19fa627e35f05e8f44a7734_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | *, *, * |
| Red Hat | openshift4/ose-sriov-dp-admission-controller@sha256:1a24b512d3611d1c318b47c703cbfe3d4005bc3c6dd6139a78075979ad3dcdd4_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-dp-admission-controller@sha256:1a24b512d3611d1c318b47c703cbfe3d4005bc3c6dd6139a78075979ad3dcdd4_amd64, *, openshift4/ose-sriov-dp-admission-controller@sha256:1a24b512d3611d1c318b47c703cbfe3d4005bc3c6dd6139a78075979ad3dcdd4_amd64 |
| Red Hat | openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:5fd316b3d9d7d48567cbbb856f6dabb9a3971ce87ca403146ef51b7a79695965_s390x as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:5fd316b3d9d7d48567cbbb856f6dabb9a3971ce87ca403146ef51b7a79695965_s390x, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:5fd316b3d9d7d48567cbbb856f6dabb9a3971ce87ca403146ef51b7a79695965_s390x, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:5fd316b3d9d7d48567cbbb856f6dabb9a3971ce87ca403146ef51b7a79695965_s390x |
| Red Hat | openshift4/ose-sriov-network-config-daemon@sha256:3c250a78235ea5ceae8826047cd4b52e29b6922c1d939041b8c8e907ffd95291_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | *, *, openshift4/ose-sriov-network-config-daemon@sha256:3c250a78235ea5ceae8826047cd4b52e29b6922c1d939041b8c8e907ffd95291_amd64 |
| Red Hat | openshift4/ose-egress-dns-proxy@sha256:6c19b0efdbaa0249e1c5a4cf22ecaec1733fac97c914a34a2558d870ad6d4a98_s390x as a component of Red Hat OpenShift Container Platform 4.13 | *, *, openshift4/ose-egress-dns-proxy@sha256:6c19b0efdbaa0249e1c5a4cf22ecaec1733fac97c914a34a2558d870ad6d4a98_s390x |
| Red Hat | openshift4/ose-sriov-network-webhook@sha256:d37a1d918d24d132879c7d4e2aa26438bd7a609f7f19370f24800f44a8186446_ppc64le as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-network-webhook@sha256:d37a1d918d24d132879c7d4e2aa26438bd7a609f7f19370f24800f44a8186446_ppc64le, *, * |
| Red Hat | openshift4/ose-sriov-network-webhook@sha256:d37a1d918d24d132879c7d4e2aa26438bd7a609f7f19370f24800f44a8186446_ppc64le as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-network-webhook@sha256:d37a1d918d24d132879c7d4e2aa26438bd7a609f7f19370f24800f44a8186446_ppc64le, *, * |
| Red Hat | openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:97980eeba34e1639af0abfbbcff93fa3d06cb3df3b09ae3f7e042f86e75f109b_ppc64le as a component of Red Hat OpenShift Container Platform 4.13 | *, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:97980eeba34e1639af0abfbbcff93fa3d06cb3df3b09ae3f7e042f86e75f109b_ppc64le, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:97980eeba34e1639af0abfbbcff93fa3d06cb3df3b09ae3f7e042f86e75f109b_ppc64le |
| Red Hat | openshift4/ose-sriov-network-config-daemon@sha256:ddb16b814c5699dd1aaed537c4dca85fcef43a3effd95c63630b16d6f031b84b_arm64 as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-network-config-daemon@sha256:ddb16b814c5699dd1aaed537c4dca85fcef43a3effd95c63630b16d6f031b84b_arm64, openshift4/ose-sriov-network-config-daemon@sha256:ddb16b814c5699dd1aaed537c4dca85fcef43a3effd95c63630b16d6f031b84b_arm64, * |
| Red Hat | openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:5fd316b3d9d7d48567cbbb856f6dabb9a3971ce87ca403146ef51b7a79695965_s390x as a component of Red Hat OpenShift Container Platform 4.13 | *, openshift4/ose-openshift-proxy-pull-test-rhel8@sha256:5fd316b3d9d7d48567cbbb856f6dabb9a3971ce87ca403146ef51b7a79695965_s390x, * |
| Red Hat | openshift4/ose-egress-dns-proxy@sha256:e6c238ac6ce7c41c4ddcf1af529973e9c25146e01451980b167f151906e6feb9_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | *, *, * |
| Red Hat | openshift4/ose-sriov-dp-admission-controller@sha256:cb3daa4e346e3a87e1f95978c5602df689bbbbefcdb7d38879f6b007122037d4_arm64 as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-dp-admission-controller@sha256:cb3daa4e346e3a87e1f95978c5602df689bbbbefcdb7d38879f6b007122037d4_arm64, openshift4/ose-sriov-dp-admission-controller@sha256:cb3daa4e346e3a87e1f95978c5602df689bbbbefcdb7d38879f6b007122037d4_arm64, openshift4/ose-sriov-dp-admission-controller@sha256:cb3daa4e346e3a87e1f95978c5602df689bbbbefcdb7d38879f6b007122037d4_arm64 |
| Red Hat | openshift4/ose-sriov-network-webhook@sha256:4429e92de0a15010210fecca5dd57e6d3437b3c68d8598fc318facf8c519caa4_arm64 as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-network-webhook@sha256:4429e92de0a15010210fecca5dd57e6d3437b3c68d8598fc318facf8c519caa4_arm64, openshift4/ose-sriov-network-webhook@sha256:4429e92de0a15010210fecca5dd57e6d3437b3c68d8598fc318facf8c519caa4_arm64, openshift4/ose-sriov-network-webhook@sha256:4429e92de0a15010210fecca5dd57e6d3437b3c68d8598fc318facf8c519caa4_arm64 |
| Red Hat | openshift4/ose-egress-dns-proxy@sha256:5a1bbd8b982cb7845cc35ab4072fefa671294f9ba9c9beaed304e5965ef9aa5b_ppc64le as a component of Red Hat OpenShift Container Platform 4.13 | *, *, * |
| Red Hat | openshift4/ose-sriov-network-operator@sha256:b4f17c82dace3b04ee6fefe772aad5c5238be1e7f19fa627e35f05e8f44a7734_amd64 as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-network-operator@sha256:b4f17c82dace3b04ee6fefe772aad5c5238be1e7f19fa627e35f05e8f44a7734_amd64, *, * |
| Red Hat | openshift4/ose-sriov-network-config-daemon@sha256:bb98d675b56c7e929044db871e7243bc5da16e62ac8c3338b0b420e0dccbcdef_ppc64le as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-sriov-network-config-daemon@sha256:bb98d675b56c7e929044db871e7243bc5da16e62ac8c3338b0b420e0dccbcdef_ppc64le, *, openshift4/ose-sriov-network-config-daemon@sha256:bb98d675b56c7e929044db871e7243bc5da16e62ac8c3338b0b420e0dccbcdef_ppc64le |
| Red Hat | openshift4/ose-egress-dns-proxy@sha256:6c19b0efdbaa0249e1c5a4cf22ecaec1733fac97c914a34a2558d870ad6d4a98_s390x as a component of Red Hat OpenShift Container Platform 4.13 | openshift4/ose-egress-dns-proxy@sha256:6c19b0efdbaa0249e1c5a4cf22ecaec1733fac97c914a34a2558d870ad6d4a98_s390x, openshift4/ose-egress-dns-proxy@sha256:6c19b0efdbaa0249e1c5a4cf22ecaec1733fac97c914a34a2558d870ad6d4a98_s390x, openshift4/ose-egress-dns-proxy@sha256:6c19b0efdbaa0249e1c5a4cf22ecaec1733fac97c914a34a2558d870ad6d4a98_s390x |
…and 20 more
Timeline
- Dec 6, 2023 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 21, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2023:7602 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://access.redhat.com/security/vulnerabilities/RHSB-2023-003 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2243296 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_7602.json advisory
- https://access.redhat.com/security/cve/CVE-2023-39325 advisory
- https://www.cve.org/CVERecord?id=CVE-2023-39325 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2023-39325 advisory
- https://access.redhat.com/security/cve/CVE-2023-44487 advisory
- https://go.dev/issue/63417 advisory
- https://pkg.go.dev/vuln/GO-2023-2102 advisory
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487 advisory