Security
Headlines
HeadlinesLatestCVEs

Headline

Debian Security Advisory 5522-2

Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.

Packet Storm
#linux#debian

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Debian Security Advisory DSA-5522-2 [email protected]
https://www.debian.org/security/ Markus Koschany
October 12, 2023 https://www.debian.org/security/faq


Package : tomcat9
CVE ID : CVE-2023-44487
Debian Bug : 1053820

The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and
caused a regression when using asynchronous I/O (the default for NIO and NIO2).
DATA frames must be included when calculating the HTTP/2 overhead count to
ensure that connections are not prematurely terminated.

For the oldstable distribution (bullseye), this problem has been fixed
in version 9.0.43-2~deb11u8.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmUoVnpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTdbw/+O6hd6miJKAJtK7QqgsstFL9TdqVLv8cLsOli5tobVkH+G00iXk6umG7E
dzE7xekBXhR3rT/3rFw9AdJAl4wdiy7JySZGVfWWP+vLpBfnXX4tmIy8hCaoFc2d
/IarTTfW9TZ+R166cB16m9UGPNP9beYqvx+kuuQlF4CRV/WWLGcpnZ/hiWb656BW
BBsCh5Ig0BkBOundI44ofcWR2S/+4VQw0tNMEChqOJBkgNSVSD/IO/ia0n4Zy2so
NvWVi7FMAE8xNz1afsjwY9opJXCAHZSKJjzVU9qRPNmwsdJMExP26E73cmSObSZo
cUV95wFA6SFKoo5fWn5WSeC4BVGlXr0jrgE0kQy7NzPBM2KLmsB0l917ejdquHIy
CFoNSmdX+mFJgmvBgtnvR1tFa2VgLZFMROYFSCf39XzBF0XmfiqVc5ejEy6yZRtg
T9a8tA6yux8kzwC7aw+ZFfBfhmRcDt9m3hDlJO39ex7NP8Df9Wk++Jh2bIjj96LQ
FH12q5zr4Dnyk2pG29MJbAgyCtYJrYubJR3XY97UhSva6uBOa92GYLjXjJVfcBQA
UZ7vL2vIlwXF+7b/Xihb9mRAepPCKkHwROUGiFvVXnXNiNYUg84BZ1GhBTFo4M/G
hoyYeUc8HrreGPsGY5dLoTwOqH6hUVnYbcLjwNV885FnH6Ccz78=tl0s
-----END PGP SIGNATURE-----

Related news

Gentoo Linux Security Advisory 202408-10

Gentoo Linux Security Advisory 202408-10 - Multiple vulnerabilities have been discovered in nghttp2, the worst of which could lead to a denial of service. Versions greater than or equal to 1.61.0 are affected.

Red Hat Security Advisory 2024-1458-03

Red Hat Security Advisory 2024-1458-03 - Red Hat OpenShift Container Platform release 4.14.18 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-0485-03

Red Hat Security Advisory 2024-0485-03 - Red Hat OpenShift Container Platform release 4.12.48 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2023-7608-03

Red Hat Security Advisory 2023-7608-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2023-7481-01

Red Hat Security Advisory 2023-7481-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7288-01

Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.

Red Hat Security Advisory 2023-6233-01

Red Hat Security Advisory 2023-6233-01 - Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6202-01

Red Hat Security Advisory 2023-6202-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.8 General Availability release images, which provide security updates and fix bugs. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6105-01

Red Hat Security Advisory 2023-6105-01 - An update is now available for Red Hat JBoss Core Services. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6048-01

Red Hat Security Advisory 2023-6048-01 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5982-01

Red Hat Security Advisory 2023-5982-01 - An update for foreman_ygg_worker, puppet-agent, qpid-proton, and yggdrasil is now available for Satellite Client 6 for RHEL 6, Satellite Client 6 for RHEL 7, Satellite Client 6 for RHEL 8, and Satellite Client 6 for RHEL 9. Issues addressed include code execution and denial of service vulnerabilities.

Red Hat Security Advisory 2023-5974-01

Red Hat Security Advisory 2023-5974-01 - An update for network-observability-console-plugin-container, network-observability-ebpf-agent-container, network-observability-flowlogs-pipeline-container, network-observability-operator-bundle-container, and network-observability-operator-container is now available for NETWORK-OBSERVABILITY-1.4.0-RHEL-9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5973-01

Red Hat Security Advisory 2023-5973-01 - Red Hat AMQ Streams 2.5.1 is now available from the Red Hat Customer Portal. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5715-01

Red Hat Security Advisory 2023-5715-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5712-01

Red Hat Security Advisory 2023-5712-01 - An update for the nginx:1.20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5952-01

Red Hat Security Advisory 2023-5952-01 - An update is now available for Red Hat OpenShift Service Mesh 2.4 for RHEL 8.

Red Hat Security Advisory 2023-5946-01

Red Hat Security Advisory 2023-5946-01 - Red Hat AMQ Broker 7.11.3 is now available from the Red Hat Customer Portal. Issues addressed include denial of service and open redirection vulnerabilities.

Red Hat Security Advisory 2023-5929-01

Red Hat Security Advisory 2023-5929-01 - An update for tomcat is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5869-01

Red Hat Security Advisory 2023-5869-01 - An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5851-01

Red Hat Security Advisory 2023-5851-01 - Updated images are now available for Red Hat Advanced Cluster Security (RHACS). The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5850-01

Red Hat Security Advisory 2023-5850-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5838-01

Red Hat Security Advisory 2023-5838-01 - libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5810-01

Red Hat Security Advisory 2023-5810-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Red Hat Security Advisory 2023-5805-01

Red Hat Security Advisory 2023-5805-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5801-01

Red Hat Security Advisory 2023-5801-01 - Migration Toolkit for Runtimes 1.2.1 Images. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5783-01

Red Hat Security Advisory 2023-5783-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5710-01

Red Hat Security Advisory 2023-5710-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5522-3

Debian Linux Security Advisory 5522-3 - A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.

Red Hat Security Advisory 2023-5770-01

Red Hat Security Advisory 2023-5770-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5768-01

Red Hat Security Advisory 2023-5768-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5765-01

Red Hat Security Advisory 2023-5765-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5714-01

Red Hat Security Advisory 2023-5714-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5713-01

Red Hat Security Advisory 2023-5713-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5708-01

Red Hat Security Advisory 2023-5708-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.

Top resources for Cybersecurity Awareness Month

Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.

What to know about the HTTP/2 Rapid Reset DDoS attacks

Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future.  CVE-2023-44487 CVE-2023-44487, a vulnerability in the

CVE-2023-39325: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) · Issue #63417 · golang/go

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see ...

Debian Security Advisory 5522-1

Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

By Deeba Ahmed Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day. This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two

GHSA-qppj-fm5r-hxr3: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack

swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487,

CVE-2023-44487: CVE-2023-44487 - HTTP/2 Rapid Reset Attack

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution