RHSA-2023:6251
Vulnerability from csaf_redhat - Published: 2023-11-01 16:14 - Updated: 2026-02-15 19:05
Summary
Red Hat Security Advisory: OpenShift Virtualization 4.11.7 Images security and bug fix update
Notes
Topic
Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.
This advisory contains OpenShift Virtualization 4.11.7 images.
Security Fix(es):
* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)
* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* 4.11.7 containers (BZ#2246329)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenShift Virtualization is Red Hat\u0027s virtualization solution designed for Red Hat OpenShift Container Platform.\n\nThis advisory contains OpenShift Virtualization 4.11.7 images.\n\nSecurity Fix(es):\n\n* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)\n\n* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)\n\n* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* 4.11.7 containers (BZ#2246329)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6251",
"url": "https://access.redhat.com/errata/RHSA-2023:6251"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "2178358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358"
},
{
"category": "external",
"summary": "2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "2246329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2246329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6251.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Virtualization 4.11.7 Images security and bug fix update",
"tracking": {
"current_release_date": "2026-02-15T19:05:04+00:00",
"generator": {
"date": "2026-02-15T19:05:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.1"
}
},
"id": "RHSA-2023:6251",
"initial_release_date": "2023-11-01T16:14:42+00:00",
"revision_history": [
{
"date": "2023-11-01T16:14:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-11-01T16:14:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-02-15T19:05:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CNV 4.11 for RHEL 8",
"product": {
"name": "CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:container_native_virtualization:4.11::el8"
}
}
}
],
"category": "product_family",
"name": "OpenShift Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"product": {
"name": "container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"product_id": "container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"product_identification_helper": {
"purl": "pkg:oci/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/checkup-framework\u0026tag=v4.11.7-5"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"product": {
"name": "container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"product_id": "container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"product_identification_helper": {
"purl": "pkg:oci/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/hostpath-csi-driver\u0026tag=v4.11.7-5"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"product": {
"name": "container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"product_id": "container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"product_identification_helper": {
"purl": "pkg:oci/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/hostpath-csi-driver-rhel8\u0026tag=v4.11.7-5"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"product_id": "container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-console-plugin\u0026tag=v4.11.7-7"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-copy-template\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-create-datavolume\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-operator\u0026tag=v4.11.7-6"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"product": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"product_id": "container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status\u0026tag=v4.11.7-12"
}
}
},
{
"category": "product_version",
"name": "container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64",
"product": {
"name": "container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64",
"product_id": "container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8?arch=amd64\u0026repository_url=registry.redhat.io/container-native-virtualization/vm-network-latency-checkup\u0026tag=v4.11.7-5"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64"
},
"product_reference": "container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64"
},
"product_reference": "container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64"
},
"product_reference": "container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64"
},
"product_reference": "container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64 as a component of CNV 4.11 for RHEL 8",
"product_id": "8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
},
"product_reference": "container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64",
"relates_to_product_reference": "8Base-CNV-4.11"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Philippe Antoine"
],
"organization": "Catena Cyber"
}
],
"cve": "CVE-2022-41723",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-03-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2178358"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in golang. A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of requests.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Within OpenShift Container Platform, the maximum impact of this vulnerability is a denial of service against an individual container so the impact could not cascade across the entire infrastructure, this vulnerability is rated Moderate impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-41723"
},
{
"category": "external",
"summary": "RHBZ#2178358",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178358"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-41723",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41723"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41723"
},
{
"category": "external",
"summary": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h",
"url": "https://github.com/advisories/GHSA-vvpx-j8f3-3w6h"
},
{
"category": "external",
"summary": "https://go.dev/cl/468135",
"url": "https://go.dev/cl/468135"
},
{
"category": "external",
"summary": "https://go.dev/cl/468295",
"url": "https://go.dev/cl/468295"
},
{
"category": "external",
"summary": "https://go.dev/issue/57855",
"url": "https://go.dev/issue/57855"
},
{
"category": "external",
"summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
"url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-1571",
"url": "https://pkg.go.dev/vuln/GO-2023-1571"
},
{
"category": "external",
"summary": "https://vuln.go.dev/ID/GO-2023-1571.json",
"url": "https://vuln.go.dev/ID/GO-2023-1571.json"
}
],
"release_date": "2023-02-17T14:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-01T16:14:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6251"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding"
},
{
"cve": "CVE-2023-39325",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-10T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2243296"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the `Rapid Reset Attack` in the Go language packages.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This CVE is related to CVE-2023-44487.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize the Golang package as a build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nAs Go vendors its dependencies, a package may contain a library with a known vulnerability solely because lower-tier libraries include it as a part of their dependencies, while the vulnerable code is not reachable at runtime. In such cases the issue is not exploitable. We classify these situations as \u201cNot affected\u201d or \u201cWill not fix,\u201d depending on the risk of breaking other unrelated packages.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
],
"known_not_affected": [
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-39325"
},
{
"category": "external",
"summary": "RHBZ#2243296",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2243296"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39325"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2023-44487",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://go.dev/issue/63417",
"url": "https://go.dev/issue/63417"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-01T16:14:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6251"
},
{
"category": "workaround",
"details": "The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)"
},
{
"cve": "CVE-2023-44487",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2023-10-09T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242803"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption. Red Hat has rated the severity of this flaw as \u0027Important\u0027 as the US Cybersecurity and Infrastructure Security Agency (CISA) declared this vulnerability an active exploit.\r\n\r\nCVE-2023-39325 was assigned for the Rapid Reset Attack in the Go language packages.\r\n\r\nSecurity Bulletin\r\nhttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive.\n\nThe majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize the Golang package as a build-time dependency, which is why they are classified as having a \"Moderate\" level of impact.\n\nThe rhc component is no longer impacted by CVE-2023-44487 \u0026 CVE-2023-39325.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64"
],
"known_not_affected": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-44487"
},
{
"category": "external",
"summary": "RHBZ#2242803",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242803"
},
{
"category": "external",
"summary": "RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44487"
},
{
"category": "external",
"summary": "https://github.com/dotnet/announcements/issues/277",
"url": "https://github.com/dotnet/announcements/issues/277"
},
{
"category": "external",
"summary": "https://pkg.go.dev/vuln/GO-2023-2102",
"url": "https://pkg.go.dev/vuln/GO-2023-2102"
},
{
"category": "external",
"summary": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487",
"url": "https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487"
},
{
"category": "external",
"summary": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/",
"url": "https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2023-10-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-01T16:14:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6251"
},
{
"category": "workaround",
"details": "Users are strongly urged to update their software as soon as fixes are available. \nThere are several mitigation approaches for this flaw. \n\n1. If circumstances permit, users may disable HTTP/2 endpoints to circumvent the flaw altogether until a fix is available.\n2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.\n3. Several package-specific mitigations are also available. \n a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/\n b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p\n c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\n d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg\n e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.",
"product_ids": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-CNV-4.11:container-native-virtualization/checkup-framework@sha256:7a9443d47b8f954670ff3a8f0196f26a3a7bb4b16d2c3469a22d01172f31fc26_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver-rhel8@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/hostpath-csi-driver@sha256:20488cf9f269a34be9a3d82e04a28b598b26be0a495f51a47a8dba02f7e9d974_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-console-plugin@sha256:3ff40d3759ea6c50aeb143a5aff6f798611267452eb8111361ef9e0a89260bf5_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-cleanup-vm@sha256:8c7d9751d790df2471a9e8606afcb2880b800ec713a089b2a801df247a0f3fec_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-copy-template@sha256:f4b0b6daf093a75fcd8d4cc61496a316f86899e8ce4217e9f761def5f9d0e794_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-datavolume@sha256:33a16329639f805c0d75a0ed6fe699755938f602230104715c0ad3b545aaf7fa_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-create-vm-from-template@sha256:caed594ab506d7cf550130d927b68bdcfb3707b8464f2d18da468d9b884c3017_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-customize@sha256:4980e6eeadf62bedffff98982f0f5b5e426b0ab01867057dba027e87f9557ce4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-disk-virt-sysprep@sha256:254f671bc0443d32ba60cfafa4ed4592c2030270b160c1e7b1d302d797bd9a82_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-modify-vm-template@sha256:69ceb3d47f3c8c32abcca8ec5ad7ebce42ce64e8200f77c1b829c2cb5495c478_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-operator@sha256:ec2ac2bedd9f14ff0fbdfe3844d67f1361d59eb379ef6dfcd0fa5727635bdea4_amd64",
"8Base-CNV-4.11:container-native-virtualization/kubevirt-tekton-tasks-wait-for-vmi-status@sha256:a1fac42b6bf868c20ad974a0409cd62e68be20ea9e4ca5ff4ebc211bb9dc85ab_amd64",
"8Base-CNV-4.11:container-native-virtualization/vm-network-latency-checkup@sha256:9d28ad64ab3d2858ce9b1144a77816cc1ae07f53b37599fc24609a9429c0a0b8_amd64"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2023-10-10T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)"
}
]
}