operatorfabric-core icon indicating copy to clipboard operation
operatorfabric-core copied to clipboard

Published 20 hours ago verified publisher icon opfab

CVE-2023-44487 (High) detected in netty-codec-http2-4.1.96.Final.jar, armeria-1.25.2.jar

Open mend-bolt-for-github[bot] opened this issue 2 years ago • 0 comments

CVE-2023-44487 - High Severity Vulnerability

Vulnerable Libraries - netty-codec-http2-4.1.96.Final.jar, armeria-1.25.2.jar

netty-codec-http2-4.1.96.Final.jar

Library home page: https://netty.io/

Path to dependency file: /src/test/api/karate/karateTests.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.96.Final/cc8baf4ff67c1bcc0cde60bc5c2bb9447d92d9e6/netty-codec-http2-4.1.96.Final.jar

Dependency Hierarchy:

  • karate-junit5-1.4.1.jar (Root Library)
    • karate-core-1.4.1.jar
      • armeria-1.25.2.jar
        • :x: netty-codec-http2-4.1.96.Final.jar (Vulnerable Library)
armeria-1.25.2.jar

Asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)

Library home page: https://armeria.dev/

Path to dependency file: /src/test/api/karate/karateTests.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.25.2/f0fc50faf4caaa6954ed1735744e30e66a679a4e/armeria-1.25.2.jar

Dependency Hierarchy:

  • karate-junit5-1.4.1.jar (Root Library)
    • karate-core-1.4.1.jar
      • :x: armeria-1.25.2.jar (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] avatar Oct 11 '23 09:10 mend-bolt-for-github[bot]