SB2023120535 - Multiple vulnerabilities in Red Hat Integration - Service Registry 2.5


Published: December 5, 2023 Updated: December 6, 2024

Security Bulletin ID SB2023120535
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

High 20%, Medium 60%, Low 20%

Description

This security bulletin contains information about 5 security vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2023-44487)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper control of consumption of internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.
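Because Rapid Reset abuses legitimate protocol behaviour (opening a stream and immediately cancelling it), the useful signal for a defender is the rate at which a single connection cancels freshly opened streams. The following is an added example, not code from the bulletin or from Red Hat, of a sliding-window detector run over a constructed per-connection HTTP/2 frame log. The log line format (`<seconds> <conn_id> <frame_type> <stream_id>`), the thresholds and the sample connections are all assumptions for illustration.

```python
"""Added example (not part of the bulletin): a rate-based detector for the
HTTP/2 "Rapid Reset" pattern, run over constructed per-connection frame logs.
Log line format is an assumption: "<seconds> <conn_id> <frame_type> <stream_id>"."""
from collections import defaultdict, deque


def parse_line(line):
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)


def detect_rapid_reset(lines, window=1.0, threshold=100, reset_within=0.1):
    """Flag connections that cancel at least `threshold` freshly opened streams
    within any `window` seconds. A cancel counts as "rapid" when RST_STREAM
    arrives within `reset_within` seconds of the HEADERS frame that opened the
    stream. The defaults are illustrative tuning values, not vendor guidance.
    Returns {conn_id: timestamp at which the connection crossed the threshold}."""
    opened_at = defaultdict(dict)      # conn -> {stream_id: HEADERS timestamp}
    rapid_resets = defaultdict(deque)  # conn -> timestamps of rapid resets in the window
    flagged = {}
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, conn, frame, stream = parse_line(line)
        if frame == "HEADERS":
            opened_at[conn][stream] = ts
        elif frame == "RST_STREAM":
            started = opened_at[conn].pop(stream, None)
            if started is None or ts - started > reset_within:
                continue  # unknown or long-lived stream: an ordinary cancel
            q = rapid_resets[conn]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # slide the window forward
            if len(q) >= threshold and conn not in flagged:
                flagged[conn] = ts
    return flagged


def make_stream_log(conn, pairs, start, gap, reset_delay):
    """Constructed log: `pairs` streams opened `gap` seconds apart, each reset
    `reset_delay` seconds after it was opened."""
    lines = []
    for i in range(pairs):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        t = start + i * gap
        lines.append(f"{t:.4f} {conn} HEADERS {sid}")
        lines.append(f"{t + reset_delay:.4f} {conn} RST_STREAM {sid}")
    return lines


# Constructed sample: c1 opens and resets 150 streams in 0.3 s, c2 is a client
# cancelling a handful of requests, c3 opens many streams but cancels them slowly.
SAMPLE_LOG = (
    make_stream_log("c1", 150, 0.0, 0.002, 0.001)
    + make_stream_log("c2", 20, 0.0, 0.05, 0.05)
    + make_stream_log("c3", 150, 0.0, 0.002, 0.5)
)

if __name__ == "__main__":
    print(detect_rapid_reset(SAMPLE_LOG))  # flags only c1
```

Counting only resets that follow their HEADERS frame within a short interval is what separates the pattern from a busy but well-behaved client; c3 opens just as many streams as c1 and is not flagged. In production the same logic would consume the server's HTTP/2 frame log or a reverse proxy's stream metrics, and the threshold would be tuned against observed client behaviour.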


2) Security features bypass (CVE-ID: CVE-2023-4853)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists because the HTTP security policies do not correctly sanitize certain character permutations, which may result in incorrect evaluation of permissions. A remote attacker can bypass the security policy altogether and gain unauthorized access to endpoints or perform a denial of service (DoS) attack.
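The general lesson behind this class of bug is that a path-based permission policy must be evaluated on one canonical spelling of the request path, not on whatever bytes the client sent. The following is an added example, not code from the bulletin, from Quarkus or from Red Hat, showing a naive prefix matcher beside a hardened one. The policy, role names and request paths are constructed; the specific permutations behind CVE-2023-4853 are not described in the bulletin, and this canonicalization is generic hardening rather than the vendor's fix.

```python
"""Added example (not part of the bulletin): evaluating a path-based HTTP
permission policy on a canonicalized path instead of the raw request path.
Policy and request paths are constructed; this is generic hardening, not the
vendor's fix for CVE-2023-4853."""
import posixpath
from urllib.parse import unquote

# Constructed policy: paths under /admin require the "admin" role; all else is public.
PROTECTED = {"/admin": {"admin"}}


def canonicalize(path):
    """Reduce a request path to one canonical spelling before matching:
    percent-decode until stable (collapses double encoding), collapse duplicate
    slashes, resolve '.' and '..' segments, and drop a trailing slash."""
    decoded = path
    for _ in range(3):  # bounded loop: stop once decoding changes nothing
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Strip leading slashes and re-add exactly one: posixpath.normpath keeps a
    # leading '//' as-is (POSIX allows it), which would defeat the collapse.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def naive_allows(path, roles):
    """Weak pattern: prefix-match the raw path as received."""
    for prefix, required in PROTECTED.items():
        if path.startswith(prefix):
            return bool(required & roles)
    return True


def hardened_allows(path, roles):
    """Match the canonical path, and only on segment boundaries so that
    '/adminx' is not treated as part of '/admin'."""
    canon = canonicalize(path)
    for prefix, required in PROTECTED.items():
        if canon == prefix or canon.startswith(prefix + "/"):
            return bool(required & roles)
    return True


if __name__ == "__main__":
    for p in ("/admin/users", "//admin/users", "/public/../admin", "/adminx"):
        print(f"{p:20} naive={naive_allows(p, set())!s:5} hardened={hardened_allows(p, set())}")
```

The regression checks a defender wants here are the ones in the test below: every alternative spelling of a protected path must resolve to the same decision as the plain spelling, and the canonicalizer must be applied before, not after, the policy lookup.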


3) Resource exhaustion (CVE-ID: CVE-2023-34462)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources if no idle timeout handler was configured. A remote attacker can send a client hello packet, which leads the server to buffer up to 16MB of data per connection and results in a denial of service condition.


4) Resource exhaustion (CVE-ID: CVE-2023-34455)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


5) Cleartext transmission of sensitive information (CVE-ID: CVE-2023-1584)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because Quarkus OIDC can leak both ID and access tokens in the authorization code flow when the insecure HTTP protocol is used. A remote attacker can gain access to potentially sensitive information.
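The exposure only arises when the authorization code flow is reachable over cleartext HTTP, so a configuration review can catch it before a patch is even applied. The following is an added example, not code from the bulletin or from Red Hat, of a small linter for a Quarkus `application.properties` file. The property names (`quarkus.oidc.auth-server-url`, `quarkus.oidc.application-type`, `quarkus.http.insecure-requests`) are real Quarkus settings; the sample files and the finding texts are constructed.

```python
"""Added example (not part of the bulletin): a linter for a Quarkus
application.properties file that flags the cleartext-HTTP conditions under
which the OIDC authorization code flow would hand tokens to the browser over
plain HTTP. Sample configurations are constructed."""


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_oidc_transport(text):
    """Return a list of findings; an empty list means no cleartext exposure found."""
    props = parse_properties(text)
    findings = []
    url = props.get("quarkus.oidc.auth-server-url", "")
    if url and not url.lower().startswith("https://"):
        findings.append(f"quarkus.oidc.auth-server-url is not https: {url}")
    # Only the web-app type uses the authorization code flow, in which tokens
    # travel through browser redirects; the Quarkus default type is "service".
    if props.get("quarkus.oidc.application-type", "service") == "web-app":
        # Quarkus accepts plain HTTP by default ("enabled"); "redirect" or
        # "disabled" keeps the whole flow on TLS.
        mode = props.get("quarkus.http.insecure-requests", "enabled")
        if mode not in ("redirect", "disabled"):
            findings.append(
                "web-app OIDC flow reachable over plain HTTP "
                f"(quarkus.http.insecure-requests={mode})"
            )
    return findings


# Constructed weak configuration: HTTP issuer URL and cleartext listener accepted.
WEAK_CONFIG = """\
# constructed sample, not a real deployment
quarkus.oidc.auth-server-url=http://sso.internal.example/realms/registry
quarkus.oidc.client-id=registry-client
quarkus.oidc.application-type=web-app
quarkus.http.insecure-requests=enabled
"""

# Constructed hardened configuration: TLS issuer URL, plain HTTP redirected to HTTPS.
HARDENED_CONFIG = """\
# constructed sample, not a real deployment
quarkus.oidc.auth-server-url=https://sso.internal.example/realms/registry
quarkus.oidc.client-id=registry-client
quarkus.oidc.application-type=web-app
quarkus.http.insecure-requests=redirect
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_oidc_transport(cfg) or "no findings")
```

Note that omitting `quarkus.http.insecure-requests` altogether is treated as a finding for a `web-app` deployment, because the framework's default accepts plain HTTP; the linter reports the effective value rather than only what is written in the file.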


Remediation

Install the update from the vendor's website.