CVE-2024-4438 was recently published, alerting users of the Red Hat OpenStack Platform to a serious issue in its etcd package. The package is still vulnerable to the Rapid Reset attack, even though a fix for CVE-2023-39325 and CVE-2023-44487 was released. The vulnerability arises because the etcd package in the Red Hat OpenStack Platform is built against an outdated copy of the golang.org/x/net/http2 dependency, which means the true fix needs to address this dependency at compile time. Given the critical nature of this issue, we urge all users of the affected systems to take immediate action.

The Rapid Reset attack (CVE-2023-39325 and CVE-2023-44487)

The Rapid Reset vulnerability is a security issue that allows an attacker to conduct denial-of-service attacks by exploiting the way affected servers handle rapid resets of HTTP/2 streams. Essentially, the attacker can overwhelm the target server by opening requests and immediately resetting them, over and over. Original references for this attack can be found at:

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39325
2. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487

The incomplete fix in the etcd package

While the fix for Rapid Reset was released for Red Hat Enterprise Linux as a whole, the etcd package distributed with the Red Hat OpenStack Platform uses its own version of the golang.org/x/net/http2 dependency instead of the one provided by Red Hat Enterprise Linux. This is the crux of the issue, as it means the fix has not been applied to the etcd package.

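Here's an example code snippet to illustrate the problem:

// Vulnerable etcd package
package main

import (
    "log"
    "net/http"

    "golang.org/x/net/http2" // This line imports the vulnerable library; its version is fixed when the binary is built
)

func main() {
    server := &http.Server{}
    // ...
    // HTTP/2 is served by whichever golang.org/x/net/http2 version was compiled in
    if err := http2.ConfigureServer(server, &http2.Server{}); err != nil {
        log.Fatal(err)
    }
    // ...
}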

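It should be noted that the fix must be applied at the time of compilation, which is a crucial aspect often overlooked. Go compiles its dependencies into the resulting binary, so updating the library elsewhere on the system does not change an etcd binary that has already been built; the package has to be rebuilt against the fixed golang.org/x/net/http2.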

Users of the Red Hat OpenStack Platform should take the following actions as soon as possible:

1. Update the etcd package to the latest version available from Red Hat, which should have the necessary fixes applied.
2. Ensure that all future installations or updates of the etcd package use the modified version of the etcd package that properly implements the fix.

The recommended solution can be found in the Red Hat Bugzilla report. It provides the necessary instructions to locate and install the updated etcd package.
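Because the fix lives inside the compiled binary, it helps to confirm which golang.org/x/net version a given etcd binary was actually built with. The following is an added example (not Red Hat's or etcd's code) that reads the module list Go embeds in a binary via debug/buildinfo; the sample module list, the example.test paths and the v0.2.0 threshold are constructed, and the real fixed version must be taken from the vendor advisory and passed on the command line.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

var sampleDeps = []*debug.Module{ // constructed sample, not from a real etcd build
	{Path: "golang.org/x/net", Version: "v0.0.0-20200101000000-abcdefabcdef"},
	{Path: "example.test/lib", Version: "v1.0.0", Replace: &debug.Module{Path: "example.test/fork", Version: "v1.4.2"}},
}

// linkedVersion returns the module version compiled in, honouring replace directives.
func linkedVersion(deps []*debug.Module, module string) (string, bool) {
	for _, d := range deps {
		if d.Path == module && d.Replace != nil {
			return d.Replace.Version, true
		} else if d.Path == module {
			return d.Version, true
		}
	}
	return "", false
}

// olderThan compares vMAJOR.MINOR.PATCH numerically; unparsable input such as "(devel)" counts as 0.0.0.
func olderThan(have, fixed string) bool {
	var h, f [3]int
	fmt.Sscanf(strings.TrimPrefix(have, "v"), "%d.%d.%d", &h[0], &h[1], &h[2])
	fmt.Sscanf(strings.TrimPrefix(fixed, "v"), "%d.%d.%d", &f[0], &f[1], &f[2])
	if h != f {
		return h[0] < f[0] || h[0] == f[0] && (h[1] < f[1] || h[1] == f[1] && h[2] < f[2])
	}
	// Same core version: a pseudo-version or pre-release sorts before the plain release.
	return strings.Contains(have, "-") && !strings.Contains(fixed, "-")
}

func main() {
	deps, module, fixed := sampleDeps, "golang.org/x/net", "v0.2.0" // constructed defaults
	if len(os.Args) == 4 { // args: <binary> <module> <fixed version from the vendor advisory>
		info, err := buildinfo.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		deps, module, fixed = info.Deps, os.Args[2], os.Args[3]
	}
	v, ok := linkedVersion(deps, module)
	fmt.Printf("%s: linked=%v version=%q outdated=%v\n", module, ok, v, ok && olderThan(v, fixed))
}
```

The same embedded module list can be printed with `go version -m <binary>`.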

Conclusion

CVE-2024-4438 is a critical security issue that requires urgent attention from users of the Red Hat OpenStack Platform. By ensuring the correct version of the etcd package is installed and addressing the issue at compile time, one can effectively mitigate the risks posed by this vulnerability.

Timeline

Published on: 05/08/2024 09:15:09 UTC
Last modified on: 06/04/2024 17:54:33 UTC