Bug 2244707 (CVE-2023-7250, ESNET-SECADV-2023-0002)

Summary: CVE-2023-7250 iperf3: possible denial of service
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: dbodnarc
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: iperf-3.15
Doc Text:
A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service.
Bug Depends On: 2244708    
Bug Blocks: 2244706    

Description Robb Gatica 2023-10-17 21:57:14 UTC
Reference: http://localhost:5600/static/?#/asm_ticket/102084

Original advisory details: Jorge Sancho Larraz discovered that iperf3 did not properly manage certain inputs, which could cause the server process to stop responding, waiting for input on the control connection. A remote attacker could possibly use this issue to cause a denial of service. (LP: #2038654)
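
Added illustration (not iperf3's code and not part of this bug record): a minimal loopback server that reads a length-prefixed control message the way the advisory describes. With no deadline on the read, a client that sends fewer bytes than its header promises and then simply keeps the connection open wedges the server in recv(); the same reader with a timeout on the control socket, plus a cap on the declared length, turns that input into a prompt, logged failure. The 4-byte length prefix, MAX_LEN, the 0.3 s timeout and the watchdog are assumptions for the example, not iperf3's real wire format or the 3.15 fix.

```python
import socket
import struct
import threading

# Constructed wire format for this illustration only: a 4-byte big-endian
# length prefix followed by that many payload bytes. iperf3's real control
# exchange differs; what is reproduced here is the "read exactly N bytes from
# the control connection" pattern the advisory describes.
HDR = struct.Struct("!I")
MAX_LEN = 64 * 1024  # assumed cap on a declared payload length


def recv_exact(conn, n):
    """Read exactly n bytes from conn or raise ConnectionError on EOF.

    On a socket with no timeout this loop blocks for as long as the peer keeps
    the connection open without sending the rest: that is the hang described
    in the advisory, and a single-connection server serves nobody meanwhile.
    """
    buf = bytearray()
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)}/{n} bytes")
        buf.extend(chunk)
    return bytes(buf)


def read_control_message(conn, timeout=None):
    """Read one length-prefixed message.

    timeout=None is the unbounded (vulnerable) form. A positive timeout puts a
    deadline on every recv(), so a short message fails fast instead of wedging
    the server; the MAX_LEN check rejects absurd declared lengths up front.
    """
    conn.settimeout(timeout)
    try:
        (length,) = HDR.unpack(recv_exact(conn, HDR.size))
        if length > MAX_LEN:
            raise ValueError(f"declared length {length} exceeds {MAX_LEN}")
        return recv_exact(conn, length)
    except socket.timeout as exc:
        raise TimeoutError("control message incomplete before deadline") from exc


def simulate(client_bytes, timeout, watchdog=1.0):
    """Run a one-connection loopback server, send client_bytes, and then keep
    the client socket open and silent (the malicious or malfunctioning client).

    Returns ("ok", payload), ("timeout", msg), ("error", msg), or the string
    "hung" if the server is still blocked in recv() after `watchdog` seconds.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = []

    def server():
        conn, _ = listener.accept()
        with conn:
            try:
                result.append(("ok", read_control_message(conn, timeout)))
            except TimeoutError as exc:
                result.append(("timeout", str(exc)))
            except (ConnectionError, ValueError) as exc:
                result.append(("error", str(exc)))

    worker = threading.Thread(target=server, daemon=True)
    worker.start()
    client = socket.create_connection(listener.getsockname())
    client.sendall(client_bytes)
    worker.join(watchdog)           # client deliberately stays open and quiet
    outcome = result[0] if result else "hung"
    client.close()                  # EOF releases a hung server, if any
    worker.join(watchdog)
    listener.close()
    return outcome


def demo():
    full = HDR.pack(32) + b"x" * 32
    short = full[:14]               # header promises 32 bytes, only 10 arrive
    return {
        "complete, no deadline": simulate(full, timeout=None),
        "short, no deadline": simulate(short, timeout=None),
        "short, 0.3s deadline": simulate(short, timeout=0.3),
        "oversized length, 0.3s deadline": simulate(HDR.pack(MAX_LEN + 1), timeout=0.3),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running the script shows the complete message being accepted, the short message with no deadline still blocking the server when the watchdog fires, and the same short message being rejected within 0.3 s once the socket has a timeout. The deadline is the relevant mitigation for this bug class: a bound on how long the server waits for the rest of a control message, so one quiet client cannot hold the server for everyone else.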

Comment 1 Robb Gatica 2023-10-17 21:57:30 UTC
Created iperf3 tracking bugs for this issue:

Affects: fedora-all [bug 2244708]