Bug 2279365 (CVE-2024-4438) - CVE-2024-4438 etcd: Incomplete fix for CVE-2023-39325/CVE-2023-44487 in OpenStack Platform
Summary: CVE-2024-4438 etcd: Incomplete fix for CVE-2023-39325/CVE-2023-44487 in OpenS...
Keywords:
Status: NEW
Alias: CVE-2024-4438
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2279366 2279367 2279368
Blocks: 2279354
TreeView+ depends on / blocked
 
Reported: 2024-05-06 17:27 UTC by Marco Benatto
Modified: 2024-05-29 14:33 UTC (History)
9 users (show)

Fixed In Version: golang 1.21.3, golang 1.20.10
Doc Type: If docs needed, set a value
Doc Text:
The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487, known as Rapid Reset. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:3469 0 None None None 2024-05-29 14:33:03 UTC
Red Hat Product Errata RHSA-2024:2729 0 None None None 2024-05-22 20:39:06 UTC
Red Hat Product Errata RHSA-2024:3352 0 None None None 2024-05-23 15:26:16 UTC
Red Hat Product Errata RHSA-2024:3467 0 None None None 2024-05-29 13:30:50 UTC

Description Marco Benatto 2024-05-06 17:27:12 UTC
The etcd package distributed with Red Hat OpenStack platform has been identified to have an incomplete fix for CVE-2023-39325/CVE-2023-44487 (a.k.a Rapid Reset). This happens because the etcd package in Red Hat OpenStack platform is using the http://golang.org/x/net/http2 instead the one provided by the Red Hat Enterprise linux versions, meaning it should be updated at compile time instead.

Comment 2 errata-xmlrpc 2024-05-22 20:39:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2024:2729 https://access.redhat.com/errata/RHSA-2024:2729

Comment 3 errata-xmlrpc 2024-05-23 15:26:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2024:3352 https://access.redhat.com/errata/RHSA-2024:3352

Comment 4 errata-xmlrpc 2024-05-29 13:30:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2024:3467 https://access.redhat.com/errata/RHSA-2024:3467


Note You need to log in before you can comment on or make changes to this bug.