NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

Remediation

Upgrade Ubuntu:18.04 expat to version 2.2.5-3ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-25236
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• http://packetstormsecurity.com/files/167238/Zoom-XMPP-Stanza-Smuggling-Remote-Code-Execution.html
• http://www.openwall.com/lists/oss-security/2022/02/19/1
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/561
• https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• https://security.gentoo.org/glsa/202209-24
• https://security.netapp.com/advisory/ntap-20220303-0008/
• https://www.debian.org/security/2022/dsa-5085
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Remediation

Upgrade Ubuntu:18.04 expat to version 2.2.5-3ubuntu0.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-25235
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• http://www.openwall.com/lists/oss-security/2022/02/19/1
• https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf
• https://github.com/libexpat/libexpat/pull/562
• https://lists.debian.org/debian-lts-announce/2022/03/msg00007.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UFRBA3UQVIQKXTBUQXDWQOVWNBKLERU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y27XO3JMKAOMQZVPS3B4MJGEAHCZF5OM/
• https://security.gentoo.org/glsa/202209-24
• https://security.netapp.com/advisory/ntap-20220303-0008/
• https://www.debian.org/security/2022/dsa-5085
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream libksba package and not the libksba package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

Remediation

Upgrade Ubuntu:18.04 libksba to version 1.3.5-2ubuntu0.18.04.1 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3515
• https://access.redhat.com/security/cve/CVE-2022-3515
• https://bugzilla.redhat.com/show_bug.cgi?id=2135610
• https://dev.gnupg.org/rK4b7d9cd4a018898d7714ce06f3faf2626c14582b
• https://security.netapp.com/advisory/ntap-20230706-0008/
• https://www.gnupg.org/blog/20221017-pepe-left-the-ksba.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

Remediation

Upgrade Ubuntu:18.04 openssl to version 1.1.1-1ubuntu2.1~18.04.13 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3711
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46
• https://security.netapp.com/advisory/ntap-20210827-0010/
• https://www.openssl.org/news/secadv/20210824.txt
• https://www.tenable.com/security/tns-2021-16
• https://www.debian.org/security/2021/dsa-4963
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1@%3Cdev.tomcat.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/08/26/2
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=59f5e75f3bced8fc0e130d72a3f582cf7b480b46
• https://lists.apache.org/thread.html/r18995de860f0e63635f3008fd2a6aca82394249476d21691e7c59c9e%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rad5d9f83f0d11fb3f8bb148d179b8a9ad7c6a17f18d70e5805a713d1%40%3Cdev.tomcat.apache.org%3E
• https://security.gentoo.org/glsa/202209-02
• https://security.gentoo.org/glsa/202210-02
• https://security.netapp.com/advisory/ntap-20211022-0003/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.tenable.com/security/tns-2022-02

NVD Description

Note: Versions mentioned in the description apply only to the upstream cyrus-sasl2 package and not the cyrus-sasl2 package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Remediation

Upgrade Ubuntu:18.04 cyrus-sasl2 to version 2.1.27~101-g0780600+dfsg-3ubuntu2.4 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-24407
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
• http://www.openwall.com/lists/oss-security/2022/02/23/4
• https://github.com/cyrusimap/cyrus-sasl/blob/fdcd13ceaef8de684dc69008011fa865c5b4a3ac/docsrc/sasl/release-notes/2.1/index.rst
• https://lists.debian.org/debian-lts-announce/2022/03/msg00002.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4FIXU75Q6RBNK6UYM7MQ3TCFGXR7AX4U/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H26R4SMGM3WHXX4XYNNJB4YGFIL5UNF4/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
• https://security.netapp.com/advisory/ntap-20221007-0003/
• https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
• https://www.debian.org/security/2022/dsa-5087
• https://www.oracle.com/security-alerts/cpujul2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream nghttp2 package and not the nghttp2 package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade Ubuntu:18.04 nghttp2 to version 1.30.0-1ubuntu1+esm2 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-44487
• https://chaos.social/@icing/111210915918780532
• https://github.com/hyperium/hyper/issues/3337
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• http://www.openwall.com/lists/oss-security/2023/10/10/6
• http://www.openwall.com/lists/oss-security/2023/10/10/7
• https://github.com/grpc/grpc/releases/tag/v1.59.2
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
• http://www.openwall.com/lists/oss-security/2023/10/13/4
• http://www.openwall.com/lists/oss-security/2023/10/13/9
• http://www.openwall.com/lists/oss-security/2023/10/18/4
• http://www.openwall.com/lists/oss-security/2023/10/18/8
• http://www.openwall.com/lists/oss-security/2023/10/19/6
• http://www.openwall.com/lists/oss-security/2023/10/20/8
• https://access.redhat.com/security/cve/cve-2023-44487
• https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
• https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
• https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
• https://blog.vespa.ai/cve-2023-44487/
• https://bugzilla.proxmox.com/show_bug.cgi?id=4988
• https://bugzilla.redhat.com/show_bug.cgi?id=2242803
• https://bugzilla.suse.com/show_bug.cgi?id=1216123
• https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
• https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
• https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
• https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
• https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
• https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
• https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
• https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
• https://github.com/Azure/AKS/issues/3947
• https://github.com/Kong/kong/discussions/11741
• https://github.com/advisories/GHSA-qppj-fm5r-hxr3
• https://github.com/advisories/GHSA-vx74-f528-fxqg
• https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
• https://github.com/akka/akka-http/issues/4323
• https://github.com/alibaba/tengine/issues/1872
• https://github.com/apache/apisix/issues/10320
• https://github.com/apache/httpd-site/pull/10
• https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
• https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
• https://github.com/apache/trafficserver/pull/10564
• https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
• https://github.com/bcdannyboy/CVE-2023-44487
• https://github.com/caddyserver/caddy/issues/5877
• https://github.com/caddyserver/caddy/releases/tag/v2.7.5
• https://github.com/dotnet/announcements/issues/277
• https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
• https://github.com/eclipse/jetty.project/issues/10679
• https://github.com/envoyproxy/envoy/pull/30055
• https://github.com/etcd-io/etcd/issues/16740
• https://github.com/facebook/proxygen/pull/466
• https://github.com/golang/go/issues/63417
• https://github.com/grpc/grpc-go/pull/6703
• https://github.com/h2o/h2o/pull/3291
• https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
• https://github.com/haproxy/haproxy/issues/2312
• https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
• https://github.com/junkurihara/rust-rpxy/issues/97
• https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
• https://github.com/kazu-yamamoto/http2/issues/93
• https://github.com/kubernetes/kubernetes/pull/121120
• https://github.com/line/armeria/pull/5232
• https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
• https://github.com/micrictor/http2-rst-stream
• https://github.com/microsoft/CBL-Mariner/pull/6381
• https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
• https://github.com/nghttp2/nghttp2/pull/1961
• https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
• https://github.com/ninenines/cowboy/issues/1615
• https://github.com/nodejs/node/pull/50121
• https://github.com/openresty/openresty/issues/930
• https://github.com/opensearch-project/data-prepper/issues/3474
• https://github.com/oqtane/oqtane.framework/discussions/3367
• https://github.com/projectcontour/contour/pull/5826
• https://github.com/tempesta-tech/tempesta/issues/1986
• https://github.com/varnishcache/varnish-cache/issues/3996
• https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
• https://istio.io/latest/news/security/istio-security-2023-004/
• https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
• https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
• https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
• https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html
• https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html
• https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
• https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
• https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
• https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
• https://my.f5.com/manage/s/article/K000137106
• https://netty.io/news/2023/10/10/4-1-100-Final.html
• https://news.ycombinator.com/item?id=37830987
• https://news.ycombinator.com/item?id=37830998
• https://news.ycombinator.com/item?id=37831062
• https://news.ycombinator.com/item?id=37837043
• https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
• https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
• https://security.gentoo.org/glsa/202311-09
• https://security.netapp.com/advisory/ntap-20231016-0001/
• https://security.netapp.com/advisory/ntap-20240426-0007/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://security.netapp.com/advisory/ntap-20240621-0007/
• https://security.paloaltonetworks.com/CVE-2023-44487
• https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
• https://ubuntu.com/security/CVE-2023-44487
• https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
• https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
• https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
• https://www.debian.org/security/2023/dsa-5521
• https://www.debian.org/security/2023/dsa-5522
• https://www.debian.org/security/2023/dsa-5540
• https://www.debian.org/security/2023/dsa-5549
• https://www.debian.org/security/2023/dsa-5558
• https://www.debian.org/security/2023/dsa-5570
• https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
• https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
• https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
• https://www.openwall.com/lists/oss-security/2023/10/10/6
• https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
• https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/studiogangster/CVE-2023-44487

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Remediation

Upgrade Ubuntu:18.04 openssl to version 1.1.1-1ubuntu2.1~18.04.15 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-0778
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=380085481c64de749a6dd25cdf0bcf4360b30f83
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a466912611aa6cbdf550cd10601390e587451246
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
• http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html
• http://seclists.org/fulldisclosure/2022/May/33
• http://seclists.org/fulldisclosure/2022/May/35
• http://seclists.org/fulldisclosure/2022/May/38
• https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246
• https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
• https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002
• https://security.gentoo.org/glsa/202210-02
• https://security.netapp.com/advisory/ntap-20220321-0002/
• https://security.netapp.com/advisory/ntap-20220429-0005/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://support.apple.com/kb/HT213255
• https://support.apple.com/kb/HT213256
• https://support.apple.com/kb/HT213257
• https://www.debian.org/security/2022/dsa-5103
• https://www.openssl.org/news/secadv/20220315.txt
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.tenable.com/security/tns-2022-06
• https://www.tenable.com/security/tns-2022-07
• https://www.tenable.com/security/tns-2022-08
• https://www.tenable.com/security/tns-2022-09
• https://github.com/jkakavas/CVE-2022-0778-POC

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade Ubuntu:18.04 openssl to version 1.1.1-1ubuntu2.1~18.04.21 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-0286
• https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.2-relnotes.txt
• https://ftp.openbsd.org/pub/OpenBSD/patches/7.2/common/018_x509.patch.sig
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2f7530077e0ef79d98718138716bc51ca0cad658
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fd2af07dc083a350c959147097003a14a5e8ac4d
• https://security.gentoo.org/glsa/202402-08
• https://www.openssl.org/news/secadv/20230207.txt

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).

Remediation

Upgrade Ubuntu:18.04 openssl to version 1.1.1-1ubuntu2.1~18.04.7 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2020-1971
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f960d81215ebf3f65e03d4d5d857fb9b666d6920
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44676
• https://security.netapp.com/advisory/ntap-20201218-0005/
• https://security.netapp.com/advisory/ntap-20210513-0002/
• https://www.openssl.org/news/secadv/20201208.txt
• https://www.tenable.com/security/tns-2020-11
• https://www.tenable.com/security/tns-2021-09
• https://www.tenable.com/security/tns-2021-10
• https://www.debian.org/security/2020/dsa-4807
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/
• https://security.FreeBSD.org/advisories/FreeBSD-SA-20:33.openssl.asc
• https://security.gentoo.org/glsa/202012-13
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c@%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143@%3Ccommits.pulsar.apache.org%3E
• https://lists.debian.org/debian-lts-announce/2020/12/msg00020.html
• https://lists.debian.org/debian-lts-announce/2020/12/msg00021.html
• http://www.openwall.com/lists/oss-security/2021/09/14/2
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2154ab83e14ede338d2ede9bbe5cdfce5d5a6c9e
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f960d81215ebf3f65e03d4d5d857fb9b666d6920
• https://lists.apache.org/thread.html/r63c6f2dd363d9b514d0a4bcf624580616a679898cc14c109a49b750c%40%3Cdev.tomcat.apache.org%3E
• https://lists.apache.org/thread.html/rbb769f771711fb274e0a4acb1b5911c8aab544a6ac5e8c12d40c5143%40%3Ccommits.pulsar.apache.org%3E
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGSI34Y5LQ5RYXN4M2I5ZQT65LFVDOUU/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PWPSSZNZOBJU2YR6Z4TGHXKYW3YP5QG7/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.oracle.com/security-alerts/cpuapr2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Remediation

Upgrade Ubuntu:18.04 openssl to version 1.1.1-1ubuntu2.1~18.04.9 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-3449
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-2021-GHY28dJd
• https://cert-portal.siemens.com/productcert/pdf/ssa-772220.pdf
• https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fb9fa6b51defd48157eeb207f52181f735d96148
• https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44845
• https://kc.mcafee.com/corporate/index?page=content&id=SB10356
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0013
• https://security.netapp.com/advisory/ntap-20210326-0006/
• https://security.netapp.com/advisory/ntap-20210513-0002/
• https://www.openssl.org/news/secadv/20210325.txt
• https://www.tenable.com/security/tns-2021-05
• https://www.tenable.com/security/tns-2021-06
• https://www.tenable.com/security/tns-2021-09
• https://www.tenable.com/security/tns-2021-10
• https://www.debian.org/security/2021/dsa-4875
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
• https://security.gentoo.org/glsa/202103-03
• https://security.FreeBSD.org/advisories/FreeBSD-SA-21:07.openssl.asc
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://lists.debian.org/debian-lts-announce/2021/08/msg00029.html
• http://www.openwall.com/lists/oss-security/2021/03/27/1
• http://www.openwall.com/lists/oss-security/2021/03/27/2
• http://www.openwall.com/lists/oss-security/2021/03/28/3
• http://www.openwall.com/lists/oss-security/2021/03/28/4
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
• https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=fb9fa6b51defd48157eeb207f52181f735d96148
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCBFLLVQVILIVGZMBJL3IXZGKWQISYNP/
• https://security.netapp.com/advisory/ntap-20240621-0006/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:18.04 relevant fixed versions and status.

basic/unit-name.c in systemd prior to 246.15, 247.8, 248.5, and 249.1 has a Memory Allocation with an Excessive Size Value (involving strdupa and alloca for a pathname controlled by a local attacker) that results in an operating system crash.

Remediation

Upgrade Ubuntu:18.04 systemd to version 237-3ubuntu10.49 or higher.

References

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2021-33910
• https://www.debian.org/security/2021/dsa-4942
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2LSDMHAKI4LGFOCSPXNVVSEWQFAVFWR7/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/42TMJVNYRY65B4QCJICBYOEIVZV3KUYI/
• https://security.gentoo.org/glsa/202107-48
• http://packetstormsecurity.com/files/163621/Sequoia-A-Deep-Root-In-Linuxs-Filesystem-Layer.html
• https://github.com/systemd/systemd/commit/b34a4f0e6729de292cb3b0c03c1d48f246ad896b
• https://github.com/systemd/systemd/pull/20256/commits/441e0115646d54f080e5c3bb0ba477c892861ab9
• https://github.com/systemd/systemd/releases
• https://github.com/systemd/systemd-stable/commit/4a1c5f34bd3e1daed4490e9d97918e504d19733b
• https://github.com/systemd/systemd-stable/commit/764b74113e36ac5219a4b82a05f311b5a92136ce
• https://github.com/systemd/systemd-stable/commit/b00674347337b7531c92fdb65590ab253bb57538
• https://github.com/systemd/systemd-stable/commit/cfd14c65374027b34dbbc4f0551456c5dc2d1f61
• https://www.openwall.com/lists/oss-security/2021/07/20/2
• http://www.openwall.com/lists/oss-security/2021/08/04/2
• http://www.openwall.com/lists/oss-security/2021/08/17/3
• http://www.openwall.com/lists/oss-security/2021/09/07/3
• https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2LSDMHAKI4LGFOCSPXNVVSEWQFAVFWR7/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TMJVNYRY65B4QCJICBYOEIVZV3KUYI/
• https://security.netapp.com/advisory/ntap-20211104-0008/