
CVE-2023-44487 - Denial of Service (DoS) vulnerability in io.netty:netty-codec-http2 #23949

@mvk37

Description

Area

dist/quarkus

Describe the bug

CVE-2023-44487 - HTTP/2 Rapid Reset Attack. A vulnerability in the HTTP/2 protocol which makes it relatively easy to organize a Denial of Service attack.

The netty-codec-http2 4.1.94 package included in Keycloak 22.0.4 is vulnerable. Fixed in netty-codec-http2 4.1.100: GHSA-xpw8-rcwv-8f8p (Netty rated this vulnerability as Moderate but Red Hat as Important; the Red Hat rating looks more correct).

Please upgrade Keycloak and check if any other packages could contribute to this issue.

Version

22.0.4

Expected behavior

Keycloak is not vulnerable

Actual behavior

Vulnerable package exists

How to Reproduce?

Anything else?

No response
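A practical way to confirm the report above against an installed distribution is to scan it for the affected artifact and compare its version against the fixed release. The following script is an added example, not code from the Keycloak project or from the issue reporter. The version threshold (4.1.100 fixes CVE-2023-44487) comes from the issue text and GHSA-xpw8-rcwv-8f8p; the jar naming pattern (`io.netty.netty-codec-http2-<version>.Final.jar`) and the `lib/lib/main` layout of the Quarkus distribution are assumptions, and the sample jar names are constructed.

```python
"""Check a Keycloak (Quarkus) distribution for a netty-codec-http2 build
affected by CVE-2023-44487 (HTTP/2 Rapid Reset).

Added example, not part of Keycloak. Assumptions: the jar naming pattern
and the lib/lib/main layout. The fix threshold 4.1.100 is from the issue
text and GHSA-xpw8-rcwv-8f8p.
"""
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# First netty-codec-http2 release that contains the fix (per GHSA-xpw8-rcwv-8f8p).
FIXED_VERSION = (4, 1, 100)

# Matches e.g. "io.netty.netty-codec-http2-4.1.94.Final.jar" (assumed Quarkus naming)
# or a plain Maven-style "netty-codec-http2-4.1.100.Final.jar".
JAR_RE = re.compile(r"netty-codec-http2-(\d+)\.(\d+)\.(\d+)(?:\.Final)?\.jar$")


def parse_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a netty-codec-http2 jar name, or None
    if the file is a different artifact (e.g. netty-codec-http)."""
    m = JAR_RE.search(jar_name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if the version predates the 4.1.100 fix.

    Tuple comparison is numeric, so 4.1.94 < 4.1.100 as intended; a naive
    string compare would rank "4.1.94" above "4.1.100" and miss the finding.
    """
    return version < FIXED_VERSION


def scan_jar_names(names: Iterable[str]) -> List[Tuple[str, bool]]:
    """Classify each netty-codec-http2 jar among the given paths as
    (path, affected). Paths for other artifacts are skipped."""
    results = []
    for name in names:
        v = parse_version(Path(name).name)
        if v is not None:
            results.append((name, is_affected(v)))
    return results


def scan_distribution(root: Path) -> List[Tuple[str, bool]]:
    """Walk a real distribution directory and scan every *.jar beneath it."""
    return scan_jar_names(str(p) for p in root.rglob("*.jar"))


# Constructed sample: jar names as they might appear under lib/lib/main in a
# Keycloak 22.0.4 (vulnerable) and an upgraded (fixed) distribution.
SAMPLE_JARS = [
    "lib/lib/main/io.netty.netty-codec-http2-4.1.94.Final.jar",
    "lib/lib/main/io.netty.netty-codec-http-4.1.94.Final.jar",  # different artifact, ignored
    "lib/lib/main/io.netty.netty-codec-http2-4.1.100.Final.jar",
]

if __name__ == "__main__":
    import sys

    # Usage: python check_netty_http2.py [/path/to/keycloak]
    # Without an argument the constructed sample list is scanned instead.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    findings = scan_distribution(target) if target else scan_jar_names(SAMPLE_JARS)
    for path, affected in findings:
        print(f"{'AFFECTED' if affected else 'ok      '} {path}")
```

Run it against the unpacked Keycloak directory to list every `netty-codec-http2` jar with an affected/ok verdict; an `AFFECTED` line on 4.1.94 is the condition this issue reports, and the same scan after an upgrade should show only 4.1.100 or later. Note that the jar is only one place the dependency can enter; a Maven or Gradle dependency tree of a custom build should be checked the same way.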

Metadata


Assignees

No one assigned

    Labels

    area/dist/quarkus
    kind/cve (Issues identified as CVEs on third-party dependencies, or issues by which Keycloak is not affected)
    team/cloud-native
