IP Header Disclosure Vulnerability in Katran by Facebook
CVE-2023-49062
7.5HIGH
What is CVE-2023-49062?
Katran, a load balancer developed by Facebook, has a vulnerability that allows for the disclosure of non-initialized kernel memory as part of an IP header. This issue affects IPv4 encapsulation and the generation of ICMP packets labeled 'Too Big'. Specifically, the vulnerability is triggered when the bpf_xdp_adjust_head function is called, which fails to properly initialize the Identification field in the IPv4 header. As a result, sensitive kernel memory data could be inadvertently written to this field, creating a security risk across all Katran versions released before the relevant code fix.
Affected Version(s)
Katran 0 < 6a03106ac1eab39d0303662963589ecb2374c97f