Incomplete Fix for CVE-2023-39325/CVE-2023-44487 in Red Hat OpenStack Platform

CVE-2024-4438
7.5 HIGH

Key Information

Vendor: Red Hat
Status (affected products):
Red Hat OpenStack Platform 16.1
Red Hat OpenStack Platform 16.2
Red Hat OpenStack Platform 17.1 for RHEL 9
Red Hat OpenStack Platform 18.0
CVE Published: 8 May 2024

Summary

The etcd package shipped with Red Hat OpenStack Platform carries an incomplete fix for CVE-2023-39325/CVE-2023-44487, the HTTP/2 "Rapid Reset" flaw. The cause is that this etcd build bundles its own copy of http://golang.org/x/net/http2 rather than using the HTTP/2 implementation provided by Red Hat Enterprise Linux, so updating the system packages does not correct it; the bundled module has to be updated and etcd rebuilt at compile time instead.

Affected Version(s)

Red Hat OpenStack Platform 16.1 <= 0:3.3.23-16.el8ost

Red Hat OpenStack Platform 16.2 <= 0:3.3.23-16.el8ost

Red Hat OpenStack Platform 17.1 for RHEL 9 <= 0:3.4.26-8.el9ost

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Risk changed from unrated to 7.5 (HIGH).

  • Vulnerability published.

  • Reported to Red Hat.

  • Vulnerability reserved.

Collectors

NVD Database
Mitre Database