Jonathan Looney

Rank #2520 of 53,632 · Total CVSS 97.9 · Vulnerabilities: 13 (High 12, Medium 1)
**PT-2019-3016** · CVSS 7.8 · 2019-08-13 · Google · golang.org/x/net/http2 · CVE-2019-9514

**Name of the Vulnerable Software and Affected Versions**
- HTTP/2 implementations (affected versions not specified)
- golang.org/x/net/http2 (affected versions not specified)
- Arista EOS (affected versions not specified)
- Arista CloudVision Portal (affected versions not specified)
- Access Points with OpenConfig interface enabled (affected versions not specified)

**Description**
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes.

**Recommendations**
- For HTTP/2 implementations, consider disabling the HTTP/2 protocol until a patch is available.
- For golang.org/x/net/http2, update to a version that includes the fix for the reset flood vulnerability.
- For Arista EOS, disable TerminAttr and OpenConfig services if they are enabled.
- For Arista CloudVision Portal, restrict access to the ingest component in the CVP Backend.
- For Access Points with OpenConfig interface enabled, disable the OpenConfig interface unless explicitly needed.
- As a temporary workaround, consider limiting the total number of internal error resets emitted by default before the connection is closed.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
**PT-2019-3017** · CVSS 7.8 · 2019-08-13 · Google · golang.org/x/net/http2 · CVE-2019-9512

**Name of the Vulnerable Software and Affected Versions**
- HTTP/2 implementations (affected versions not specified)
- golang.org/x/net/http2 (affected versions not specified)
- Arista EOS (with TerminAttr and OpenConfig enabled)
- Arista CloudVision Portal (ingest component in the CVP Backend)
- Arista Wi-Fi software (Access Points with OpenConfig interface enabled)

**Description**
Some HTTP/2 implementations are vulnerable to ping floods and reset floods, potentially leading to a denial of service. An attacker can send continual pings or invalid requests to an HTTP/2 peer, causing the peer to build an internal queue of responses or RST_STREAM frames. This can consume excess CPU, memory, or both, potentially leading to a crash. The vulnerability can be exploited by a remote attacker, allowing them to cause a denial of service.

**Recommendations**
- For HTTP/2 implementations, consider disabling the ping flood and reset flood features until a patch is available.
- For golang.org/x/net/http2, restrict access to the affected package until a patch is available.
- For Arista EOS, disable TerminAttr and OpenConfig services until a patch is available.
- For Arista CloudVision Portal, restrict access to the ingest component in the CVP Backend until a patch is available.
- For Arista Wi-Fi software, disable the OpenConfig interface on Access Points until a patch is available.
- As a temporary workaround, consider restricting the amount of memory and CPU allocated to the affected services to minimize the risk of exploitation.
**PT-2019-3472** · CVSS 7.8 · 2019-08-12 · Oracle · Oracle GraalVM · CVE-2019-9515

**Name of the Vulnerable Software and Affected Versions**
- Apache Traffic Server (affected versions not specified)
- H2O (affected versions not specified)
- Node.js (affected versions not specified)
- SwiftNIO (affected versions not specified)
- Arista EOS (affected versions not specified)
- Arista CloudVision Portal (affected versions not specified)
- Arista Wi-Fi software (affected versions not specified)
- Ubuntu Linux (affected versions not specified)
- Debian Linux (affected versions not specified)
- F5 BIG-IP Local Traffic Manager (affected versions not specified)
- Fedora (affected versions not specified)
- McAfee Web Gateway (affected versions not specified)
- openSUSE Leap (affected versions not specified)
- Oracle GraalVM (affected versions not specified)
- Red Hat Enterprise Linux (affected versions not specified)
- Red Hat JBoss Core Services (affected versions not specified)
- Red Hat JBoss Enterprise Application Platform (affected versions not specified)
- Red Hat OpenShift Container Platform (affected versions not specified)
- Red Hat OpenShift Service Mesh (affected versions not specified)
- Red Hat OpenStack (affected versions not specified)
- Red Hat Quay (affected versions not specified)
- Red Hat Single Sign-On (affected versions not specified)
- Red Hat Software Collections (affected versions not specified)
- Synology DiskStation Manager (affected versions not specified)
- Synology SkyNAS (affected versions not specified)
- Synology VS960HD Firmware (affected versions not specified)

**Description**
The issue is related to errors in the resource consumption control mechanism of the HTTP/2 protocol implementation in various software products. An attacker can exploit this by sending a stream of SETTINGS frames, potentially leading to a denial of service due to excessive CPU or memory consumption. The vulnerability can be exploited by continually sending data, causing affected components to consume large amounts of memory and potentially leading to an out-of-memory condition.

**Recommendations**
- For Apache Traffic Server, consider disabling the HTTP/2 protocol until a patch is available.
- For H2O, restrict access to the HTTP/2 implementation to minimize the risk of exploitation.
- For Node.js, avoid using the HTTP/2 protocol in affected versions until the issue is resolved.
- For SwiftNIO, consider disabling the HTTP/2 protocol until a patch is available.
- For Arista EOS, disable TerminAttr and OpenConfig services if they are not necessary.
- For Arista CloudVision Portal, restrict access to the ingest component in the CVP Backend.
- For Arista Wi-Fi software, disable the OpenConfig interface on Access Points unless explicitly needed.
- For all other affected products, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
**PT-2019-3015** · CVSS 7.8 · 2019-03-20 · Node.js Foundation · Node.js · CVE-2019-9511

**Name of the Vulnerable Software and Affected Versions**
- HTTP/2 implementations (affected versions not specified)
- nginx (affected versions not specified)
- Node.js (affected versions not specified)
- Apache HTTP Server (affected versions not specified)
- Windows (affected versions not specified)

**Description**
The issue is related to window size manipulation and stream prioritization manipulation in HTTP/2 implementations, potentially leading to a denial of service. An attacker can request a large amount of data from a specified resource over multiple streams, manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. This can consume excess CPU, memory, or both, depending on how efficiently the data is queued.

**Recommendations**
- For HTTP/2 implementations, consider disabling the HTTP/2 protocol until a patch is available.
- For nginx, restrict access to the HTTP/2 module to minimize the risk of exploitation.
- For Node.js, avoid using the HTTP/2 module in production environments until the issue is resolved.
- For Apache HTTP Server, consider disabling the HTTP/2 protocol or restricting access to the affected module to minimize the risk of exploitation.
- For Windows, apply configuration changes to restrict the use of HTTP/2 or disable it temporarily until a fix is available.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
**PT-2015-6865** · CVSS 7.1 · 2015-07-14 · Juniper Networks · Junos · CVE-2015-5358

**Name of the Vulnerable Software and Affected Versions**
- Juniper Junos OS 12.1X44 before 12.1X44-D50
- Juniper Junos OS 12.1X46 before 12.1X46-D35
- Juniper Junos OS 12.1X47 before 12.1X47-D25
- Juniper Junos OS 12.3 before 12.3R9
- Juniper Junos OS 12.3X48 before 12.3X48-D15
- Juniper Junos OS 13.2 before 13.2R7
- Juniper Junos OS 13.2X51 before 13.2X51-D35
- Juniper Junos OS 13.2X52 before 13.2X52-D25
- Juniper Junos OS 13.3 before 13.3R6
- Juniper Junos OS 14.1R3 before 14.1R3-S2
- Juniper Junos OS 14.1 before 14.1R4
- Juniper Junos OS 14.1X53 before 14.1X53-D16
- Juniper Junos OS 14.1X55 before 14.1X55-D25
- Juniper Junos OS 14.2 before 14.2R2
- Juniper Junos OS 15.1 before 15.1R1

**Description**
The issue allows remote attackers to cause a denial of service by consuming mbufs and connections, leading to a restart, via a large number of requests that trigger a TCP connection to move to the LAST_ACK state when there is more data to send.

**Recommendations**
- For Juniper Junos OS 12.1X44 before 12.1X44-D50, update to version 12.1X44-D50 or later.
- For Juniper Junos OS 12.1X46 before 12.1X46-D35, update to version 12.1X46-D35 or later.
- For Juniper Junos OS 12.1X47 before 12.1X47-D25, update to version 12.1X47-D25 or later.
- For Juniper Junos OS 12.3 before 12.3R9, update to version 12.3R9 or later.
- For Juniper Junos OS 12.3X48 before 12.3X48-D15, update to version 12.3X48-D15 or later.
- For Juniper Junos OS 13.2 before 13.2R7, update to version 13.2R7 or later.
- For Juniper Junos OS 13.2X51 before 13.2X51-D35, update to version 13.2X51-D35 or later.
- For Juniper Junos OS 13.2X52 before 13.2X52-D25, update to version 13.2X52-D25 or later.
- For Juniper Junos OS 13.3 before 13.3R6, update to version 13.3R6 or later.
- For Juniper Junos OS 14.1R3 before 14.1R3-S2, update to version 14.1R3-S2 or later.
- For Juniper Junos OS 14.1 before 14.1R4, update to version 14.1R4 or later.
- For Juniper Junos OS 14.1X53 before 14.1X53-D16, update to version 14.1X53-D16 or later.
- For Juniper Junos OS 14.1X55 before 14.1X55-D25, update to version 14.1X55-D25 or later.
- For Juniper Junos OS 14.2 before 14.2R2, update to version 14.2R2 or later.
- For Juniper Junos OS 15.1 before 15.1R1, update to version 15.1R1 or later.