CVE-2023-41377

Name of the Vulnerable Software and Affected Versions Calico Typha versions 3.26.2 and below Calico Enterprise Typha versions 3.17.1, 3.16.3, 3.15.3 and below

Description In certain conditions, a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is performed inside the main server handle for loop without any timeout, allowing an unclean TLS handshake to block the main loop indefinitely while other connections will be idle waiting for that handshake to finish.

Recommendations For Calico Typha versions 3.26.2 and below, consider implementing a timeout for the TLS Handshake() call to prevent indefinite blocking of the main loop. For Calico Enterprise Typha versions 3.17.1, 3.16.3, 3.15.3 and below, consider implementing a timeout for the TLS Handshake() call to prevent indefinite blocking of the main loop. As a temporary workaround, consider restricting access to the Calico Typha server to minimize the risk of exploitation.