grafana-9.0.9-4.el9.ML.1
エラータID: AXSA:2023-6532:09
リリース日:
2023/10/23 Monday - 07:53
題名:
grafana-9.0.9-4.el9.ML.1
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- Go の HTTP/2 クライアント機能には、接続先のサーバーに対して意図
しないリソースを消費させてしまう問題があるため、リモートの攻撃者
により、細工された Go アプリケーションからの新規の多重ストリーム
のリクエストと RST_STREAM フレームによるリクエストのキャンセル
の送信を介して、サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性
が存在します。(CVE-2023-39325)
- HTTP/2 プロトコルには、意図しないリソースの消費に至る問題がある
ため、リモートの攻撃者により、新規の多重ストリームのリクエストと
RST_STREAM フレームによるリクエストのキャンセルの送信を介して、
サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性が存在します。
(CVE-2023-44487)
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-39325
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
追加情報:
N/A
ダウンロード:
SRPMS
- grafana-9.0.9-4.el9.ML.1.src.rpm
MD5: a6e4b11f8e68aecee88ed535c7e91494
SHA-256: b3cb83f21c0423887fa666ad90f9b1e6b29ac1c338826ec9e121df944ed220bf
Size: 268.78 MB
Asianux Server 9 for x86_64
- grafana-9.0.9-4.el9.ML.1.x86_64.rpm
MD5: 6da1f5cc7911621343a0f7b606318634
SHA-256: 8957132ba565ee558f3444c2a3d12d9a6db1e13c0e74a8826004f35b8a01760e
Size: 61.34 MB
English