Rapid7 Vulnerability & Exploit Database

Oracle Linux: CVE-2023-39326: ELSA-2024-12226: conmon security update (IMPORTANT) (Multiple Advisories)

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

Oracle Linux: CVE-2023-39326: ELSA-2024-12226: conmon security update (IMPORTANT) (Multiple Advisories)

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
12/06/2023
Created
02/27/2024
Added
02/23/2024
Modified
07/22/2024

Description

A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body. A malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request. Chunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small. A flaw was found in the Golang net/http/internal package. This issue may allow a malicious user to send an HTTP request and cause the receiver to read more bytes from network than are in the body (up to 1GiB), causing the receiver to fail reading the response, possibly leading to a Denial of Service (DoS).

Solution(s)

  • oracle-linux-upgrade-aardvark-dns
  • oracle-linux-upgrade-buildah
  • oracle-linux-upgrade-buildah-tests
  • oracle-linux-upgrade-cockpit-podman
  • oracle-linux-upgrade-conmon
  • oracle-linux-upgrade-containernetworking-plugins
  • oracle-linux-upgrade-containers-common
  • oracle-linux-upgrade-container-selinux
  • oracle-linux-upgrade-cri-o
  • oracle-linux-upgrade-crit
  • oracle-linux-upgrade-cri-tools
  • oracle-linux-upgrade-criu
  • oracle-linux-upgrade-criu-devel
  • oracle-linux-upgrade-criu-libs
  • oracle-linux-upgrade-crun
  • oracle-linux-upgrade-delve
  • oracle-linux-upgrade-etcd
  • oracle-linux-upgrade-flannel-cni-plugin
  • oracle-linux-upgrade-fuse-overlayfs
  • oracle-linux-upgrade-golang
  • oracle-linux-upgrade-golang-bin
  • oracle-linux-upgrade-golang-docs
  • oracle-linux-upgrade-golang-misc
  • oracle-linux-upgrade-golang-src
  • oracle-linux-upgrade-golang-tests
  • oracle-linux-upgrade-go-toolset
  • oracle-linux-upgrade-helm
  • oracle-linux-upgrade-istio
  • oracle-linux-upgrade-istio-istioctl
  • oracle-linux-upgrade-java-11-openjdk
  • oracle-linux-upgrade-kata
  • oracle-linux-upgrade-kata-agent
  • oracle-linux-upgrade-kata-image
  • oracle-linux-upgrade-kata-ksm-throttler
  • oracle-linux-upgrade-kata-proxy
  • oracle-linux-upgrade-kata-runtime
  • oracle-linux-upgrade-kata-shim
  • oracle-linux-upgrade-kubeadm
  • oracle-linux-upgrade-kubectl
  • oracle-linux-upgrade-kubelet
  • oracle-linux-upgrade-kubernetes-cni
  • oracle-linux-upgrade-kubernetes-cni-plugins
  • oracle-linux-upgrade-libslirp
  • oracle-linux-upgrade-libslirp-devel
  • oracle-linux-upgrade-netavark
  • oracle-linux-upgrade-oci-seccomp-bpf-hook
  • oracle-linux-upgrade-olcne-agent
  • oracle-linux-upgrade-olcne-api-server
  • oracle-linux-upgrade-olcne-calico-chart
  • oracle-linux-upgrade-olcnectl
  • oracle-linux-upgrade-olcne-gluster-chart
  • oracle-linux-upgrade-olcne-grafana-chart
  • oracle-linux-upgrade-olcne-istio-chart
  • oracle-linux-upgrade-olcne-kubevirt-chart
  • oracle-linux-upgrade-olcne-metallb-chart
  • oracle-linux-upgrade-olcne-multus-chart
  • oracle-linux-upgrade-olcne-nginx
  • oracle-linux-upgrade-olcne-oci-ccm-chart
  • oracle-linux-upgrade-olcne-olm-chart
  • oracle-linux-upgrade-olcne-prometheus-chart
  • oracle-linux-upgrade-olcne-rook-chart
  • oracle-linux-upgrade-olcne-utils
  • oracle-linux-upgrade-podman
  • oracle-linux-upgrade-podman-catatonit
  • oracle-linux-upgrade-podman-docker
  • oracle-linux-upgrade-podman-gvproxy
  • oracle-linux-upgrade-podman-plugins
  • oracle-linux-upgrade-podman-remote
  • oracle-linux-upgrade-podman-tests
  • oracle-linux-upgrade-python3-criu
  • oracle-linux-upgrade-python3-podman
  • oracle-linux-upgrade-runc
  • oracle-linux-upgrade-skopeo
  • oracle-linux-upgrade-skopeo-tests
  • oracle-linux-upgrade-slirp4netns
  • oracle-linux-upgrade-udica
  • oracle-linux-upgrade-virtctl
  • oracle-linux-upgrade-yq

References

  • https://attackerkb.com/topics/cve-2023-39326
  • CVE - 2023-39326
  • ELSA-2024-12226
  • ELSA-2024-2245
  • ELSA-2024-12262
  • ELSA-2024-2193
  • ELSA-2024-12189
  • ELSA-2024-12261
  • ELSA-2024-2272
  • ELSA-2024-1131
  • ELSA-2024-12264
  • ELSA-2024-0887
  • ELSA-2024-12263
  • ELSA-2024-1149
  • ELSA-2024-12191
  • ELSA-2024-2988
  • ELSA-2024-12225
  • ELSA-2024-12190
View more

insightVM

Advanced vulnerability management analytics and reporting.
Key Features
Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;