Описание
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
A flaw was found in Traefik, an HTTP reverse proxy and load balancer. This vulnerability exists in the ACME TLS-ALPN fast path, where unauthenticated clients can exploit it. By initiating numerous connections and sending a minimal ClientHello with "acme-tls/1" before ceasing communication, a malicious client can indefinitely tie up system resources such as "go routines" (lightweight threads) and file descriptors. This leads to a Denial of Service (DoS) of the entry point, making the service unavailable to legitimate users.
Отчет
This vulnerability is rated Moderate for Red Hat. In the Red Hat context, this flaw affects Traefik as deployed in Red Hat OpenShift Dev Spaces. An unauthenticated attacker can exploit the ACME TLS-ALPN fast path to exhaust system resources, leading to a denial of service of the entry point.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Dev Spaces | devspaces/traefik-rhel9 | Affected |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.9 Medium
CVSS3
Связанные уязвимости
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 and 3.6.7, there is a potential vulnerability in Traefik ACME TLS certificates' automatic generation: the ACME TLS-ALPN fast path can allow unauthenticated clients to tie up go routines and file descriptors indefinitely when the ACME TLS challenge is enabled. A malicious client can open many connections, send a minimal ClientHello with acme-tls/1, then stop responding, leading to denial of service of the entry point. The vulnerability is fixed in 2.11.35 and 3.6.7.
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.35 a ...
Traefik's ACME TLS-ALPN fast path lacks timeouts and close on handshake stall
5.9 Medium
CVSS3