CVE-2023-6596
📋 TL;DR
CVE-2023-6596 is an incomplete fix for the Rapid Reset vulnerability (CVE-2023-44487/CVE-2023-39325) in OpenShift Container Platform. This allows attackers to perform HTTP/2 Rapid Reset attacks, potentially causing denial of service by overwhelming servers with request cancellations. Organizations running affected OpenShift versions are vulnerable.
💻 Affected Systems
- OpenShift Container Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through resource exhaustion, making OpenShift clusters unavailable for extended periods.
Likely Case
Degraded performance or intermittent service outages affecting application availability.
If Mitigated
Minimal impact with proper rate limiting, network controls, and updated infrastructure.
🎯 Exploit Status
HTTP/2 Rapid Reset attacks are well-documented and tooling exists. This specific CVE represents an incomplete patch, making exploitation straightforward for attackers familiar with the original vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenShift Container Platform 4.12.56, 4.13.49, 4.14.24 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:0485
Restart Required: Yes
Instructions:
1. Check current OpenShift version: oc version
2. Update cluster using OpenShift's update mechanism: oc adm upgrade
3. Apply relevant errata: yum update openshift-hyperkube openshift-clients
4. Restart affected components as indicated in Red Hat advisories
🔧 Temporary Workarounds
HTTP/2 Disablement
Disable HTTP/2 protocol on ingress controllers to prevent Rapid Reset attacks
oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge -p '{"spec":{"httpProtocol":"HTTP1"}}'
Rate Limiting Configuration
Implement request rate limiting on ingress controllers to mitigate DDoS impact
oc edit ingresscontroller/default -n openshift-ingress-operator
Add rate limiting annotations in spec
🧯 If You Can't Patch
- Implement network-level rate limiting and DDoS protection (e.g., using cloud WAF, load balancer features, or firewall rules)
- Monitor for abnormal HTTP/2 traffic patterns and implement alerting for rapid connection resets
🔍 How to Verify
Check if Vulnerable:
Check OpenShift version: oc version | grep 'Server Version' and compare to affected versions (4.12.x < 4.12.56, 4.13.x < 4.13.49, 4.14.x < 4.14.24)
Check Version:
oc version | grep 'Server Version'
Verify Fix Applied:
Verify version is patched: oc version | grep 'Server Version' should show 4.12.56+, 4.13.49+, or 4.14.24+
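The version comparison above is easy to get wrong by eye (4.13.9 sorts after 4.13.49 as a string). The script below is an added example, not part of this advisory or of Red Hat's tooling: it pulls the Server Version line out of `oc version` output and checks it against the fixed releases named in RHSA-2024:0485. The `oc version` output embedded in it is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: compare an OpenShift server version against the fixed
# releases named in RHSA-2024:0485 for CVE-2023-6596 (4.12.56, 4.13.49, 4.14.24).
# Constructed `oc version` output used as sample input; replace with the real thing.
SAMPLE_OC_OUTPUT='Client Version: 4.13.10
Kustomize Version: v4.5.7
Server Version: 4.13.40
Kubernetes Version: v1.26.0+constructed'

# Pull "X.Y.Z" out of the "Server Version: X.Y.Z" line that `oc version` prints.
parse_server_version() {
    printf '%s\n' "$1" | sed -n 's/^Server Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit status: 0 = at or above the fixed release, 1 = below it (vulnerable),
# 2 = not a 4.12/4.13/4.14 release, so this advisory gives no answer for it.
is_patched() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;        patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}   # keep only the leading digits of the z component
    patch=${patch:-0}
    [ "$major" = 4 ] || return 2
    case $minor in
        12) fixed=56 ;;
        13) fixed=49 ;;
        14) fixed=24 ;;
        *)  return 2 ;;
    esac
    [ "$patch" -ge "$fixed" ]
}

# Human-readable verdict for a full `oc version` output; returns is_patched's status.
report() {
    ver=$(parse_server_version "$1")
    if [ -z "$ver" ]; then
        echo "no Server Version line found (are you logged in to the cluster?)"
        return 2
    fi
    is_patched "$ver"
    rc=$?
    case $rc in
        0) echo "$ver: at or above the fixed release" ;;
        1) echo "$ver: below the fixed release, apply the errata" ;;
        *) echo "$ver: release stream not covered by RHSA-2024:0485, check the current advisories" ;;
    esac
    return "$rc"
}

# Demo run on the constructed sample; the non-zero status is ignored here so the
# script itself does not fail when sourced.
report "$SAMPLE_OC_OUTPUT" || :
```

Against a live cluster, run `report "$(oc version)"` and branch on the exit status; the status codes make it usable in a fleet check loop, where a 2 should be treated as "look it up", not as "safe".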
📡 Detection & Monitoring
Log Indicators:
- High frequency of HTTP/2 RST_STREAM frames in ingress controller logs
- Unusual spike in 502/503 errors from applications
Network Indicators:
- Abnormal HTTP/2 traffic patterns with rapid connection establishment/reset cycles
- High volume of small HTTP/2 requests with immediate cancellation
SIEM Query:
source="openshift-ingress" AND ("RST_STREAM" OR "stream_canceled") | stats count by host
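The SIEM query above counts reset events per host over the whole search window, which hides the burst shape that distinguishes Rapid Reset from ordinary client cancellations. The script below is an added example, not part of this advisory: it does the same count with awk, bucketed per host and per minute, and flags hosts whose reset count in any one minute crosses a threshold. The log lines and their `host=`/`event=` field layout are constructed for this example; real router/HAProxy log formats differ, so the field matching needs adapting to your own logs.

```shell
#!/bin/sh
# Added example: per-host, per-minute count of HTTP/2 reset events from ingress
# logs, with a threshold check. Log format below is constructed for the example.
SAMPLE_LOGS='2024-02-01T10:00:01Z host=router-1 src=198.51.100.7 stream=1 event=RST_STREAM
2024-02-01T10:00:01Z host=router-1 src=198.51.100.7 stream=3 event=RST_STREAM
2024-02-01T10:00:02Z host=router-1 src=198.51.100.7 stream=5 event=stream_canceled
2024-02-01T10:00:02Z host=router-2 src=203.0.113.9 stream=1 event=HEADERS
2024-02-01T10:00:03Z host=router-1 src=198.51.100.7 stream=7 event=RST_STREAM
2024-02-01T10:01:10Z host=router-2 src=203.0.113.9 stream=3 event=RST_STREAM
2024-02-01T10:01:11Z host=router-1 src=192.0.2.4 stream=9 event=RST_STREAM'

# Print "host minute count" for every (host, minute) pair that saw at least one
# RST_STREAM or stream_canceled event, highest count first.
resets_per_host_minute() {
    printf '%s\n' "$1" | awk '
        /RST_STREAM|stream_canceled/ {
            host = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^host=/) host = substr($i, 6)
            if (host == "") next                 # line without a host field: skip
            minute = substr($1, 1, 16)           # "2024-02-01T10:00" from the timestamp
            c[host " " minute]++
        }
        END { for (k in c) print k, c[k] }' | sort -k3,3nr -k1,1 -k2,2
}

# Print each host that logged at least $2 resets within a single minute.
hosts_over_threshold() {
    resets_per_host_minute "$1" | awk -v t="$2" '$3 >= t { print $1 }' | sort -u
}

# Demo on the constructed sample: the table, then hosts at or above 3 resets/minute.
resets_per_host_minute "$SAMPLE_LOGS"
hosts_over_threshold "$SAMPLE_LOGS" 3
```

For live use, feed `oc logs -n openshift-ingress <router-pod>` (or your log shipper's export) into the functions and pick the threshold from a baseline of normal cancellation rates; a threshold of 3 per minute is only meaningful for this tiny sample.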
🔗 References
- https://access.redhat.com/errata/RHSA-2024:0485
- https://access.redhat.com/errata/RHSA-2024:0682
- https://access.redhat.com/security/cve/CVE-2023-6596
- https://bugzilla.redhat.com/show_bug.cgi?id=2253521