CVE-2024-12698
📋 TL;DR
This vulnerability stems from an incomplete fix for the HTTP/2 Rapid Reset attack (CVE-2023-44487 in the protocol, CVE-2023-39325 in Go's net/http and golang.org/x/net/http2) in the ose-olm-catalogd-container component. A client that opens many HTTP/2 streams and immediately cancels them with RST_STREAM frames can make the server do far more work than the stream limit is meant to allow, causing a denial of service; per this entry, exploitation requires authenticated access to the service. Affects Red Hat OpenShift environments running the affected container image.
💻 Affected Systems
- Red Hat OpenShift Container Platform
⚠️ Manual Verification Required
This CVE entry carries no version range information, so automated scanners cannot determine from the CVE record alone whether your system is affected.
Why? Neither the vendor record nor NVD specifies which versions are vulnerable, so there is nothing for a version-matching check to compare against. Confirm exposure from the Red Hat advisory and the image actually running in your cluster.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service of the ose-olm-catalogd-container service. Because catalogd serves operator catalog content to the OLM v1 components, an outage stalls catalog resolution and therefore operator installs and upgrades that depend on it.
Likely Case
Degraded performance or intermittent service disruption for the affected container component.
If Mitigated
Minimal impact with proper network segmentation and rate limiting in place.
🎯 Exploit Status
Per this entry, exploitation requires authenticated access to the affected container. No exploit specific to this CVE is referenced here; the technique follows the known HTTP/2 Rapid Reset pattern (open a stream with HEADERS, cancel it with RST_STREAM, repeat at high rate), for which public tooling already exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenShift Container Platform 4.15.0-202403251547.p0.gb4e1e8e.assembly.stream
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:6122
Restart Required: Yes
Instructions:
1. Update OpenShift Container Platform to the build 4.15.0-202403251547.p0.gb4e1e8e.assembly.stream or later, using the 4.15.z release identified in the vendor advisory.
2. Apply the update through the OpenShift web console or the CLI.
3. Restart the affected catalogd pods so they run the patched image.
🔧 Temporary Workarounds
Network segmentation and access control
Restrict network access to the ose-olm-catalogd-container to trusted sources only, for example with a NetworkPolicy that allows ingress to the catalogd pods solely from the OLM components that consume the catalog.
Rate limiting
Implement rate limiting for HTTP/2 connections to the affected service: cap concurrent streams per connection and terminate connections that exceed a reset budget, either at an ingress proxy in front of catalogd or at the network edge.
🧯 If You Can't Patch
- Implement strict authentication and authorization controls to limit who can access the affected container.
- Monitor for unusual HTTP/2 connection patterns and implement alerting for potential exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check whether the cluster runs OpenShift Container Platform 4.15 with an ose-olm-catalogd-container image older than the fixed build. Locate the catalogd pods without assuming their namespace: oc get pods -A | grep catalogd
Check Version:
oc version
Verify Fix Applied:
Confirm that the catalogd container's Image field references the patched build or a later one. Use: oc describe pod <catalogd-pod> -n <catalogd-namespace> and compare the image reference (and any build label) against the fixed build named in the vendor advisory. A pod that was not restarted after the update may still be running the old image, so check the running pod rather than only the cluster version.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP/2 stream cancellation patterns
- High rate of HTTP/2 RST_STREAM frames
- Catalogd container restarting frequently
Network Indicators:
- Excessive HTTP/2 RST_STREAM frames (error code CANCEL) arriving on the catalogd service port (8443 per this entry), especially many per connection within a short window
- Unusual traffic patterns to the catalogd service
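The RST_STREAM indicators above, and the reset budget that the rate-limiting workaround would enforce, as an added example that is not catalogd or Red Hat code. It parses raw HTTP/2 frames from a byte stream, tracks per connection how many client streams are opened with HEADERS and cancelled with RST_STREAM shortly afterwards, and flags the connection once the rapid resets in a sliding window exceed a budget. The budget (50), window (1 s) and "rapid" gap (50 ms) are assumed illustrative values, and the attacker and benign traffic are constructed inline.

```python
"""HTTP/2 Rapid Reset monitor (added example; not catalogd or Red Hat code).

Parses raw HTTP/2 frames (RFC 9113 section 4.1: 24-bit length, 8-bit type,
8-bit flags, reserved bit + 31-bit stream identifier) and, per connection,
counts client streams opened with HEADERS and cancelled with RST_STREAM
shortly afterwards. A connection whose rapid resets exceed a budget inside
a sliding window is flagged for termination. Budget, window and the "rapid"
gap are assumed values chosen for illustration, not vendor settings.
"""
from collections import deque

HEADERS = 0x1          # frame type: opens a stream
RST_STREAM = 0x3       # frame type: cancels a stream, 4-byte error code payload
ERR_CANCEL = 0x8       # error code Rapid Reset clients typically send


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:   # truncated trailing frame: stop parsing
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


class RapidResetMonitor:
    def __init__(self, budget=50, window=1.0, rapid=0.05):
        self.budget = budget            # rapid resets tolerated per window (assumed)
        self.window = window            # sliding window in seconds (assumed)
        self.rapid = rapid              # HEADERS->RST_STREAM gap counted as rapid (assumed)
        self.opened = {}                # stream id -> time its HEADERS frame arrived
        self.rapid_resets = deque()     # timestamps of rapid resets still in the window
        self.cancel_resets = 0          # RST_STREAM frames carrying CANCEL
        self.flagged = False

    def observe(self, frame, now):
        """Feed one parsed frame seen at time `now` (seconds); returns flagged state."""
        ftype, _flags, sid, payload = frame
        if ftype == HEADERS and sid % 2 == 1:          # odd ids are client-initiated
            self.opened.setdefault(sid, now)
        elif ftype == RST_STREAM and sid in self.opened:
            if len(payload) >= 4 and int.from_bytes(payload[:4], "big") == ERR_CANCEL:
                self.cancel_resets += 1
            if now - self.opened.pop(sid) <= self.rapid:
                self.rapid_resets.append(now)
        while self.rapid_resets and now - self.rapid_resets[0] > self.window:
            self.rapid_resets.popleft()             # expire resets outside the window
        if len(self.rapid_resets) > self.budget:
            self.flagged = True                     # budget exhausted: close the connection
        return self.flagged


def analyse(timed_chunks, **limits):
    """timed_chunks: [(seconds, bytes)] for one connection, in arrival order."""
    mon = RapidResetMonitor(**limits)
    for t, chunk in timed_chunks:
        for frame in parse_frames(chunk):
            mon.observe(frame, t)
    return {"rapid_resets": len(mon.rapid_resets),
            "cancel_resets": mon.cancel_resets,
            "flagged": mon.flagged}


def attacker_traffic(n=200, gap=0.002):
    """Constructed sample: n streams, each cancelled 1 ms after it is opened."""
    out = []
    for i in range(n):
        sid, t = 2 * i + 1, i * gap
        out.append((t, build_frame(HEADERS, 0x4, sid, b"\x82")))  # END_HEADERS, minimal HPACK
        out.append((t + 0.001, build_frame(RST_STREAM, 0x0, sid, ERR_CANCEL.to_bytes(4, "big"))))
    return out


def benign_traffic(n=5):
    """Constructed sample: n streams each cancelled half a second after opening."""
    out = []
    for i in range(n):
        sid, t = 2 * i + 1, i * 0.1
        out.append((t, build_frame(HEADERS, 0x4, sid, b"\x82")))
        out.append((t + 0.5, build_frame(RST_STREAM, 0x0, sid, ERR_CANCEL.to_bytes(4, "big"))))
    return sorted(out, key=lambda tc: tc[0])


if __name__ == "__main__":
    print("attacker:", analyse(attacker_traffic()))   # flagged True
    print("benign:  ", analyse(benign_traffic()))     # flagged False
```

Feed it frames and capture timestamps from a pcap of the catalogd port (after TLS termination, since HTTP/2 here runs over TLS) or from a proxy that exposes per-stream events. The same counters, aggregated per source address, are what the alerting rule should key on; a handful of late cancellations from a legitimate client never trips the budget, while hundreds of sub-50 ms open/cancel pairs in one second do.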
SIEM Query:
source="openshift-audit.log" AND "catalogd" AND ("error" OR "restart" OR "crash")
Note that the OpenShift audit log records API-server requests, not catalogd's own HTTP/2 traffic, so this query only surfaces API activity touching catalogd resources. Pair it with the catalogd pod logs and pod restart events (CrashLoopBackOff, OOMKilled) in the catalogd namespace, which are where the symptoms of a resource-exhaustion attack actually appear.