CVE-2024-4438
📋 TL;DR
This vulnerability is an incomplete fix for the Rapid Reset HTTP/2 attack (CVE-2023-39325/CVE-2023-44487) in etcd packages distributed with Red Hat OpenStack Platform. It allows attackers to cause denial of service through resource exhaustion by exploiting HTTP/2 connection handling. Only Red Hat OpenStack Platform deployments using the affected etcd package are impacted.
💻 Affected Systems
- Red Hat OpenStack Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially affecting OpenStack control plane services that depend on etcd.
Likely Case
Degraded performance or intermittent service disruptions in OpenStack environments.
If Mitigated
Minimal impact with proper network segmentation and rate limiting in place.
🎯 Exploit Status
The Rapid Reset attack is well documented and weaponized tools exist. Exploitation requires HTTP/2 connectivity to the vulnerable service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions specified in RHSA-2024:2729, RHSA-2024:3352, RHSA-2024:3467
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-4438
Restart Required: Yes
Instructions:
1. Check the current OpenStack Platform version.
2. Apply the relevant RHSA patch via yum update.
3. Restart etcd and dependent services.
4. Verify the fix with a version check.
🔧 Temporary Workarounds
HTTP/2 Disablement
Disable the HTTP/2 protocol on etcd services if it is not required.
Configure etcd to use HTTP/1.1 only via environment variables or configuration files.
Rate Limiting
Implement network-level rate limiting for new HTTP/2 connections, for example with iptables on the etcd client port (2379):
iptables -A INPUT -p tcp --dport 2379 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 2379 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate etcd services from untrusted networks
- Deploy Web Application Firewall (WAF) or load balancer with HTTP/2 flood protection
🔍 How to Verify
Check if Vulnerable:
Check the installed etcd package version with rpm -qa | grep etcd and compare it with the patched versions listed in the RHSA advisories.
Check Version:
rpm -q etcd --queryformat '%{VERSION}-%{RELEASE}\n'
Verify Fix Applied:
Confirm the updated package version, then test HTTP/2 connectivity with tools such as h2load or nghttp.
📡 Detection & Monitoring
Log Indicators:
- High rate of HTTP/2 RST_STREAM frames in etcd logs
- Unusual connection termination patterns
- Resource exhaustion warnings
Network Indicators:
- Abnormal HTTP/2 traffic patterns with rapid connection resets
- High volume of short-lived HTTP/2 connections to port 2379
SIEM Query:
source="etcd.log" AND "RST_STREAM" | stats count by src_ip | where count > threshold
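The SIEM query above sketches a per-source count of RST_STREAM events. As an added example that is not part of this advisory or of etcd, the following Python script runs the same detection over constructed sample log lines. The line format (timestamp, msg field, src_ip field), the 60-second sliding window and the threshold of 3 are assumptions chosen for the example, not etcd's actual log format or a recommended threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real etcd output). The format is an
# assumption for this example: ISO timestamp, a quoted msg field, a src_ip field.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z msg="http2: received RST_STREAM" src_ip=10.0.0.5 stream_id=1
2024-05-01T10:00:00Z msg="http2: received RST_STREAM" src_ip=10.0.0.5 stream_id=3
2024-05-01T10:00:01Z msg="http2: received RST_STREAM" src_ip=10.0.0.5 stream_id=5
2024-05-01T10:00:01Z msg="http2: received HEADERS" src_ip=10.0.0.7 stream_id=1
2024-05-01T10:00:02Z msg="http2: received RST_STREAM" src_ip=10.0.0.7 stream_id=1
2024-05-01T10:00:02Z msg="http2: received RST_STREAM" src_ip=10.0.0.5 stream_id=7
2024-05-01T10:01:30Z msg="http2: received RST_STREAM" src_ip=10.0.0.5 stream_id=9
"""

# Assumed line layout: "<timestamp> msg="<text>" src_ip=<ip> ..."
LINE_RE = re.compile(r'^(?P<ts>\S+) msg="(?P<msg>[^"]*)" src_ip=(?P<src>\S+)')


def parse_line(line):
    """Return (timestamp, message, src_ip) for a matching line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("msg"), m.group("src")


def rst_stream_counts(log_text, window=timedelta(seconds=60)):
    """Map each src_ip to the peak number of RST_STREAM events it produced
    inside any sliding window of length `window`.

    A plain total would also flag a slow, long-lived client; the sliding
    window keys on the burstiness that characterises a Rapid Reset flood.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable or unrelated line
        ts, msg, src = parsed
        if "RST_STREAM" in msg:
            events[src].append(ts)

    peaks = {}
    for src, times in events.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[src] = peak
    return peaks


def flag_sources(log_text, threshold=3, window=timedelta(seconds=60)):
    """Sources whose peak RST_STREAM rate within `window` exceeds `threshold`."""
    counts = rst_stream_counts(log_text, window)
    return sorted(src for src, peak in counts.items() if peak > threshold)


if __name__ == "__main__":
    print(rst_stream_counts(SAMPLE_LOG))   # {'10.0.0.5': 4, '10.0.0.7': 1}
    print(flag_sources(SAMPLE_LOG))         # ['10.0.0.5']
```

On the constructed input, 10.0.0.5 sends four resets within two seconds and a fifth ninety seconds later, so its peak within a 60-second window is 4 and it is flagged; 10.0.0.7 resets a single stream and is not. Tune the window and threshold against a baseline of normal client behaviour before alerting on them.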
🔗 References
- https://access.redhat.com/errata/RHSA-2024:2729
- https://access.redhat.com/errata/RHSA-2024:3352
- https://access.redhat.com/errata/RHSA-2024:3467
- https://access.redhat.com/security/cve/CVE-2024-4438
- https://bugzilla.redhat.com/show_bug.cgi?id=2279365