MidnightBSD

Advisories for linkerd

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
redhat openshift_container_platform_assisted_installer -
golang networking *
redhat network_observability_operator -
jenkins jenkins *
cisco business_process_automation *
redhat openstack_platform 17.1
netty netty *
f5 big-ip_global_traffic_manager 17.1.0
f5 big-ip_access_policy_manager *
fedoraproject fedora 37
redhat openstack_platform 16.1
microsoft windows_server_2019 -
apache solr *
f5 big-ip_advanced_web_application_firewall 17.1.0
redhat openshift_virtualization 4
cisco data_center_network_manager -
redhat 3scale_api_management_platform 2.0
f5 nginx_plus r29
f5 big-ip_application_visibility_and_reporting 17.1.0
redhat certification_for_red_hat_enterprise_linux 8.0
redhat service_telemetry_framework 1.5
redhat build_of_optaplanner 8.0
f5 big-ip_fraud_protection_service *
cisco prime_network_registrar *
microsoft windows_server_2022 -
caddyserver caddy *
f5 big-ip_webaccelerator 17.1.0
f5 big-ip_global_traffic_manager *
redhat migration_toolkit_for_virtualization -
cisco unified_attendant_console_advanced -
akka http_server *
microsoft cbl-mariner *
microsoft azure_kubernetes_service *
redhat machine_deletion_remediation_operator -
f5 big-ip_advanced_web_application_firewall *
redhat node_maintenance_operator -
cisco crosswork_situation_manager -
redhat openshift_container_platform 4.0
redhat integration_camel_for_spring_boot -
redhat openshift_serverless -
f5 nginx_plus r30
redhat jboss_fuse 7.0.0
redhat enterprise_linux 9.0
redhat openshift_dev_spaces -
redhat integration_service_registry -
f5 big-ip_access_policy_manager 17.1.0
redhat openshift_developer_tools_and_services -
redhat quay 3.0.0
golang http2 *
f5 big-ip_local_traffic_manager 17.1.0
projectcontour contour *
f5 nginx_ingress_controller *
redhat service_interconnect 1.0
linkerd linkerd *
apache traffic_server *
ietf http 2.0
f5 big-ip_websafe *
golang go *
redhat migration_toolkit_for_containers -
redhat openshift_distributed_tracing -
f5 big-ip_local_traffic_manager *
f5 big-ip_ddos_hybrid_defender *
traefik traefik 3.0.0
microsoft windows_10_22h2 *
redhat jboss_a-mq 7
redhat advanced_cluster_security 3.0
cisco iot_field_network_director *
amazon opensearch_data_prepper *
cisco telepresence_video_communication_server *
redhat logging_subsystem_for_red_hat_openshift -
f5 big-ip_websafe 17.1.0
f5 big-ip_advanced_firewall_manager 17.1.0
redhat enterprise_linux 6.0
redhat self_node_remediation_operator -
microsoft windows_11_22h2 *
cisco prime_cable_provisioning *
linkerd linkerd 2.13.1
cisco crosswork_data_gateway 5.0
redhat cost_management -
redhat jboss_data_grid 7.0.0
cisco secure_dynamic_attributes_connector *
cisco ultra_cloud_core_-_policy_control_function 2024.01.0
f5 big-ip_application_security_manager *
microsoft windows_10_1607 *
f5 big-ip_domain_name_system *
redhat support_for_spring_boot -
redhat web_terminal -
debian debian_linux 10.0
cisco expressway *
redhat openshift_data_science -
cisco ios_xe *
microsoft windows_10_1809 *
microsoft windows_10_21h2 *
microsoft windows_server_2016 -
cisco ultra_cloud_core_-_policy_control_function *
f5 big-ip_analytics 17.1.0
redhat build_of_quarkus -
f5 big-ip_next 20.0.1
redhat openshift_pipelines -
f5 big-ip_application_security_manager 17.1.0
redhat openshift_secondary_scheduler_operator -
cisco ios_xr *
redhat openstack_platform 16.2
f5 big-ip_next_service_proxy_for_kubernetes *
redhat jboss_enterprise_application_platform 7.0.0
f5 big-ip_ssl_orchestrator *
istio istio *
linkerd linkerd 2.14.0
redhat openshift_sandboxed_containers -
konghq kong_gateway *
f5 big-ip_carrier-grade_nat *
redhat ansible_automation_platform 2.0
redhat advanced_cluster_management_for_kubernetes 2.0
apple swiftnio_http/2 *
f5 big-ip_application_visibility_and_reporting *
redhat enterprise_linux 8.0
dena h2o *
f5 big-ip_policy_enforcement_manager 17.1.0
redhat openshift_api_for_data_protection -
apache apisix *
envoyproxy envoy 1.27.0
redhat openshift_gitops -
cisco secure_web_appliance_firmware *
kazu-yamamoto http2 *
cisco fog_director *
f5 big-ip_advanced_firewall_manager *
f5 big-ip_ssl_orchestrator 17.1.0
redhat ceph_storage 5.0
redhat openshift_service_mesh 2.0
f5 nginx_plus *
redhat openshift -
microsoft windows_11_21h2 *
cisco crosswork_zero_touch_provisioning *
envoyproxy envoy 1.24.10
f5 big-ip_analytics *
cisco nx-os *
redhat cryostat 2.0
redhat decision_manager 7.0
f5 big-ip_policy_enforcement_manager *
microsoft visual_studio_2022 *
traefik traefik *
f5 big-ip_link_controller 17.1.0
cisco unified_contact_center_enterprise -
redhat jboss_fuse 6.0.0
varnish_cache_project varnish_cache *
redhat fence_agents_remediation_operator -
redhat process_automation 7.0
cisco firepower_threat_defense *
redhat integration_camel_k -
f5 big-ip_webaccelerator *
cisco enterprise_chat_and_email -
microsoft asp.net_core *
f5 big-ip_ddos_hybrid_defender 17.1.0
openresty openresty *
cisco ultra_cloud_core_-_session_management_function *
cisco prime_infrastructure *
redhat certification_for_red_hat_enterprise_linux 9.0
fedoraproject fedora 38
linecorp armeria *
redhat advanced_cluster_security 4.0
nodejs node.js *
f5 big-ip_carrier-grade_nat 17.1.0
redhat migration_toolkit_for_applications 6.0
redhat jboss_enterprise_application_platform 6.0.0
redhat node_healthcheck_operator -
debian debian_linux 12.0
linkerd linkerd 2.13.0
redhat satellite 6.0
cisco ultra_cloud_core_-_serving_gateway_function *
redhat cert-manager_operator_for_red_hat_openshift -
redhat jboss_a-mq_streams -
cisco prime_access_registrar *
f5 big-ip_fraud_protection_service 17.1.0
grpc grpc 1.57.0
linkerd linkerd 2.14.1
facebook proxygen *
redhat jboss_core_services -
debian debian_linux 11.0
redhat single_sign-on 7.0
cisco unified_contact_center_domain_manager -
f5 big-ip_domain_name_system 17.1.0
eclipse jetty *
cisco crosswork_data_gateway *
f5 big-ip_application_acceleration_manager 17.1.0
microsoft .net *
netapp astra_control_center -
redhat run_once_duration_override_operator -
f5 big-ip_link_controller *
apache tomcat *
envoyproxy envoy 1.25.9
cisco secure_malware_analytics *
nghttp2 nghttp2 *
grpc grpc *
f5 nginx *
cisco unified_contact_center_enterprise_-_live_data_server *
cisco unified_contact_center_management_portal -
netapp oncommand_insight -
f5 big-ip_application_acceleration_manager *
apache tomcat 11.0.0
envoyproxy envoy 1.26.4
cisco connected_mobile_experiences *
CVE-2025-43915

In Linkerd edge releases before edge-25.2.1, and Buoyant Enterprise for Linkerd releases 2.13.0–2.13.7, 2.14.0–2.14.10, 2.15.0–2.15.7, 2.16.0–2.16.4, and 2.17.0–2.17.1, resource exhaustion can occur for Linkerd proxy metrics.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H 2.2 4.2

Products Affected

Vendor Product Version
linkerd linkerd *
linkerd buoyant *