Security Bulletins

Calico Typha hangs during unclean TLS handshake


Reference: TTA-2023-001, CVE-2023-41378

Date published: November 06, 2023 (Updated)

Severity: High

Notes: N/A


Description

In certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below), a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is performed inside the main server accept loop without any timeout, so an unclean TLS handshake (one the client never completes) blocks the main loop indefinitely while every other connection sits idle waiting for that handshake to finish.
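The blocking shape described above, and the per-connection deadline that removes it, as an added Go example that is not Calico's or Typha's code: the server, the silent peer, the well-behaved client and the self-signed certificate are all constructed in-process for the demo, and the function names (serveWithHandshakeTimeout, selfSignedConfig, runScenario, must) are this example's own, not Typha identifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serveWithHandshakeTimeout is the hardened accept loop. The bulletin's bug is this same
// loop calling Handshake() synchronously with no deadline, so one peer that never finishes
// its handshake stalls every other connection. Here Accept() stays on the main goroutine
// while each handshake runs on its own goroutine under a deadline; results go to out.
func serveWithHandshakeTimeout(ln net.Listener, cfg *tls.Config, timeout time.Duration, out chan<- error) {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		go func(raw net.Conn) {
			// The deadline bounds every Read/Write inside Handshake(); on expiry
			// Handshake() returns a net.Error whose Timeout() is true.
			_ = raw.SetDeadline(time.Now().Add(timeout))
			conn := tls.Server(raw, cfg)
			defer conn.Close()
			err := conn.Handshake()
			if err == nil {
				_ = raw.SetDeadline(time.Time{}) // clear it for normal traffic
			}
			out <- err
		}(raw)
	}
}

// must panics on fixture-setup errors; it is used only for the demo's scaffolding.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedConfig builds a throwaway self-signed server certificate (constructed for
// this demo only) and a root pool the client verifies it against.
func selfSignedConfig() (*tls.Config, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "typha-demo"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	leaf := must(x509.ParseCertificate(der))
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, pool
}

// runScenario starts the hardened server, parks one silent peer on it (TCP connected, no
// ClientHello ever sent) and reports whether a well-behaved client still got through.
func runScenario(handshakeTimeout time.Duration) (goodOK bool, goodLatency time.Duration, silentTimedOut bool, err error) {
	cfg, pool := selfSignedConfig()
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	out := make(chan error, 8)
	go serveWithHandshakeTimeout(ln, cfg, handshakeTimeout, out)
	silent := must(net.Dial("tcp", ln.Addr().String()))
	defer silent.Close()
	// The well-behaved client connects while the silent peer is still pending.
	start := time.Now()
	good, dialErr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	goodOK, goodLatency = dialErr == nil, time.Since(start)
	if goodOK {
		good.Close()
	}
	// Server side: one success now, then one timeout once the deadline passes.
	giveUp := time.After(4 * handshakeTimeout)
	for i := 0; i < 2; i++ {
		select {
		case hsErr := <-out:
			var ne net.Error // a deadline expiry surfaces as a net.Error with Timeout() == true
			silentTimedOut = silentTimedOut || (errors.As(hsErr, &ne) && ne.Timeout())
		case <-giveUp:
			return goodOK, goodLatency, silentTimedOut, errors.New("server outcomes not observed in time")
		}
	}
	return goodOK, goodLatency, silentTimedOut, nil
}

func main() { fmt.Println(runScenario(2 * time.Second)) }
```

The deadline is cleared once the handshake succeeds so that long-lived sessions are not cut off by it. Moving the handshake off the accept loop bounds the latency other clients see, but not the number of goroutines a flood of half-open connections can create, so a production server would also cap in-flight handshakes or rely on the network-policy mitigation below.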


Severity

CVSSv3.1: High (7.5)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

The Calico Typha service port is by default only accessible within the cluster, or via the node IP when operating in the host network. Denial of service of a single Calico Typha instance will not disrupt the operation of the cluster; only when the TLS handshake is abruptly terminated against Typha and all of its replicas is cluster operation disrupted.


References


Weakness Enumeration

CWE-400: Uncontrolled Resource Consumption

CWE-703: Improper Check or Handling of Exceptional Conditions


Indicators of Impact/Compromise

Review flow logs for unexpected connections to calico-typha or private IP addresses on TCP port 5473. Indicators of impact include the Calico Felix pod crash looping or not reaching readiness state.


Workaround/Mitigation

Review host and cluster network policies and secure Typha port 5473 from external access to the cluster using host-endpoint policies, external security groups, access control lists, or firewalls.


Affected Releases

  • Calico OSS
    • v3.26.2 and below
    • v3.25.1 and below
  • Calico Enterprise
    • v3.17.1 and below
    • v3.16.3 and below
    • v3.15.3 and below
  • Calico Cloud
    • v17.1.1 and below


Fixed Versions

  • Calico OSS
    • v3.26.3 – released Oct 6, 2023
    • v3.25.2 – released Sept 5, 2023
  • Calico Enterprise
    • v3.18.0 – released Sept 1, 2023
    • v3.17.2 – released Oct 3, 2023
    • v3.16.4 – released Sept 23, 2023
    • v3.15.4 – released Sept 12, 2023
  • Calico Cloud
    • v18.0.0


Acknowledgments

Rodrigo Fior Kuntzer of Miroapp (GitHub: @rodrigorfk) for discovery and partial fix.
