Security Bulletins
Calico Typha hangs during unclean TLS handshake
| Description | Severity | Notes |
|---|---|---|
| Calico Typha hangs during unclean TLS handshake. Reference: TTA-2023-001, CVE-2023-41378. Date published: November 06, 2023 (Updated) | High | N/A |
Description
In certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below), a client TLS handshake can block the Calico Typha server indefinitely, resulting in denial of service. The TLS Handshake() call is made inside the main server accept loop with no timeout, so a client that opens a connection and never completes the handshake (an unclean handshake) blocks the loop indefinitely; connections that arrive afterwards are queued by the kernel but sit idle until that handshake finishes.
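To make the failure mode concrete, the following Go program is an added example, not Calico code and not the project's patch. It runs a minimal TLS accept loop in two modes: the unpatched pattern the bulletin describes (Handshake() called synchronously in the loop with no deadline) and a bounded variant that sets a handshake deadline and moves the handshake into its own goroutine. A "stalled" client connects over plain TCP and sends nothing, then a well-behaved client attempts a real handshake; the function reports whether the second client was served. The names acceptLoop and secondClientSucceeds, the self-signed demo certificate, and the 300 ms handshake timeout are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway localhost certificate so the demo runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "typha-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// acceptLoop models a TLS server loop (assumed shape, not Typha's code). With
// handshakeTimeout == 0 it follows the unpatched pattern from the bulletin:
// Handshake() runs synchronously inside the loop with no deadline, so a client
// that connects and never sends a ClientHello parks the loop and every later
// connection waits behind it. With a positive timeout the handshake is bounded
// by a deadline and runs off the loop, so one silent peer cannot stall the rest.
func acceptLoop(ln net.Listener, cfg *tls.Config, handshakeTimeout time.Duration) {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		tconn := tls.Server(raw, cfg)
		if handshakeTimeout == 0 {
			tconn.Handshake() // vulnerable: blocks the loop for as long as the peer stays silent
			tconn.Close()
			continue
		}
		go func() {
			tconn.SetDeadline(time.Now().Add(handshakeTimeout))
			if err := tconn.Handshake(); err != nil {
				tconn.Close() // stalled or unclean handshake: drop it; the loop was never blocked
				return
			}
			tconn.SetDeadline(time.Time{}) // handshake done; clear the deadline before serving
			tconn.Close()                  // demo only: nothing further to serve
		}()
	}
}

// secondClientSucceeds starts a server with the given handshake policy, connects a
// stalled client that sends nothing, then reports whether a well-behaved client
// connecting afterwards completes its TLS handshake within one second.
func secondClientSucceeds(handshakeTimeout time.Duration) (bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return false, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go acceptLoop(ln, &tls.Config{Certificates: []tls.Certificate{cert}}, handshakeTimeout)

	// Unclean client: plain TCP connect, then silence. This is the trigger condition.
	stalled, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer stalled.Close()
	time.Sleep(100 * time.Millisecond) // let the server accept it and enter Handshake()

	// Well-behaved client, bounded so the demo cannot hang when the server is stuck.
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(time.Second))
	client := tls.Client(raw, &tls.Config{ServerName: "typha-demo", InsecureSkipVerify: true}) // self-signed demo cert only
	return client.Handshake() == nil, nil
}

func main() {
	for _, timeout := range []time.Duration{0, 300 * time.Millisecond} {
		ok, err := secondClientSucceeds(timeout)
		fmt.Printf("handshake timeout %v: second client served=%v err=%v\n", timeout, ok, err)
	}
}
```

With a timeout of 0 the second client's handshake fails because the server never reaches its connection; with 300 ms it succeeds while the silent peer is timed out and dropped in the background. The bounded variant is an illustrative pattern, not the upstream fix. Note that a handshake deadline limits how long one silent peer can hold a handshake slot but does not by itself stop a flood of half-open connections, which is why the network-level mitigation below still matters.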
Severity
CVSSv3.1: High (7.5)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The Calico Typha service port is by default reachable only from within the cluster, or via the node IP when Typha runs in the host network. Denial of service against a single Calico Typha instance does not disrupt cluster operation; the cluster is affected only when the TLS handshakes to all Typha replicas are stalled or abruptly terminated at the same time.
References
Weakness Enumeration
CWE-400: Uncontrolled Resource Consumption
CWE-703: Improper Check or Handling of Exceptional Conditions
Indicators of Impact/Compromise
Review flow logs for unexpected connections to calico-typha, or to private IP addresses, on TCP port 5473. Indicators of impact include the Calico Felix pod crash-looping or never reaching the Ready state, since Felix cannot complete its connection to a blocked Typha.
Workaround/Mitigation
Review host and cluster network policies and restrict the Typha port (TCP 5473) to expected in-cluster sources, blocking access from outside the cluster with host endpoint policies, external security groups, access control lists, or firewalls.
Affected Releases
- Calico OSS
  - v3.26.2 and below
  - v3.25.1 and below
- Calico Enterprise
  - v3.17.1 and below
  - v3.16.3 and below
  - v3.15.3 and below
- Calico Cloud
  - v17.1.1 and below
Fixed Versions
- Calico OSS
  - v3.26.3, released Oct 6, 2023
  - v3.25.2, released Sept 5, 2023
- Calico Enterprise
  - v3.18.0, released Sept 1, 2023
  - v3.17.2, released Oct 3, 2023
  - v3.16.4, released Sept 23, 2023
  - v3.15.4, released Sept 12, 2023
- Calico Cloud
  - v18.0.0
Acknowledgments
Rodrigo Fior Kuntzer of Miroapp (GitHub: @rodrigorfk) for the discovery and a partial fix.