Calico Typha hangs during unclean TLS handshake


Reference: TTA-2023-001, CVE-2023-41378

Date published: November 06, 2023 (Updated)




In certain conditions, Calico Typha (v3.26.2, v3.25.1 and below) and Calico Enterprise Typha (v3.17.1, v3.16.3, v3.15.3 and below) can be blocked indefinitely by a single client's TLS handshake, resulting in denial of service. The TLS Handshake() call is performed inside the main server accept loop without any timeout, so an unclean TLS handshake (a client that connects but stalls or terminates abruptly before completing the handshake) blocks the main loop indefinitely, and every other connection sits idle waiting for that handshake to finish.
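The blocking pattern described above, as an added example that is not Typha's code: a minimal Go TLS accept loop that reproduces the bug when run with no handshake timeout (Handshake() synchronous in the loop) and shows the fix when run with one (handshake in a per-connection goroutine under a deadline). A probe opens one TCP connection that never sends a ClientHello, then attempts a legitimate handshake; it reports whether the legitimate client was served and whether the stalled peer was dropped. The server, the probe, the 200ms timeout and the self-signed certificate are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway ECDSA certificate for 127.0.0.1 so the
// example runs offline (constructed for this illustration only).
func selfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "typha-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve is a minimal TLS accept loop. handshakeTimeout == 0 reproduces the
// vulnerable pattern (Handshake() synchronous in the loop, no deadline); a
// positive value is the hardened pattern (own goroutine, deadline enforced).
func serve(ln net.Listener, cfg *tls.Config, handshakeTimeout time.Duration) {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		conn := tls.Server(raw, cfg)
		if handshakeTimeout == 0 {
			// VULNERABLE: no further Accept() until this peer finishes, and a
			// peer that never sends a ClientHello never finishes.
			_ = conn.Handshake()
			conn.Close()
			continue
		}
		go func() {
			// HARDENED: handshake off the accept loop, bounded by a deadline.
			defer conn.Close()
			_ = conn.SetDeadline(time.Now().Add(handshakeTimeout))
			if conn.Handshake() != nil {
				return // stalled or malformed handshake: drop the peer
			}
			_ = conn.SetDeadline(time.Time{}) // clear it for normal traffic
		}()
	}
}

// probe starts a server with the given handshake timeout, opens one TCP
// connection that never speaks TLS (the unclean client), then attempts a
// legitimate TLS handshake with a 1s budget. It reports whether the
// legitimate client was served and whether the unclean client was dropped.
func probe(handshakeTimeout time.Duration) (served, dropped bool) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	cfg := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}}
	go serve(ln, cfg, handshakeTimeout)

	stalled, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer stalled.Close()
	time.Sleep(50 * time.Millisecond) // let the server Accept() the stalled peer first
	dialer := &net.Dialer{Timeout: time.Second} // covers connect and handshake together
	conn, err := tls.DialWithDialer(dialer, "tcp", ln.Addr().String(),
		&tls.Config{InsecureSkipVerify: true}) // throwaway cert; never skip verification in production
	served = err == nil
	if served {
		conn.Close()
	}
	// A dropped peer sees EOF/RST; a peer holding the loop hostage sees nothing.
	_ = stalled.SetReadDeadline(time.Now().Add(time.Second))
	_, err = stalled.Read(make([]byte, 1))
	ne, isNet := err.(net.Error)
	dropped = err != nil && !(isNet && ne.Timeout())
	return served, dropped
}

func main() {
	fmt.Println(probe(0))                      // vulnerable: false false
	fmt.Println(probe(200 * time.Millisecond)) // hardened:   true true
}
```

With no timeout the legitimate client's handshake never completes and the stalled peer is never dropped; with a deadline the legitimate client is served while the stalled peer is closed after 200ms. A production deadline would be on the order of seconds, and moving the handshake off the accept loop should be paired with a cap on concurrent in-flight handshakes, since otherwise a client can still hold many half-finished connections open.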



CVSSv3.1: High (7.5)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

By default the Calico Typha service port is only reachable from within the cluster, or via the node IP when Typha runs in the host network. Denial of service against a single Typha instance does not disrupt cluster operation; the cluster is only disrupted when the TLS handshake is abruptly terminated against Typha and all of its replicas, hanging every instance.




Weakness Enumeration

CWE-400: Uncontrolled Resource Consumption

CWE-703: Improper Check or Handling of Exceptional Conditions


Indicators of Impact/Compromise

Review flow logs for unexpected connections to calico-typha, or to private IP addresses on TCP port 5473. Indicators of impact include Calico Felix pods crash-looping or never reaching the ready state.



Mitigations

Review host and cluster network policies, and secure Typha port 5473 against access from outside the cluster using host-endpoint policies, external security groups, access control lists, or firewalls.


Affected Releases

  • Calico OSS
    • v3.26.2 and below
    • v3.25.1 and below
  • Calico Enterprise
    • v3.17.1 and below
    • v3.16.3 and below
    • v3.15.3 and below
  • Calico Cloud
    • v17.1.1 and below


Fixed Versions

  • Calico OSS
    • v3.26.3 – released Oct 6, 2023
    • v3.25.2 – released Sept 5, 2023
  • Calico Enterprise
    • v3.18.0 – released Sept 1, 2023
    • v3.17.2 – released Oct 3, 2023
    • v3.16.4 – released Sept 23, 2023
    • v3.15.4 – released Sept 12, 2023
  • Calico Cloud
    • v18.0.0



Credits

Thanks to Rodrigo Fior Kuntzer of Miroapp (GitHub: @rodrigorfk) for the discovery and a partial fix.
