#VU85904 Algorithm Downgrade in Red Hat build of Quarkus - CVE-2023-2974

Cybersecurity Help s.r.o.

Published: 2024-01-30

Vulnerability identifier: #VU85904

Vulnerability risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-2974

CWE-ID: CWE-757

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Red Hat build of Quarkus
Server applications / Other server solutions

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote user to modify data on the system.

The vulnerability exists due to TLS protocol configured with quarkus.http.ssl.protocols is not enforced. A remote user can client can force the selection of the weaker supported TLS protocol to modify data on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Red Hat build of Quarkus: before 2.13.8

External links
https://access.redhat.com/errata/RHSA-2023:3809
https://bugzilla.redhat.com/show_bug.cgi?id=2211026
https://access.redhat.com/security/cve/CVE-2023-2974

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps