HIGH 7.5

GHSA-pg75-v6fp-8q59

Keylime's registrar vulnerable to Denial-of-service attack via a single open connection

Details

### Impact

Keylime `registrar` is prone to a simple denial-of-service attack in which an adversary opens a connection to the TLS port (by default, port `8891`), blocking further, legitimate connections. As long as the connection is open, the `registrar` is blocked and cannot serve any further clients (`agents` and `tenants`), which prevents normal operation. The problem does not affect the `verifier`.
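For monitoring a registrar that has not yet been upgraded, the following liveness probe is an added example, not code from Keylime or from this advisory. The function names are hypothetical, and it assumes that a blocked registrar still completes the TCP connection but never answers the TLS handshake; the probe's own connection is closed after `timeout` seconds.

```python
import socket
import ssl


def probe_tls_port(host, port=8891, timeout=3.0):
    """Return 'responsive', 'stalled' or 'down' for a TLS listener.

    'stalled': TCP connected, but no handshake reply arrived within `timeout`.
    Assumption: this is what a legitimate client sees while the registrar is
    blocked by another open connection.
    """
    ctx = ssl.create_default_context()
    # Liveness check only: nothing received is trusted, so skip validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "down"  # refused or unreachable
    try:
        with raw:
            raw.settimeout(timeout)  # bounds the handshake so the probe never lingers
            with ctx.wrap_socket(raw):
                return "responsive"
    except (socket.timeout, TimeoutError):
        return "stalled"
    except (ssl.SSLError, OSError):
        # Any reply, even a rejection (e.g. client certificate required),
        # shows the server is still processing new connections.
        return "responsive"


def constructed_stalled_listener():
    """Constructed stand-in for a blocked service: listens but never accepts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    srv = constructed_stalled_listener()
    print(probe_tls_port("127.0.0.1", srv.getsockname()[1], timeout=1.0))
    srv.close()
```

A repeated `stalled` result from several probes in a row is the signal worth alerting on; a single one can also be caused by ordinary load or packet loss.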

### Patches

Users should upgrade to release 7.4.0.

Affected packages

PyPI / keylime
Introduced in: 0
Fixed in: 7.4.0
Fix: `pip install --upgrade 'keylime>=7.4.0'`

References