Denial of Service via Hash Collision Attack #13306
teb510 announced in Announcements
Nice to see Kong patch the 2.8.5 OSS version too for folks stuck on older Kong pre 3.x
@teb510 cool, any plan to patch other minor versions like 3.4 / 3.5 / 3.6?
Denial of Service via Hash Collision Attack
Recently, Kong's security researchers discovered a vulnerability in OpenResty, a third-party dependency of Kong Gateway. This vulnerability creates the possibility of Denial of Service attacks against Kong Gateway.
Vulnerability Description:
Kong's security researchers identified a weakness in the default string hashing function in OpenResty that allows carefully crafted HTTP requests to generate large numbers of hash collisions, which can be used in a Denial of Service attack.
A CVE is expected to be issued. Kong currently rates the finding at CVSS 9.2.
Kong Products Impacted:
Remediation Steps:
Patches for all supported Kong Gateway versions are available now for both OSS and Enterprise. Additionally, Enterprise customers will have already received communication from Kong regarding this vulnerability. Our recommendation is to apply the latest patch or upgrade Kong Gateway.
For OSS, we have provided patches for 3.7.1 (latest) and also for 2.8.5, since a large number of community members are still on that version.
Links to Available Patches:
All available patches can be found at packages.konghq.com. The table below provides direct links to the latest patches for each supported version of Kong Gateway.
Impacted Kong Gateway Enterprise version:
Impacted Kong Gateway Community / OSS version: