Dell Unity: Is Unity affected by CVE-2023-45802

Summary: This article discusses whether CVE-2023-45802 affects Unity.

Not all product versions are identified in this article.

Symptoms

Details
CVE-2023-45802

MODIFIED
This vulnerability has been modified since it was last analyzed by the NATIONAL VULNERABILITY DATABASE (NVD). It is awaiting further analysis which may result in further changes to the information provided.

Description
When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process may run out of memory before that. During testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit), the reporter found this issue with their own test client. During "normal" HTTP/2 use, the probability of experiencing this issue is low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue.

Cause

On Unity, "mod_http2" is not enabled in httpd.conf or in any virtual host's configuration file. The following command shows that mod_http2 is not being used:
apachectl -M | grep http2
Therefore CVE-2023-45802 does NOT impact Unity.
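
The check above, generalized as an added example (not Dell's code and not part of the original article): it classifies any Apache httpd host from its `apachectl -M` output, its configuration directory and its version. The function names, verdict strings and the `/etc/apache2` path in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage an Apache httpd host for CVE-2023-45802 (mod_http2).
# Inputs are passed as arguments so saved output can be checked offline.

# http2_module_loaded MODULE_LIST -> 0 if mod_http2 is in `apachectl -M` output.
# Anchored at line start so proxy_http2_module (mod_proxy_http2, a different
# module) is not counted; a plain `grep http2` would match both.
http2_module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*http2_module[[:space:]]'
}

# protocols_enable_h2 CONF_DIR -> 0 if an uncommented Protocols directive in
# httpd.conf or any included/virtual host file lists h2 or h2c.
protocols_enable_h2() {
    grep -rEhi '^[[:space:]]*Protocols[[:space:]]' "$1" 2>/dev/null |
        grep -Eiq '[[:space:]]h2c?([[:space:]]|$)'
}

# version_fixed VERSION -> 0 if VERSION is 2.4.58 or later (the fixed release).
# Vendor builds may backport fixes, so treat this as upstream versions only.
version_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" "2.4.58" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "2.4.58" ]
}

# classify MODULE_LIST CONF_DIR VERSION -> prints one verdict word.
classify() {
    if ! http2_module_loaded "$1"; then
        echo "not-affected"            # the Unity case described above
    elif version_fixed "$3"; then
        echo "fixed"
    elif protocols_enable_h2 "$2"; then
        echo "affected"                # upgrade, or remove h2/h2c from Protocols
    else
        echo "loaded-h2-not-enabled"   # module present, HTTP/2 not offered
    fi
}

# Live usage (configuration path is an assumption, adjust per distribution):
#   ver=$(apachectl -v | sed -n 's/.*Apache\/\([0-9.]*\).*/\1/p')
#   classify "$(apachectl -M 2>/dev/null)" /etc/apache2 "$ver"
```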

Resolution

CVE-2023-45802 does NOT impact Unity.

Affected Products

Dell EMC Unity

Products

Dell Unity 450F DC, Dell Unity 300, Dell Unity 300 DC, Dell EMC Unity 300F, Dell EMC Unity 350F, Dell Unity 350F DC, Dell EMC Unity XT 380, Dell EMC Unity XT 380F, Dell EMC Unity 400, Dell Unity 400 DC, Dell EMC Unity 400F, Dell EMC Unity 450F, Dell EMC Unity XT 480, Dell EMC Unity XT 480F, Dell EMC Unity 500, Dell EMC Unity 500F, Dell EMC Unity 550F, Dell EMC Unity 600, Dell EMC Unity 600F, Dell EMC Unity 650F, Dell EMC Unity XT 680, Dell EMC Unity XT 680F, Dell EMC Unity XT 880, Dell EMC Unity XT 880F, Dell EMC Unity Family, Dell EMC Unity All Flash, Dell EMC Unity Family, Dell EMC Unity Hybrid, Dell Unity Operating Environment (OE), Dell EMC UnityVSA Professional Edition/Unity Cloud Edition ...
Article Properties
Article Number: 000220765
Article Type: Solution
Last Modified: 12 Jan 2024
Version:  2