U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-37309

Change History

New CVE Received by NIST 6/13/2024 10:15:13 AM

Action Type Old Value New Value
Added CVSS V3.1

								
							
							
						
GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Added CWE

								
							
							
						
GitHub, Inc. CWE-770
Added Description

								
							
							
						
CrateDB is a distributed SQL database. A high-risk vulnerability has been identified in versions prior to 5.7.2 where the TLS endpoint (port 4200) permits client-initiated renegotiation. In this scenario, an attacker can exploit this feature to repeatedly request renegotiation of security parameters during an ongoing TLS session. This flaw could lead to excessive consumption of CPU resources, resulting in potential server overload and service disruption. The vulnerability was confirmed using an openssl client where the command `R` initiates renegotiation, followed by the server confirming with `RENEGOTIATING`. This vulnerability allows an attacker to perform a denial of service attack by exhausting server CPU resources through repeated TLS renegotiations. This impacts the availability of services running on the affected server, posing a significant risk to operational stability and security. TLS 1.3 explicitly forbids renegotiation, since it closes a window of opportunity for an attack. Version 5.7.2 of CrateDB contains the fix for the issue.
Added Reference

								
							
							
						
GitHub, Inc. https://cratedb.com/docs/crate/reference/en/latest/appendices/release-notes/5.7.2.html [No types assigned]
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/crate/crate/commit/1dde03bdf031a20886065195527e368e4a3218b3 [No types assigned]
Added Reference

								
							
							
						
GitHub, Inc. https://github.com/crate/crate/security/advisories/GHSA-x268-qpg6-w9g2 [No types assigned]