After moving to a new distribution-support model that lets them ship their own patches, the AlmaLinux developers discovered an unpatched vulnerability in iperf3. They submitted a prepared fix to CentOS Stream, but it was not accepted, so the vulnerability remains present in RHEL and CentOS Stream. A Red Hat employee declined the fix, citing a rule under which only important problems are required to be fixed.
The vulnerability, tracked as CVE-2023-38403, was rated by Red Hat as low severity (insignificant). Fixes for problems of that severity are included in packages only when necessary, based on customer requests or business needs. The AlmaLinux representative expressed bewilderment, since a ready-made patch that fixes the problem had already been submitted to CentOS Stream, so Red Hat did not even need to develop a fix itself.
However, the AlmaLinux developer disagreed that the vulnerability is insignificant. The bug the patch fixes is an integer overflow that can corrupt the process's memory when a peer sends an invalid value in the data-size field. The iperf3 utility, designed to test network performance, uses a client-server model. The vulnerability allows a specially crafted message to cause memory corruption, and the attack can be mounted by a client against a server or by a server against a client.
In practice, this means attackers can target publicly accessible iperf3 servers or run their own servers to attack users who connect to them. Although exploitation is limited to crashing the process (abnormal termination), the issue still needs fixing to prevent iperf3 server processes on publicly reachable hosts from being crashed.
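The class of bug described above, as an added illustration that is not iperf3's own code: a length-prefixed control message whose 4-byte size field is read into a signed int, with the unchecked size arithmetic shown beside a checked version. MAX_MSG_LEN and the two sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG_LEN 65536   /* largest control message we will buffer (constructed limit) */

/* Decode the 4-byte big-endian length prefix into a signed int, as the vulnerable pattern does. */
static int32_t read_len_header(const uint8_t hdr[4]) {
    uint32_t n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
    return (int32_t)n;
}
/* Vulnerable pattern: arithmetic on the untrusted length before any range check. A header of
 * ff ff ff ff decodes to -1, so hsize + 1 is 0: far less than the copy that follows would need. */
static size_t alloc_size_unchecked(int32_t hsize) {
    return (size_t)(hsize + 1);   /* only the size computation is modelled; nothing is copied */
}
/* Hardened: reject non-positive or oversized lengths before doing any arithmetic. */
static int alloc_size_checked(int32_t hsize, size_t *out) {
    if (hsize <= 0 || hsize > MAX_MSG_LEN) return -1;
    *out = (size_t)hsize + 1;
    return 0;
}
/* Parse one length-prefixed message; returns a NUL-terminated copy, or NULL if rejected. */
static char *read_framed_message(const uint8_t *wire, size_t wire_len) {
    if (wire_len < 4) return NULL;
    int32_t hsize = read_len_header(wire);
    size_t need;
    if (alloc_size_checked(hsize, &need) != 0) return NULL;
    if ((size_t)hsize > wire_len - 4) return NULL;   /* declared length exceeds what arrived */
    char *msg = malloc(need);
    if (!msg) return NULL;
    memcpy(msg, wire + 4, (size_t)hsize);
    msg[hsize] = '\0';
    return msg;
}
/* Constructed sample frames: a valid 5-byte message and a header claiming 0xffffffff bytes. */
static const uint8_t good_frame[] = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_frame[]  = { 0xff, 0xff, 0xff, 0xff, 'x' };

int main(void) {
    char *m = read_framed_message(good_frame, sizeof good_frame);
    printf("good frame: %s\n", m ? m : "rejected");
    printf("bad frame: %s\n", read_framed_message(bad_frame, sizeof bad_frame) ? "accepted" : "rejected");
    printf("unchecked allocation size for length -1: %zu\n", alloc_size_unchecked(-1));
    free(m);
    return 0;
}
```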
In response, the Red Hat employee explained that developing a fix is only one stage in preparing a package update: the fix must also pass quality control and be shown not to introduce regressions. For that reason, only fixes for critical and important vulnerabilities are mandatory, while low and moderate severity problems are addressed as needed.