
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-41378 affects Calico Typha (versions v3.26.2, v3.25.1 and below) and Calico Enterprise Typha (versions v3.17.1, v3.16.3, v3.15.3 and below). The vulnerability was discovered in August 2023 and publicly disclosed on November 6, 2023. The issue is that a client TLS handshake can block the Calico Typha server indefinitely, resulting in a denial of service condition (Tigera Advisory, NVD).
The root cause is that the TLS Handshake() call is performed inside the server's main connection-handling for loop without any timeout, so an unclean TLS handshake from a single client can block that loop indefinitely while all other connections sit idle, waiting for the stalled handshake to finish. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the weakness is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-703 (Improper Check or Handling of Exceptional Conditions) (NVD, Tigera Advisory).
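The unbounded-handshake shape described above, beside a bounded per-connection alternative, as an added Go illustration that is not Typha's code nor its actual fix: handshakeWithDeadline, hardenedAcceptLoop and demoStalledHandshake are names assumed here, and the peer that never completes its handshake is simulated with a constructed net.Pipe.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

// Vulnerable shape from the advisory: Handshake() run inline in the accept loop with
// no deadline, so one stalled handshake blocks every connection queued behind it.
func handshakeWithDeadline(tc *tls.Conn, timeout time.Duration) error {
	if err := tc.SetDeadline(time.Now().Add(timeout)); err != nil {
		return err
	}
	if err := tc.Handshake(); err != nil {
		return err
	}
	return tc.SetDeadline(time.Time{}) // clear it; the app protocol sets its own
}

// Per-connection goroutine: a slow or unclean peer costs only that goroutine.
func hardenedAcceptLoop(ln net.Listener, cfg *tls.Config, timeout time.Duration, handle func(net.Conn)) error {
	for {
		raw, err := ln.Accept()
		if err != nil {
			return err
		}
		go func(raw net.Conn) {
			tc := tls.Server(raw, cfg)
			if err := handshakeWithDeadline(tc, timeout); err != nil {
				raw.Close()
				return
			}
			handle(tc)
		}(raw)
	}
}
// Constructed net.Pipe: the peer connects but never sends a ClientHello.
func demoStalledHandshake(timeout time.Duration) (timedOut bool, err error) {
	client, server := net.Pipe()
	defer client.Close()
	err = handshakeWithDeadline(tls.Server(server, &tls.Config{}), timeout)
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout(), err
}
func main() {
	fmt.Println(demoStalledHandshake(200 * time.Millisecond)) // true, i/o timeout
}
```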
The vulnerability can lead to a denial of service condition where the Calico Typha server becomes unresponsive. While the denial of service of a single Calico Typha instance will not disrupt cluster operations, under certain conditions where abrupt terminations of the TLS handshake occur with all replicas, it can disrupt the entire cluster's operation. Indicators of impact include Calico Felix pod crash looping or not reaching readiness state (Tigera Advisory).
Organizations should upgrade to the fixed versions: Calico OSS v3.26.3 (released Oct 6, 2023) or v3.25.2 (released Sept 5, 2023), Calico Enterprise v3.18.0, v3.17.2, v3.16.4, or v3.15.4, or Calico Cloud v18.0.0. As a workaround, organizations should review host and cluster network policies and secure Typha port 5473 from external access using host-endpoint policies, external security groups, access control lists, or firewalls (Tigera Advisory).
Source: This report was generated using AI