CVE-2023-44487

Name: CVE-2023-44487
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
NVD Severity: unknown
Other trackers:
Mailing lists:
Exploits:
Forges: GitHub (code, issues), Aports (code, issues)

References

Type     URI
MISC https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
MISC https://news.ycombinator.com/item?id=37831062
MISC https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
MISC https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
MISC https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
MISC https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
MISC https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
MISC https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
MISC https://github.com/bcdannyboy/CVE-2023-44487
MISC https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
MISC https://github.com/eclipse/jetty.project/issues/10679
MISC https://github.com/alibaba/tengine/issues/1872
MISC https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
MISC https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
MISC https://github.com/nghttp2/nghttp2/pull/1961
MISC https://news.ycombinator.com/item?id=37830987
MISC https://news.ycombinator.com/item?id=37830998
MISC https://github.com/envoyproxy/envoy/pull/30055
MISC https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
MISC https://github.com/caddyserver/caddy/issues/5877
MISC https://github.com/haproxy/haproxy/issues/2312
MISC https://github.com/hyperium/hyper/issues/3337
MISC https://chaos.social/@icing/111210915918780532
MISC https://github.com/grpc/grpc-go/pull/6703
MISC https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
MISC https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
MISC https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
MISC https://my.f5.com/manage/s/article/K000137106
MISC https://bugzilla.proxmox.com/show_bug.cgi?id=4988
MISC https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
MISC https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
MISC https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
MISC https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
MISC https://github.com/micrictor/http2-rst-stream
MISC https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
MISC https://github.com/dotnet/announcements/issues/277
MISC https://github.com/apache/trafficserver/pull/10564
MISC https://github.com/facebook/proxygen/pull/466
MISC https://github.com/microsoft/CBL-Mariner/pull/6381
MISC https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
MISC https://github.com/nodejs/node/pull/50121
MISC https://github.com/h2o/h2o/pull/3291
MISC https://github.com/advisories/GHSA-vx74-f528-fxqg
MISC https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
MISC https://github.com/golang/go/issues/63417
MISC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
MISC https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
MISC https://www.openwall.com/lists/oss-security/2023/10/10/6
MISC https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
MISC https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
MISC https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
MISC https://github.com/kubernetes/kubernetes/pull/121120
MISC https://github.com/oqtane/oqtane.framework/discussions/3367
MISC https://github.com/opensearch-project/data-prepper/issues/3474
MISC https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
MISC https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
MISC https://netty.io/news/2023/10/10/4-1-100-Final.html
MISC https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
MISC https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
MISC https://news.ycombinator.com/item?id=37837043
MISC https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
MISC https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
MISC https://github.com/kazu-yamamoto/http2/issues/93
MISC https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
MISC https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
DEBIAN https://www.debian.org/security/2023/dsa-5522
DEBIAN https://www.debian.org/security/2023/dsa-5521
MISC https://blog.vespa.ai/cve-2023-44487/
MISC https://github.com/tempesta-tech/tempesta/issues/1986
MISC https://ubuntu.com/security/CVE-2023-44487
MISC https://access.redhat.com/security/cve/cve-2023-44487
MISC https://github.com/junkurihara/rust-rpxy/issues/97
MISC https://istio.io/latest/news/security/istio-security-2023-004/
MISC https://bugzilla.redhat.com/show_bug.cgi?id=2242803
MISC https://github.com/etcd-io/etcd/issues/16740
MISC https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
MISC https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
MISC https://github.com/advisories/GHSA-qppj-fm5r-hxr3
MISC https://bugzilla.suse.com/show_bug.cgi?id=1216123
MISC https://github.com/ninenines/cowboy/issues/1615
MISC https://github.com/varnishcache/varnish-cache/issues/3996
MISC https://github.com/apache/httpd-site/pull/10
MISC https://github.com/line/armeria/pull/5232
MISC https://github.com/projectcontour/contour/pull/5826
MISC https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
MISC https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
MISC https://github.com/akka/akka-http/issues/4323
MISC https://github.com/apache/apisix/issues/10320
MISC https://github.com/openresty/openresty/issues/930
MISC https://github.com/Azure/AKS/issues/3947
MISC https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
MISC https://security.paloaltonetworks.com/CVE-2023-44487
MISC https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
MISC https://github.com/Kong/kong/discussions/11741
MISC https://github.com/caddyserver/caddy/releases/tag/v2.7.5
MLIST https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
MLIST http://www.openwall.com/lists/oss-security/2023/10/13/4
MLIST http://www.openwall.com/lists/oss-security/2023/10/13/9
MISC https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
MISC https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
MISC https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
MLIST https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
CONFIRM https://security.netapp.com/advisory/ntap-20231016-0001/
MLIST https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html
MLIST http://www.openwall.com/lists/oss-security/2023/10/18/4
MLIST http://www.openwall.com/lists/oss-security/2023/10/18/8
MLIST http://www.openwall.com/lists/oss-security/2023/10/19/6
MLIST http://www.openwall.com/lists/oss-security/2023/10/20/8
MLIST https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html
DEBIAN https://www.debian.org/security/2023/dsa-5540
MLIST https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html
MISC https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
MLIST https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html
DEBIAN https://www.debian.org/security/2023/dsa-5549
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
DEBIAN https://www.debian.org/security/2023/dsa-5558
MLIST https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html
MISC https://security.gentoo.org/glsa/202311-09
DEBIAN https://www.debian.org/security/2023/dsa-5570
CONFIRM https://security.netapp.com/advisory/ntap-20240426-0007/

Match rules

CPE URI                                 Source package   Min version   Max version
cpe:2.3:a:ietf:http:2.0:*:*:*:*:*:*:*   http             == None       == 2.0

Vulnerable and fixed packages

Source package   Branch           Version              Maintainer                                      Status
h2o              3.19-community   2.2.6-r10            None                                            fixed
h2o              3.18-community   2.2.6-r10            None                                            fixed
jetty-runner     3.18-community   9.4.53.20231009-r0   Jakub Jirutka <jakub@jirutka.cz>                fixed
lighttpd         3.15-main        1.4.73-r0            Natanael Copa <ncopa@alpinelinux.org>           fixed
nghttp2          3.18-main        1.57.0-r0            Francesco Colista <fcolista@alpinelinux.org>    fixed
nghttp2          3.17-main        1.51.0-r2            Francesco Colista <fcolista@alpinelinux.org>    fixed
nghttp2          3.16-main        1.47.0-r2            Francesco Colista <fcolista@alpinelinux.org>    fixed
nghttp2          3.15-main        1.46.0-r2            Francesco Colista <fcolista@alpinelinux.org>    fixed
nginx            3.18-main        1.24.0-r7            Jakub Jirutka <jakub@jirutka.cz>                fixed
nginx            3.17-main        1.22.1-r1            Jakub Jirutka <jakub@jirutka.cz>                fixed
nginx            3.16-main        1.22.1-r1            Jakub Jirutka <jakub@jirutka.cz>                fixed
nginx            3.15-main        1.20.2-r2            Jakub Jirutka <jakub@jirutka.cz>                fixed
varnish          3.17-main        7.3.2-r0             Natanael Copa <ncopa@alpinelinux.org>           fixed