High Threat Security Alert (A23-10-16): Vulnerability in HTTP/2 protocol


 

Published on: 16 October 2023

  
  

Description:

A vulnerability (CVE-2023-44487) was found in HTTP/2 protocol. A remote attacker could send the specially crafted requests to exploit the vulnerability in an attempt to carrying out distributed denial-of-service (DDoS) attacks as known as “Rapid Reset”.

Reports indicated a denial of service vulnerability (CVE-2023-44487) in HTTP/2 protocol is being exploited to carry out distributed denial-of-service (DDoS) attacks as known as “Rapid Reset”. System administrators are advised to take immediate action to patch your affected systems or follow the recommendations provided by the product vendors to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Systems with HTTP/2 protocol enabled

 

Impact:

A successful attack could lead to denial of service on an affected system.

 

Recommendation:

An inexhaustive list of advisories published by product vendors is provided below. It is strongly recommended to consult product vendors if the used software products are affected and corresponding patches/mitigation measures are available. If so, system administrators should apply the patches when available or follow the recommendations provided by the product vendors to mitigate the risk.

  • Apache Tomcat
    https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94
    https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81
    https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
    https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12
  • Debian
    https://www.debian.org/security/2023/dsa-5521
    https://www.debian.org/security/2023/dsa-5522
  • F5
    https://my.f5.com/manage/s/article/K000137106
  • Microsoft
    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
  • Netscaler
    https://www.netscaler.com/blog/news/how-to-mitigate-the-http-2-rapid-reset-vulnerability-on-netscaler/
  • Nginx
    https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
  • Node.js
    https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
  • RedHat
    https://access.redhat.com/security/cve/CVE-2023-44487
  • SUSE
    https://www.suse.com/security/cve/CVE-2023-44487.html
  • Ubuntu
    https://ubuntu.com/security/CVE-2023-44487

 

More Information:

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487
  • https://www.hkcert.org/security-bulletin/apache-tomcat-multiple-vulnerabilities_20231012
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-october-2023
  • https://www.hkcert.org/security-bulletin/node-js-multiple-vulnerabilities_20231016


Tag: HTTP/2 , Linux , Microsoft , Apache , Tomcat , Debian , F5 , BIG-IP , Netscaler , NGINX , Windows , Windows Server , .NET , ASP.NET Core , Visual Studio , Node.js , RedHat , SUSE , Ubuntu
Tags