CVE-2023-44487
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-44487.json
- Aliases
-
- BIT-apisix-2023-44487
- BIT-aspnet-core-2023-44487
- BIT-contour-2023-44487
- BIT-dotnet-2023-44487
- BIT-dotnet-sdk-2023-44487
- BIT-envoy-2023-44487
- BIT-golang-2023-44487
- BIT-jenkins-2023-44487
- BIT-kong-2023-44487
- BIT-nginx-2023-44487
- BIT-nginx-ingress-controller-2023-44487
- BIT-node-2023-44487
- BIT-solr-2023-44487
- BIT-tomcat-2023-44487
- BIT-varnish-2023-44487
- GHSA-2m7v-gc89-fjqf
- GHSA-qppj-fm5r-hxr3
- GHSA-vx74-f528-fxqg
- GHSA-xpw8-rcwv-8f8p
- Related
-
- ALSA-2023:5708
- ALSA-2023:5709
- ALSA-2023:5710
- ALSA-2023:5711
- ALSA-2023:5712
- ALSA-2023:5713
- ALSA-2023:5721
- ALSA-2023:5738
- ALSA-2023:5749
- ALSA-2023:5765
- ALSA-2023:5837
- ALSA-2023:5838
- ALSA-2023:5849
- ALSA-2023:5850
- ALSA-2023:5863
- ALSA-2023:5867
- ALSA-2023:5869
- ALSA-2023:5924
- ALSA-2023:5928
- ALSA-2023:5929
- ALSA-2023:5989
- ALSA-2023:6120
- ALSA-2023:6746
- ALSA-2023:7205
- ALSA-2024:1444
- ALSA-2024:2368
- DLA-3617-1
- DLA-3621-1
- DLA-3638-1
- DLA-3641-1
- DLA-3645-1
- DLA-3656-1
- DSA-5521-1
- DSA-5522-1
- DSA-5540-1
- DSA-5549-1
- DSA-5558-1
- DSA-5570-1
- GO-2023-2102
- GO-2023-2153
- RLSA-2023:5708
- RLSA-2023:5721
- RLSA-2023:5738
- RLSA-2023:5749
- RLSA-2023:5765
- RLSA-2023:5838
- RLSA-2023:5850
- RLSA-2023:5863
- RLSA-2023:5924
- RLSA-2023:5928
- RLSA-2023:5989
- RLSA-2023:6077
- RLSA-2023:6120
- RLSA-2023:6746
- RLSA-2023:6818
- RLSA-2023:7205
- RLSA-2024:1444
- USN-6427-1
- USN-6427-2
- USN-6438-1
- USN-6505-1
- USN-6574-1
- USN-6754-1
- Published
- 2023-10-10T14:15:00Z
- Modified
- 2023-12-06T01:03:14.681524Z
- Summary
- [none]
- Details
-
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- References
-
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
- https://news.ycombinator.com/item?id=37831062
- https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://github.com/bcdannyboy/CVE-2023-44487
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://github.com/eclipse/jetty.project/issues/10679
- https://github.com/alibaba/tengine/issues/1872
- https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/nghttp2/nghttp2/pull/1961
- https://news.ycombinator.com/item?id=37830987
- https://news.ycombinator.com/item?id=37830998
- https://github.com/envoyproxy/envoy/pull/30055
- https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
- https://github.com/caddyserver/caddy/issues/5877
- https://github.com/haproxy/haproxy/issues/2312
- https://github.com/grpc/grpc-go/pull/6703
- https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://my.f5.com/manage/s/article/K000137106
- https://bugzilla.proxmox.com/show_bug.cgi?id=4988
- https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
- https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
- https://github.com/micrictor/http2-rst-stream
- https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
- https://github.com/dotnet/announcements/issues/277
- https://github.com/apache/trafficserver/pull/10564
- https://github.com/facebook/proxygen/pull/466
- https://github.com/microsoft/CBL-Mariner/pull/6381
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://github.com/nodejs/node/pull/50121
- https://github.com/h2o/h2o/pull/3291
- https://github.com/advisories/GHSA-vx74-f528-fxqg
- https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
- https://github.com/golang/go/issues/63417
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
- https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
- https://www.openwall.com/lists/oss-security/2023/10/10/6
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
- https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
- https://github.com/kubernetes/kubernetes/pull/121120
- https://github.com/oqtane/oqtane.framework/discussions/3367
- https://github.com/opensearch-project/data-prepper/issues/3474
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
- https://netty.io/news/2023/10/10/4-1-100-Final.html
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
- https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
- https://news.ycombinator.com/item?id=37837043
- https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
- https://github.com/kazu-yamamoto/http2/issues/93
- https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
- https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
- https://www.debian.org/security/2023/dsa-5522
- https://www.debian.org/security/2023/dsa-5521
Affected packages
Alpine:v3.17 / nghttp2
Package
- Name
- nghttp2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed1.51.0-r2
Affected versions
1.*
1.2.0-r0
1.3.0-r0
1.3.2-r0
1.3.4-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.1-r0
1.8.0-r0
1.9.1-r0
1.9.2-r0
1.10.0-r0
1.11.0-r0
1.11.1-r0
1.12.0-r0
1.13.0-r0
1.14.0-r0
1.14.1-r0
1.15.0-r0
1.15.0-r1
1.16.0-r0
1.16.1-r0
1.17.0-r0
1.18.0-r0
1.18.0-r1
1.18.1-r0
1.20.0-r0
1.21.0-r0
1.21.1-r0
1.21.1-r1
1.22.0-r0
1.23.1-r0
1.24.0-r0
1.25.0-r0
1.26.0-r0
1.27.0-r0
1.27.0-r1
1.28.0-r0
1.29.0-r0
1.30.0-r0
1.31.0-r0
1.31.0-r1
1.31.1-r0
1.32.0-r0
1.33.0-r0
1.33.0-r1
1.34.0-r0
1.35.1-r0
1.36.0-r0
1.37.0-r0
1.37.0-r1
1.38.0-r0
1.39.1-r0
1.39.2-r0
1.39.2-r1
1.39.2-r2
1.40.0-r0
1.41.0-r0
1.42.0-r0
1.42.0-r1
1.43.0-r0
1.44.0-r0
1.44.0-r1
1.44.0-r2
1.46.0-r0
1.47.0-r0
1.48.0-r0
1.48.0-r1
1.49.0-r1
1.50.0-r1
1.51.0-r1
Alpine:v3.18 / nghttp2
Package
- Name
- nghttp2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed1.57.0-r0
Affected versions
1.*
1.2.0-r0
1.3.0-r0
1.3.2-r0
1.3.4-r0
1.5.0-r0
1.6.0-r0
1.7.0-r0
1.7.1-r0
1.8.0-r0
1.9.1-r0
1.9.2-r0
1.10.0-r0
1.11.0-r0
1.11.1-r0
1.12.0-r0
1.13.0-r0
1.14.0-r0
1.14.1-r0
1.15.0-r0
1.15.0-r1
1.16.0-r0
1.16.1-r0
1.17.0-r0
1.18.0-r0
1.18.0-r1
1.18.1-r0
1.20.0-r0
1.21.0-r0
1.21.1-r0
1.21.1-r1
1.22.0-r0
1.23.1-r0
1.24.0-r0
1.25.0-r0
1.26.0-r0
1.27.0-r0
1.27.0-r1
1.28.0-r0
1.29.0-r0
1.30.0-r0
1.31.0-r0
1.31.0-r1
1.31.1-r0
1.32.0-r0
1.33.0-r0
1.33.0-r1
1.34.0-r0
1.35.1-r0
1.36.0-r0
1.37.0-r0
1.37.0-r1
1.38.0-r0
1.39.1-r0
1.39.2-r0
1.39.2-r1
1.39.2-r2
1.40.0-r0
1.41.0-r0
1.42.0-r0
1.42.0-r1
1.43.0-r0
1.44.0-r0
1.44.0-r1
1.44.0-r2
1.46.0-r0
1.47.0-r0
1.48.0-r0
1.48.0-r1
1.49.0-r0
1.50.0-r0
1.51.0-r0
1.52.0-r0
1.52.0-r1
1.53.0-r1
1.55.1-r1