GHSA-xpw8-rcwv-8f8p
- Source
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-xpw8-rcwv-8f8p/GHSA-xpw8-rcwv-8f8p.json
- Aliases
-
- BIT-apisix-2023-44487
- BIT-aspnet-core-2023-44487
- BIT-contour-2023-44487
- BIT-dotnet-2023-44487
- BIT-dotnet-sdk-2023-44487
- BIT-envoy-2023-44487
- BIT-golang-2023-44487
- BIT-jenkins-2023-44487
- BIT-kong-2023-44487
- BIT-nginx-2023-44487
- BIT-nginx-ingress-controller-2023-44487
- BIT-node-2023-44487
- BIT-solr-2023-44487
- BIT-tomcat-2023-44487
- BIT-varnish-2023-44487
- CVE-2023-44487
- GHSA-2m7v-gc89-fjqf
- GHSA-qppj-fm5r-hxr3
- GHSA-vx74-f528-fxqg
- Published
- 2023-10-10T22:22:54Z
- Modified
- 2024-02-16T08:23:58.662031Z
- Summary
- io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
- Details
-
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.
Impact
This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.
Patches
This is patched in version 4.1.100.Final.
Workarounds
A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own
Http2FrameListenerimplementation or anChannelInboundHandlerimplementation (depending which http2 API is used).References
- https://www.cve.org/CVERecord?id=CVE-2023-44487
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- References
-
- https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/netty/netty
- https://www.cve.org/CVERecord?id=CVE-2023-44487
Affected packages
Maven / io.netty:netty-codec-http2
Package
- Name
- io.netty:netty-codec-http2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0The exact introduced commit is unknownFixed4.1.100.Final
Affected versions
4.*
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final