Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Vulnerability Details
This vulnerability was detected during the periodic CVE scan.