K000137106 : HTTP/2 vulnerability CVE-2023-44487

Security Advisory Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487 also known as HTTP/2 Rapid Reset Attack)

Impact

BIG-IP and BIG-IP Next

This vulnerability allows a remote, unauthenticated attacker to cause an increase in CPU usage that can lead to a denial-of-service (DoS) on the BIG-IP system. There is no control plane exposure; this is a data plane issue only.

The default value for streams per connection is set to 10 because F5 had anticipated this type of flaw in the HTTP/2 protocol. This default value significantly reduces the potential for abuse when compared to having this setting at a higher value. F5 believes that the default settings are conservative enough to mitigate the impact of this attack technique for most customers and that customers are unlikely to need to reduce the setting from the default value.

When you use a BIG-IP virtual server with an HTTP/2 profile assigned, the default BIG-IP behavior prevents any exploit attempts from reaching the load balanced application. Because of this, BIG-IP WAF signatures are not needed to mitigate this type of attack.

When you use a BIG-IP FastL4 virtual server, or a Layer 7 virtual server with only a TCP profile and pass HTTP/2 traffic to pool members, the BIG-IP system has no visibility into the HTTP/2 traffic and cannot protect pool members from this attack. As detailed above, F5 recommends applying an HTTP/2 profile to allow the BIG-IP to protect pool members, the device itself, and provide visibility into the HTTP/2 traffic.

Important: To determine if you are being targeted by this type of attack, you can inspect the HTTP/2 profile statistics. For more information, refer to the Indicators of attack for BIG-IP systems section of this advisory.

NGINX Plus and OSS

The flood of requests triggered by an attacker may exhaust CPU resources available to NGINX worker processes. The impact of the attack will be significantly higher if the value of the keepalive_requests directive is set to a high value, for example, 100K or 1M. The recommended value is 1000, which is the default. For more information about the keepalive_requests directive, refer to keepalive_requests on the Module ngx_http_core_module page.

F5 Distributed Cloud

F5 Distributed Cloud is not vulnerable to this type of attack. If connections come only from F5 Regional Edge sites or from locally deployed Customer Edge sites to the backend, that backend is protected. Customer Edge sites must be updated to the latest version of crt-20231010-2541 in order to resolve the issue.