GitHub Advisory DatabaseGHSA-QPPJ-FM5R-HXR3HTTP/2 Stream Cancellation Attack
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.72 High
EPSS
Percentile
98.0%
HTTP/2 Rapid reset attack
The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.
Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open.
The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.
The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.
Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the swift-nio-http2 repo advisory and their original conent follows.
swift-nio-http2 specific advisory
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new Channels to serve the traffic. This can easily overwhelm an EventLoop and prevent it from making forward progress.
swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
References
www.openwall.com/lists/oss-security/2023/10/13/4
www.openwall.com/lists/oss-security/2023/10/13/9
www.openwall.com/lists/oss-security/2023/10/18/4
www.openwall.com/lists/oss-security/2023/10/18/8
www.openwall.com/lists/oss-security/2023/10/19/6
www.openwall.com/lists/oss-security/2023/10/20/8
access.redhat.com/security/cve/cve-2023-44487
akka.io/security/akka-http-cve-2023-44487.html
arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size
aws.amazon.com/security/security-bulletins/AWS-2023-011
blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack
blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack
blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty
blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
blog.vespa.ai/cve-2023-44487
bugzilla.proxmox.com/show_bug.cgi?id=4988
bugzilla.redhat.com/show_bug.cgi?id=2242803
bugzilla.suse.com/show_bug.cgi?id=1216123
cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
chaos.social/@icing/111210915918780532
cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps
cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
github.com/advisories/GHSA-qppj-fm5r-hxr3
github.com/advisories/GHSA-vx74-f528-fxqg
github.com/advisories/GHSA-xpw8-rcwv-8f8p
github.com/akka/akka-http/issues/4323
github.com/akka/akka-http/pull/4324
github.com/akka/akka-http/pull/4325
github.com/alibaba/tengine/issues/1872
github.com/apache/apisix/issues/10320
github.com/apache/httpd-site/pull/10
github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
github.com/apache/trafficserver/pull/10564
github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3
github.com/arkrwn/PoC/tree/main/CVE-2023-44487
github.com/Azure/AKS/issues/3947
github.com/bcdannyboy/CVE-2023-44487
github.com/caddyserver/caddy/issues/5877
github.com/caddyserver/caddy/releases/tag/v2.7.5
github.com/dotnet/announcements/issues/277
github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
github.com/eclipse/jetty.project/issues/10679
github.com/envoyproxy/envoy/pull/30055
github.com/etcd-io/etcd/issues/16740
github.com/facebook/proxygen/pull/466
github.com/golang/go/issues/63417
github.com/grpc/grpc-go/pull/6703
github.com/grpc/grpc-go/releases
github.com/h2o/h2o/pull/3291
github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
github.com/haproxy/haproxy/issues/2312
github.com/hyperium/hyper/issues/3337
github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
github.com/junkurihara/rust-rpxy/issues/97
github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
github.com/kazu-yamamoto/http2/issues/93
github.com/Kong/kong/discussions/11741
github.com/kubernetes/kubernetes/pull/121120
github.com/line/armeria/pull/5232
github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
github.com/micrictor/http2-rst-stream
github.com/microsoft/CBL-Mariner/pull/6381
github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
github.com/nghttp2/nghttp2/pull/1961
github.com/nghttp2/nghttp2/releases/tag/v1.57.0
github.com/ninenines/cowboy/issues/1615
github.com/nodejs/node/pull/50121
github.com/openresty/openresty/issues/930
github.com/opensearch-project/data-prepper/issues/3474
github.com/oqtane/oqtane.framework/discussions/3367
github.com/projectcontour/contour/pull/5826
github.com/tempesta-tech/tempesta/issues/1986
github.com/varnishcache/varnish-cache/issues/3996
go.dev/cl/534215
go.dev/cl/534235
go.dev/issue/63417
groups.google.com/g/golang-announce/c/iNNxDTCjZvo
groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ
istio.io/latest/news/security/istio-security-2023-004
linkerd.io/2023/10/12/linkerd-cve-2023-44487
lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
lists.debian.org/debian-lts-announce/2023/10/msg00020.html
lists.debian.org/debian-lts-announce/2023/10/msg00023.html
lists.debian.org/debian-lts-announce/2023/10/msg00024.html
lists.debian.org/debian-lts-announce/2023/10/msg00045.html
lists.debian.org/debian-lts-announce/2023/10/msg00047.html
lists.debian.org/debian-lts-announce/2023/11/msg00001.html
lists.debian.org/debian-lts-announce/2023/11/msg00012.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4
lists.fedoraproject.org/archives/list/[email protected]/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A
lists.fedoraproject.org/archives/list/[email protected]/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ
lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2
lists.fedoraproject.org/archives/list/[email protected]/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5
lists.fedoraproject.org/archives/list/[email protected]/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU
lists.fedoraproject.org/archives/list/[email protected]/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ
lists.fedoraproject.org/archives/list/[email protected]/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ
lists.fedoraproject.org/archives/list/[email protected]/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY
lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE
lists.fedoraproject.org/archives/list/[email protected]/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG
lists.fedoraproject.org/archives/list/[email protected]/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL
lists.fedoraproject.org/archives/list/[email protected]/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU
lists.fedoraproject.org/archives/list/[email protected]/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK
lists.fedoraproject.org/archives/list/[email protected]/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH
lists.fedoraproject.org/archives/list/[email protected]/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y
lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2
lists.fedoraproject.org/archives/list/[email protected]/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT
lists.fedoraproject.org/archives/list/[email protected]/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3
lists.fedoraproject.org/archives/list/[email protected]/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4
lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
my.f5.com/manage/s/article/K000137106
netty.io/news/2023/10/10/4-1-100-Final.html
news.ycombinator.com/item?id=37830987
news.ycombinator.com/item?id=37830998
news.ycombinator.com/item?id=37831062
news.ycombinator.com/item?id=37837043
nvd.nist.gov/vuln/detail/CVE-2023-44487
openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response
seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
security.gentoo.org/glsa/202311-09
security.netapp.com/advisory/ntap-20231016-0001
security.netapp.com/advisory/ntap-20240426-0007
security.paloaltonetworks.com/CVE-2023-44487
tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12
tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94
tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81
ubuntu.com/security/CVE-2023-44487
www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records
www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
www.debian.org/security/2023/dsa-5521
www.debian.org/security/2023/dsa-5522
www.debian.org/security/2023/dsa-5540
www.debian.org/security/2023/dsa-5549
www.debian.org/security/2023/dsa-5558
www.debian.org/security/2023/dsa-5570
www.eclipse.org/lists/jetty-announce/msg00181.html
www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487
www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products
www.openwall.com/lists/oss-security/2023/10/10/6
www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
www.theregister.com/2023/10/10/http2_rapid_reset_zeroday
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.72 High
EPSS
Percentile
98.0%