Lucene search

K
githubGitHub Advisory DatabaseGHSA-XPW8-RCWV-8F8P
HistoryOct 10, 2023 - 10:22 p.m.

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack

2023-10-1022:22:54
CWE-400
GitHub Advisory Database
github.com
62
io.netty netty-codec-http2 http/2 rapid reset attack ddos update version 4.1.100.final rst frames limit workaround mitigation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.708

Percentile

98.1%

A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.

Impact

This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.

Patches

This is patched in version 4.1.100.Final.

Workarounds

A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own Http2FrameListener implementation or an ChannelInboundHandler implementation (depending which http2 API is used).

References

Affected configurations

Vulners
Node
io.netty\nettyMatchcodec

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.708

Percentile

98.1%