Lucene search

GoogleOSV:BIT-ENVOY-2023-44487

HistoryMar 06, 2024 - 10:52 a.m.

BIT-envoy-2023-44487

2024-03-0610:52:27

Google

osv.dev

http/2 protocol

denial of service

server resource consumption

request cancellation

stream reset

software vulnerability

exploitation

2023

7.1 High

AI Score

Confidence

High

0.72 High

EPSS

Percentile

98.0%

JSON

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CPENameOperatorVersion
envoyge1.27.0
envoyge1.26.4
envoyle1.24.10
envoyle1.26.4
envoyle1.27.0
envoyge1.25.9
envoyle1.25.9
envoyge1.24.10

Name	Operator	Version
envoy	ge	1.27.0
envoy	ge	1.26.4
envoy	le	1.24.10
envoy	le	1.26.4
envoy	le	1.27.0
envoy	ge	1.25.9
envoy	le	1.25.9
envoy	ge	1.24.10

References

www.openwall.com/lists/oss-security/2023/10/13/4

www.openwall.com/lists/oss-security/2023/10/13/9

www.openwall.com/lists/oss-security/2023/10/18/4

www.openwall.com/lists/oss-security/2023/10/18/8

www.openwall.com/lists/oss-security/2023/10/19/6

www.openwall.com/lists/oss-security/2023/10/20/8

access.redhat.com/security/cve/cve-2023-44487

arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/

aws.amazon.com/security/security-bulletins/AWS-2023-011/

blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/

blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/

blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack

blog.vespa.ai/cve-2023-44487/

bugzilla.proxmox.com/show_bug.cgi?id=4988

bugzilla.redhat.com/show_bug.cgi?id=2242803

bugzilla.suse.com/show_bug.cgi?id=1216123

cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9

cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/

cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack

community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125

discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715

edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve

forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764

gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088

github.com/advisories/GHSA-qppj-fm5r-hxr3

github.com/advisories/GHSA-vx74-f528-fxqg

github.com/advisories/GHSA-xpw8-rcwv-8f8p

github.com/akka/akka-http/issues/4323

github.com/alibaba/tengine/issues/1872

github.com/apache/apisix/issues/10320

github.com/apache/httpd-site/pull/10

github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113

github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2

github.com/apache/trafficserver/pull/10564

github.com/arkrwn/PoC/tree/main/CVE-2023-44487

github.com/Azure/AKS/issues/3947

github.com/bcdannyboy/CVE-2023-44487

github.com/caddyserver/caddy/issues/5877

github.com/caddyserver/caddy/releases/tag/v2.7.5

github.com/dotnet/announcements/issues/277

github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73

github.com/eclipse/jetty.project/issues/10679

github.com/envoyproxy/envoy/pull/30055

github.com/etcd-io/etcd/issues/16740

github.com/facebook/proxygen/pull/466

github.com/golang/go/issues/63417

github.com/grpc/grpc-go/pull/6703

github.com/h2o/h2o/pull/3291

github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf

github.com/haproxy/haproxy/issues/2312

github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244

github.com/junkurihara/rust-rpxy/issues/97

github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1

github.com/kazu-yamamoto/http2/issues/93

github.com/Kong/kong/discussions/11741

github.com/kubernetes/kubernetes/pull/121120

github.com/line/armeria/pull/5232

github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632

github.com/micrictor/http2-rst-stream

github.com/microsoft/CBL-Mariner/pull/6381

github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61

github.com/nghttp2/nghttp2/pull/1961

github.com/nghttp2/nghttp2/releases/tag/v1.57.0

github.com/ninenines/cowboy/issues/1615

github.com/nodejs/node/pull/50121

github.com/openresty/openresty/issues/930

github.com/opensearch-project/data-prepper/issues/3474

github.com/oqtane/oqtane.framework/discussions/3367

github.com/projectcontour/contour/pull/5826

github.com/tempesta-tech/tempesta/issues/1986

github.com/varnishcache/varnish-cache/issues/3996

groups.google.com/g/golang-announce/c/iNNxDTCjZvo

istio.io/latest/news/security/istio-security-2023-004/

linkerd.io/2023/10/12/linkerd-cve-2023-44487/

lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q

lists.debian.org/debian-lts-announce/2023/10/msg00020.html

lists.debian.org/debian-lts-announce/2023/10/msg00023.html

lists.debian.org/debian-lts-announce/2023/10/msg00024.html

lists.debian.org/debian-lts-announce/2023/10/msg00045.html

lists.debian.org/debian-lts-announce/2023/10/msg00047.html

lists.debian.org/debian-lts-announce/2023/11/msg00001.html

lists.debian.org/debian-lts-announce/2023/11/msg00012.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/

lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html

mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html

martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html

msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/

msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487

my.f5.com/manage/s/article/K000137106

netty.io/news/2023/10/10/4-1-100-Final.html

news.ycombinator.com/item?id=37830987

news.ycombinator.com/item?id=37830998

news.ycombinator.com/item?id=37831062

news.ycombinator.com/item?id=37837043

openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/

seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected

security.gentoo.org/glsa/202311-09

security.netapp.com/advisory/ntap-20231016-0001/

security.netapp.com/advisory/ntap-20240426-0007/

security.paloaltonetworks.com/CVE-2023-44487

tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14

ubuntu.com/security/CVE-2023-44487

www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/

www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487

www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event

www.debian.org/security/2023/dsa-5521

www.debian.org/security/2023/dsa-5522

www.debian.org/security/2023/dsa-5540

www.debian.org/security/2023/dsa-5549

www.debian.org/security/2023/dsa-5558

www.debian.org/security/2023/dsa-5570

www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487

www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/

www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

www.openwall.com/lists/oss-security/2023/10/10/6

www.phoronix.com/news/HTTP2-Rapid-Reset-Attack

www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/