Ubuntu.comUB:CVE-2023-44487CVE-2023-44487
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.72 High
EPSS
Percentile
98.0%
The HTTP/2 protocol allows a denial of service (server resource
consumption) because request cancellation can reset many streams quickly,
as exploited in the wild in August through October 2023.
Bugs
Notes
| Author | Note |
|---|---|
| mdeslaur | The nginx developers do not consider nginx to be affected by this issue due to the default configuration restricting the number of requests per connectiong (keepalive_requests). They did provide a patch to harden nginx even further in environments where the default are substantially modified. haproxy was fixed in 2018 by the commit listed below Debian’s tomcat9 update caused a regression, investigate before fixing tomcat packages. |
| ccdm94 | see https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html for more information on nginx developer’s position regarding this CVE. |
| 0xnishit | for golang-1.21 and 1.20, it is same patch as CVE-2023-39325 |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 22.04 | noarch | dotnet6 | < 6.0.123-0ubuntu1~22.04.1 | UNKNOWN |
| ubuntu | 23.04 | noarch | dotnet6 | < 6.0.123-0ubuntu1~23.04.1 | UNKNOWN |
| ubuntu | 23.10 | noarch | dotnet6 | < 6.0.123-0ubuntu1 | UNKNOWN |
| ubuntu | 22.04 | noarch | dotnet7 | < 7.0.112-0ubuntu1~22.04.1 | UNKNOWN |
| ubuntu | 23.04 | noarch | dotnet7 | < 7.0.112-0ubuntu1~23.04.1 | UNKNOWN |
| ubuntu | 23.10 | noarch | dotnet7 | < 7.0.112-0ubuntu1 | UNKNOWN |
| ubuntu | 23.10 | noarch | dotnet8 | < 8.0.100-8.0.0~rc2-0ubuntu1 | UNKNOWN |
| ubuntu | 24.04 | noarch | dotnet8 | < 8.0.100-8.0.0-0ubuntu1 | UNKNOWN |
| ubuntu | 18.04 | noarch | golang-1.10 | < any | UNKNOWN |
| ubuntu | 14.04 | noarch | golang-1.10 | < any | UNKNOWN |
References
blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
devblogs.microsoft.com/dotnet/october-2023-updates/
github.com/nghttp2/nghttp2/releases/tag/v1.57.0
groups.google.com/g/golang-announce/c/iNNxDTCjZvo
launchpad.net/bugs/cve/CVE-2023-44487
mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
my.f5.com/manage/s/article/K000137106
nodejs.org/en/blog/vulnerability/october-2023-security-releases
nvd.nist.gov/vuln/detail/CVE-2023-44487
security-tracker.debian.org/tracker/CVE-2023-44487
ubuntu.com/security/notices/USN-6427-1
ubuntu.com/security/notices/USN-6427-2
ubuntu.com/security/notices/USN-6438-1
ubuntu.com/security/notices/USN-6505-1
ubuntu.com/security/notices/USN-6574-1
ubuntu.com/security/notices/USN-6754-1
www.cve.org/CVERecord?id=CVE-2023-44487
www.mail-archive.com/[email protected]/msg44134.html
www.mail-archive.com/[email protected]/msg44134.html
www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.2 High
AI Score
Confidence
High
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.72 High
EPSS
Percentile
98.0%