Veracode Vulnerability DatabaseVERACODE:43799Denial Of Service (DoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.72 High
EPSS
Percentile
98.0%
Libraries that implement HTTP/2 are vulnerable to Denial Of Service (DoS). The vulnerability could be exploited by attackers via sending a large number of HTTP/2 requests to a vulnerable server, then canceling them, causing the server to consume excessive resources and become unavailable to legitimate users. This vulnerability is known as “Rapid Reset”.
References
www.openwall.com/lists/oss-security/2023/10/13/4
www.openwall.com/lists/oss-security/2023/10/13/9
www.openwall.com/lists/oss-security/2023/10/18/4
www.openwall.com/lists/oss-security/2023/10/18/8
www.openwall.com/lists/oss-security/2023/10/19/6
www.openwall.com/lists/oss-security/2023/10/20/8
access.redhat.com/security/cve/cve-2023-44487
arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
aws.amazon.com/security/security-bulletins/AWS-2023-011/
blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
blog.vespa.ai/cve-2023-44487/
bugzilla.proxmox.com/show_bug.cgi?id=4988
bugzilla.redhat.com/show_bug.cgi?id=2242803
bugzilla.suse.com/show_bug.cgi?id=1216123
cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715
edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
github.com/advisories/GHSA-qppj-fm5r-hxr3
github.com/advisories/GHSA-vx74-f528-fxqg
github.com/advisories/GHSA-xpw8-rcwv-8f8p
github.com/akka/akka-http/issues/4323
github.com/alibaba/tengine/issues/1872
github.com/apache/apisix/issues/10320
github.com/apache/httpd-site/pull/10
github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
github.com/apache/trafficserver/pull/10564
github.com/arkrwn/PoC/tree/main/CVE-2023-44487
github.com/Azure/AKS/issues/3947
github.com/bcdannyboy/CVE-2023-44487
github.com/caddyserver/caddy/issues/5877
github.com/caddyserver/caddy/releases/tag/v2.7.5
github.com/dotnet/announcements/issues/277
github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
github.com/eclipse/jetty.project/issues/10679
github.com/envoyproxy/envoy/pull/30055
github.com/etcd-io/etcd/issues/16740
github.com/facebook/proxygen/pull/466
github.com/golang/go/issues/63417
github.com/grpc/grpc-go/pull/6703
github.com/h2o/h2o/pull/3291
github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
github.com/haproxy/haproxy/issues/2312
github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
github.com/junkurihara/rust-rpxy/issues/97
github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
github.com/kazu-yamamoto/http2/issues/93
github.com/Kong/kong/discussions/11741
github.com/kubernetes/kubernetes/pull/121120
github.com/line/armeria/pull/5232
github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
github.com/micrictor/http2-rst-stream
github.com/microsoft/CBL-Mariner/pull/6381
github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832
github.com/nghttp2/nghttp2/pull/1961
github.com/nghttp2/nghttp2/releases/tag/v1.57.0
github.com/ninenines/cowboy/issues/1615
github.com/nodejs/node/pull/50121
github.com/openresty/openresty/issues/930
github.com/opensearch-project/data-prepper/issues/3474
github.com/oqtane/oqtane.framework/discussions/3367
github.com/projectcontour/contour/pull/5826
github.com/tempesta-tech/tempesta/issues/1986
github.com/varnishcache/varnish-cache/issues/3996
groups.google.com/g/golang-announce/c/iNNxDTCjZvo
istio.io/latest/news/security/istio-security-2023-004/
linkerd.io/2023/10/12/linkerd-cve-2023-44487/
lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
lists.debian.org/debian-lts-announce/2023/10/msg00020.html
lists.debian.org/debian-lts-announce/2023/10/msg00023.html
lists.debian.org/debian-lts-announce/2023/10/msg00024.html
lists.debian.org/debian-lts-announce/2023/10/msg00045.html
lists.debian.org/debian-lts-announce/2023/10/msg00047.html
lists.debian.org/debian-lts-announce/2023/11/msg00001.html
lists.debian.org/debian-lts-announce/2023/11/msg00012.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
lists.fedoraproject.org/archives/list/[email protected]/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/
lists.fedoraproject.org/archives/list/[email protected]/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/
lists.fedoraproject.org/archives/list/[email protected]/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/
lists.fedoraproject.org/archives/list/[email protected]/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/
lists.fedoraproject.org/archives/list/[email protected]/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/
lists.fedoraproject.org/archives/list/[email protected]/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/
lists.fedoraproject.org/archives/list/[email protected]/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/
lists.fedoraproject.org/archives/list/[email protected]/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/
lists.fedoraproject.org/archives/list/[email protected]/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/
lists.fedoraproject.org/archives/list/[email protected]/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/
lists.fedoraproject.org/archives/list/[email protected]/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/
lists.fedoraproject.org/archives/list/[email protected]/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/
lists.fedoraproject.org/archives/list/[email protected]/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/
lists.fedoraproject.org/archives/list/[email protected]/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/
lists.fedoraproject.org/archives/list/[email protected]/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/
lists.fedoraproject.org/archives/list/[email protected]/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/
lists.fedoraproject.org/archives/list/[email protected]/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/
lists.fedoraproject.org/archives/list/[email protected]/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/
lists.fedoraproject.org/archives/list/[email protected]/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/
lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
my.f5.com/manage/s/article/K000137106
netty.io/news/2023/10/10/4-1-100-Final.html
news.ycombinator.com/item?id=37830987
news.ycombinator.com/item?id=37830998
news.ycombinator.com/item?id=37831062
news.ycombinator.com/item?id=37837043
openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
security.gentoo.org/glsa/202311-09
security.netapp.com/advisory/ntap-20231016-0001/
security.netapp.com/advisory/ntap-20240426-0007/
security.paloaltonetworks.com/CVE-2023-44487
tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
ubuntu.com/security/CVE-2023-44487
www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
www.debian.org/security/2023/dsa-5521
www.debian.org/security/2023/dsa-5522
www.debian.org/security/2023/dsa-5540
www.debian.org/security/2023/dsa-5549
www.debian.org/security/2023/dsa-5558
www.debian.org/security/2023/dsa-5570
www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
www.openwall.com/lists/oss-security/2023/10/10/6
www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.72 High
EPSS
Percentile
98.0%