Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2023-44487

Disclosure Date: October 10, 2023
CVE-2023-44487 CVSS v3 Base Score: 7.5
Exploited in the Wild
Reported by inokii
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • akka,
  • amazon,
  • apache,
  • apple,
  • caddyserver,
  • cisco,
  • debian,
  • dena,
  • eclipse,
  • envoyproxy,
  • f5,
  • facebook,
  • fedoraproject,
  • golang,
  • grpc,
  • ietf,
  • istio,
  • jenkins,
  • kazu-yamamoto,
  • konghq,
  • linecorp,
  • linkerd,
  • microsoft,
  • netapp,
  • netty,
  • nghttp2,
  • nodejs,
  • openresty,
  • projectcontour,
  • redhat,
  • traefik,
  • varnish cache project

Products

  • .net,
  • 3scale api management platform 2.0,
  • advanced cluster management for kubernetes 2.0,
  • advanced cluster security 3.0,
  • advanced cluster security 4.0,
  • ansible automation platform 2.0,
  • apisix,
  • armeria,
  • asp.net core,
  • astra control center -,
  • azure kubernetes service,
  • big-ip access policy manager,
  • big-ip access policy manager 17.1.0,
  • big-ip advanced firewall manager,
  • big-ip advanced firewall manager 17.1.0,
  • big-ip advanced web application firewall,
  • big-ip advanced web application firewall 17.1.0,
  • big-ip analytics,
  • big-ip analytics 17.1.0,
  • big-ip application acceleration manager,
  • big-ip application acceleration manager 17.1.0,
  • big-ip application security manager,
  • big-ip application security manager 17.1.0,
  • big-ip application visibility and reporting,
  • big-ip application visibility and reporting 17.1.0,
  • big-ip carrier-grade nat,
  • big-ip carrier-grade nat 17.1.0,
  • big-ip ddos hybrid defender,
  • big-ip ddos hybrid defender 17.1.0,
  • big-ip domain name system,
  • big-ip domain name system 17.1.0,
  • big-ip fraud protection service,
  • big-ip fraud protection service 17.1.0,
  • big-ip global traffic manager,
  • big-ip global traffic manager 17.1.0,
  • big-ip link controller,
  • big-ip link controller 17.1.0,
  • big-ip local traffic manager,
  • big-ip local traffic manager 17.1.0,
  • big-ip next 20.0.1,
  • big-ip next service proxy for kubernetes,
  • big-ip policy enforcement manager,
  • big-ip policy enforcement manager 17.1.0,
  • big-ip ssl orchestrator,
  • big-ip ssl orchestrator 17.1.0,
  • big-ip webaccelerator,
  • big-ip webaccelerator 17.1.0,
  • big-ip websafe,
  • big-ip websafe 17.1.0,
  • build of optaplanner 8.0,
  • build of quarkus -,
  • caddy,
  • cbl-mariner,
  • ceph storage 5.0,
  • cert-manager operator for red hat openshift -,
  • certification for red hat enterprise linux 8.0,
  • certification for red hat enterprise linux 9.0,
  • connected mobile experiences,
  • contour,
  • cost management -,
  • crosswork data gateway,
  • crosswork data gateway 5.0,
  • crosswork zero touch provisioning,
  • cryostat 2.0,
  • data center network manager -,
  • debian linux 10.0,
  • debian linux 11.0,
  • debian linux 12.0,
  • decision manager 7.0,
  • enterprise chat and email -,
  • enterprise linux 6.0,
  • enterprise linux 8.0,
  • enterprise linux 9.0,
  • envoy 1.24.10,
  • envoy 1.25.9,
  • envoy 1.26.4,
  • envoy 1.27.0,
  • expressway,
  • fedora 37,
  • fedora 38,
  • fence agents remediation operator -,
  • firepower threat defense,
  • fog director,
  • go,
  • grpc,
  • grpc 1.57.0,
  • h2o,
  • http 2.0,
  • http server,
  • http2,
  • integration camel for spring boot -,
  • integration camel k -,
  • integration service registry -,
  • ios xe,
  • ios xr,
  • iot field network director,
  • istio,
  • jboss a-mq 7,
  • jboss a-mq streams -,
  • jboss core services -,
  • jboss data grid 7.0.0,
  • jboss enterprise application platform 6.0.0,
  • jboss enterprise application platform 7.0.0,
  • jboss fuse 6.0.0,
  • jboss fuse 7.0.0,
  • jenkins,
  • jetty,
  • kong gateway,
  • linkerd,
  • linkerd 2.13.0,
  • linkerd 2.13.1,
  • linkerd 2.14.0,
  • linkerd 2.14.1,
  • logging subsystem for red hat openshift -,
  • machine deletion remediation operator -,
  • migration toolkit for applications 6.0,
  • migration toolkit for containers -,
  • migration toolkit for virtualization -,
  • netty,
  • network observability operator -,
  • networking,
  • nghttp2,
  • nginx,
  • nginx ingress controller,
  • nginx plus,
  • nginx plus r29,
  • nginx plus r30,
  • node healthcheck operator -,
  • node maintenance operator -,
  • node.js,
  • nx-os,
  • oncommand insight -,
  • openresty,
  • opensearch data prepper,
  • openshift -,
  • openshift api for data protection -,
  • openshift container platform 4.0,
  • openshift container platform assisted installer -,
  • openshift data science -,
  • openshift dev spaces -,
  • openshift developer tools and services -,
  • openshift distributed tracing -,
  • openshift gitops -,
  • openshift pipelines -,
  • openshift sandboxed containers -,
  • openshift secondary scheduler operator -,
  • openshift serverless -,
  • openshift service mesh 2.0,
  • openshift virtualization 4,
  • openstack platform 16.1,
  • openstack platform 16.2,
  • openstack platform 17.1,
  • prime access registrar,
  • prime cable provisioning,
  • prime infrastructure,
  • prime network registrar,
  • process automation 7.0,
  • proxygen,
  • quay 3.0.0,
  • run once duration override operator -,
  • satellite 6.0,
  • secure dynamic attributes connector,
  • secure malware analytics,
  • secure web appliance firmware,
  • self node remediation operator -,
  • service interconnect 1.0,
  • service telemetry framework 1.5,
  • single sign-on 7.0,
  • solr,
  • support for spring boot -,
  • swiftnio http/2,
  • telepresence video communication server,
  • tomcat,
  • tomcat 11.0.0,
  • traefik,
  • traefik 3.0.0,
  • traffic server,
  • ultra cloud core - policy control function,
  • ultra cloud core - policy control function 2024.01.0,
  • ultra cloud core - serving gateway function,
  • ultra cloud core - session management function,
  • unified attendant console advanced -,
  • unified contact center domain manager -,
  • unified contact center enterprise -,
  • unified contact center enterprise - live data server,
  • unified contact center management portal -,
  • varnish cache,
  • visual studio 2022,
  • web terminal -,
  • windows 10 1607,
  • windows 10 1809,
  • windows 10 21h2,
  • windows 10 22h2,
  • windows 11 21h2,
  • windows 11 22h2,
  • windows server 2016 -,
  • windows server 2019 -,
  • windows server 2022 -

References

Canonical
CVE-2023-44487 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487)
Advisory
DSA-5522 (https://www.debian.org/security/2023/dsa-5522)
DSA-5521 (https://www.debian.org/security/2023/dsa-5521)
[debian-lts-announce] 20231013 [SECURITY] [DLA 3617-1] tomcat9 security update (https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html)
[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations (http://www.openwall.com/lists/oss-security/2023/10/13/4)
[oss-security] 20231013 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations (http://www.openwall.com/lists/oss-security/2023/10/13/9)
FEDORA-2023-ed2642fd58 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/)
[debian-lts-announce] 20231016 [SECURITY] [DLA 3621-1] nghttp2 security update (https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html)
https://security.netapp.com/advisory/ntap-20231016-0001/
[debian-lts-announce] 20231016 [SECURITY] [DLA 3617-2] tomcat9 regression update (https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html)
[oss-security] 20231018 Vulnerability in Jenkins (http://www.openwall.com/lists/oss-security/2023/10/18/4)
[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations (http://www.openwall.com/lists/oss-security/2023/10/18/8)
[oss-security] 20231019 CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (http://www.openwall.com/lists/oss-security/2023/10/19/6)
FEDORA-2023-54fadada12 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/)
FEDORA-2023-5ff7bf1dd8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/)
[oss-security] 20231020 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations (http://www.openwall.com/lists/oss-security/2023/10/20/8)
FEDORA-2023-17efd3f2cd (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/)
FEDORA-2023-d5030c983c (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/)
FEDORA-2023-0259c3f26f (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/)
FEDORA-2023-2a9214af5f (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/)
FEDORA-2023-e9c04d81c1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/)
FEDORA-2023-f66fc0f62a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/)
FEDORA-2023-4d2fd884ea (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/)
FEDORA-2023-b2c50535cb (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/)
FEDORA-2023-fe53e13b5b (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/)
FEDORA-2023-4bf641255e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/)
[debian-lts-announce] 20231030 [SECURITY] [DLA 3641-1] jetty9 security update (https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html)
DSA-5540 (https://www.debian.org/security/2023/dsa-5540)
[debian-lts-announce] 20231031 [SECURITY] [DLA 3638-1] h2o security update (https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html)
FEDORA-2023-1caffb88af (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/)
FEDORA-2023-3f70b8d406 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/)
FEDORA-2023-7b52921cae (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/)
FEDORA-2023-7934802344 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/)
FEDORA-2023-dbe64661af (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/)
FEDORA-2023-822aab0a5a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/)
[debian-lts-announce] 20231105 [SECURITY] [DLA 3645-1] trafficserver security update (https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html)
DSA-5549 (https://www.debian.org/security/2023/dsa-5549)
FEDORA-2023-c0c6a91330 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/)
FEDORA-2023-492b7be466 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/)
DSA-5558 (https://www.debian.org/security/2023/dsa-5558)
[debian-lts-announce] 20231119 [SECURITY] [DLA 3656-1] netty security update (https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html)
GLSA-202311-09 (https://security.gentoo.org/glsa/202311-09)
DSA-5570 (https://www.debian.org/security/2023/dsa-5570)
https://security.netapp.com/advisory/ntap-20240426-0007/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://security.netapp.com/advisory/ntap-20240621-0007/
Exploit
PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
cve-2023-44487 (https://github.com/nxenon/cve-2023-44487) (Added by AKB Worker)
CVE-2023-44487 (https://github.com/imabee101/CVE-2023-44487) (Added by AKB Worker)
Miscellaneous
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
https://news.ycombinator.com/item?id=37831062
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
https://github.com/envoyproxy/envoy/pull/30055
https://github.com/haproxy/haproxy/issues/2312
https://github.com/eclipse/jetty.project/issues/10679
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
https://github.com/alibaba/tengine/issues/1872
https://github.com/hyperium/hyper/issues/3337
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2
https://news.ycombinator.com/item?id=37830987
https://news.ycombinator.com/item?id=37830998
https://chaos.social/@icing/111210915918780532
https://github.com/caddyserver/caddy/issues/5877
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
https://github.com/bcdannyboy/CVE-2023-44487
https://github.com/grpc/grpc-go/pull/6703
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
https://my.f5.com/manage/s/article/K000137106
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/
https://bugzilla.proxmox.com/show_bug.cgi?id=4988
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9
https://github.com/microsoft/CBL-Mariner/pull/6381
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
https://github.com/facebook/proxygen/pull/466
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
https://github.com/micrictor/http2-rst-stream
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf
https://github.com/h2o/h2o/pull/3291
https://github.com/nodejs/node/pull/50121
https://github.com/dotnet/announcements/issues/277
https://github.com/golang/go/issues/63417
https://github.com/advisories/GHSA-vx74-f528-fxqg
https://github.com/apache/trafficserver/pull/10564
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487
https://github.com/opensearch-project/data-prepper/issues/3474
https://github.com/kubernetes/kubernetes/pull/121120
https://github.com/oqtane/oqtane.framework/discussions/3367
https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
https://netty.io/news/2023/10/10/4-1-100-Final.html
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack
https://news.ycombinator.com/item?id=37837043
https://github.com/kazu-yamamoto/http2/issues/93
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113
https://access.redhat.com/security/cve/cve-2023-44487
https://github.com/ninenines/cowboy/issues/1615
https://github.com/varnishcache/varnish-cache/issues/3996
https://github.com/tempesta-tech/tempesta/issues/1986
https://blog.vespa.ai/cve-2023-44487/
https://github.com/etcd-io/etcd/issues/16740
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
https://istio.io/latest/news/security/istio-security-2023-004/
https://github.com/junkurihara/rust-rpxy/issues/97
https://bugzilla.suse.com/show_bug.cgi?id=1216123
https://bugzilla.redhat.com/show_bug.cgi?id=2242803
https://ubuntu.com/security/CVE-2023-44487
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125
https://github.com/advisories/GHSA-qppj-fm5r-hxr3
https://github.com/apache/httpd-site/pull/10
https://github.com/projectcontour/contour/pull/5826
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632
https://github.com/line/armeria/pull/5232
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/
https://security.paloaltonetworks.com/CVE-2023-44487
https://github.com/akka/akka-http/issues/4323
https://github.com/openresty/openresty/issues/930
https://github.com/apache/apisix/issues/10320
https://github.com/Azure/AKS/issues/3947
https://github.com/Kong/kong/discussions/11741
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/
https://github.com/caddyserver/caddy/releases/tag/v2.7.5
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis