CVE-2023-44487

Updated: 2024-08-14 22:24:35.744941

Description:

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.



Severity

Metric            Score
CVSS Version 2.x  0 (no v2 score assigned)
CVSS Version 3.x  HIGH 7.5

Known exploits

Added date:   2023-10-10
Description:  HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
Due date:     2023-10-31
Notes:        This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Status

OS name            Project   Version   Score  Severity  Status          Errata                Last updated
AlmaLinux 9.2 ESU  httpd     2.4.53    7.5    HIGH      Not Vulnerable  -                     2024-06-20 05:58:18
CentOS 6 ELS       httpd     2.2.15    7.5    HIGH      Not Vulnerable  -                     2023-10-17 09:28:55
CentOS 6 ELS       tomcat6   6.0.24    7.5    HIGH      Ignored         -                     2023-10-19 09:29:03
CentOS 6 ELS       nginx     1.10.3    7.5    HIGH      Released        CLSA-2023:1698101447  2023-11-06 04:09:29
CentOS 6 ELS       haproxy   1.5.18    7.5    HIGH      Ignored         -                     2023-10-19 09:29:07
CentOS 7 ELS       tomcat    7.0.76    7.5    HIGH      Not Vulnerable  -                     2024-04-11 10:04:00
CentOS 7 ELS       nginx     1.20.1    7.5    HIGH      Released        CLSA-2024:1715280815  2024-05-29 10:11:38
CentOS 7 ELS       httpd     2.4.6     7.5    HIGH      Not Vulnerable  -                     2023-10-27 09:33:23
CentOS 8.4 ELS     nginx     1.14.1-9  7.5    HIGH      Released        CLSA-2023:1698690146  2023-10-30 17:09:13
CentOS 8.4 ELS     haproxy   1.8.27-2  7.5    HIGH      Already Fixed   -                     2024-05-22 17:29:19
Total: 36 entries (first 10 shown)

Statement

The nginx developers disagree with the vulnerability status: the problem is inherent in HTTP/2, and its impact is bounded by the sane default values of "http2_max_concurrent_streams" (maximum number of concurrent streams per connection, 128 by default) and "keepalive_requests" (maximum number of requests per connection; 100 by default in nginx 1.14.1 as shipped in CentOS Stream 8, but 1000 in 1.19.10 and above).
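The description at the top of this page gives the mechanism (a client opens a stream and immediately cancels it, so the server does the work of a request while the client's concurrency slot is freed at once), and the statement above names the two nginx limits that bound it. The Python block below is an added example, not code from this page, the vendor or the nginx project. It parses raw HTTP/2 frames, keeps the bookkeeping a server holds per connection, and applies three controls: the stream-concurrency limit (the role of http2_max_concurrent_streams, 128), the per-connection request ceiling (the role of keepalive_requests, 1000), and a burst limit on new streams per read, which is the kind of check servers added after this CVE. Frame layout, type codes, the odd client stream identifiers and the CANCEL error code follow RFC 9113; the 2x burst ratio, the function names and the constructed traffic are assumptions made for the illustration (the HEADERS frames carry no HPACK block, so they are not valid requests, only valid frames).

```python
"""Added example for CVE-2023-44487 (not vendor or nginx code): HTTP/2 frame
accounting with the controls a server applies per connection.  Frame format
and codes follow RFC 9113; thresholds and traffic are assumed for illustration."""
import struct

HEADERS = 0x1      # frame type that opens a stream (RFC 9113 s6.2)
RST_STREAM = 0x3   # frame type that abruptly terminates a stream (s6.4)
END_STREAM = 0x1   # HEADERS flag: no request body follows
CANCEL = 0x8       # error code a client uses to abandon a request (s7)


def frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit plus 31-bit stream identifier, then the payload (s4.1)."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield ftype, flags, stream_id, payload
        off += 9 + length


def inspect_read(data, max_concurrent_streams=128, max_requests=1000,
                 burst_ratio=2):
    """Server-side bookkeeping for the frames received in ONE read from a
    connection (the analogue of one event-loop iteration).  Controls:
      * max_concurrent_streams: more streams open at once than allowed;
      * max_requests: total streams on the connection (keepalive_requests);
      * burst limit, assumed as burst_ratio * max_concurrent_streams NEW
        streams per read, regardless of how many were already reset;
        pass burst_ratio=None to disable it.
    Returns counters and a verdict: "ok", "concurrency_exceeded",
    "request_limit" (a normal close) or "rapid_reset" (abusive client)."""
    burst_limit = None if burst_ratio is None else burst_ratio * max_concurrent_streams
    open_streams, last_sid = set(), 0
    opened = cancelled = peak = 0
    verdict = "ok"
    for ftype, flags, sid, payload in parse_frames(data):
        # client streams use increasing odd identifiers (s5.1.1)
        if ftype == HEADERS and sid % 2 == 1 and sid > last_sid:
            last_sid = sid
            open_streams.add(sid)
            opened += 1
            peak = max(peak, len(open_streams))
            if opened > max_requests:
                verdict = "request_limit"
                break
            if len(open_streams) > max_concurrent_streams:
                verdict = "concurrency_exceeded"
                break
            if burst_limit is not None and opened > burst_limit:
                verdict = "rapid_reset"
                break
        elif ftype == RST_STREAM and sid in open_streams:
            # a reset frees the concurrency slot immediately, which is what
            # lets the stream limit alone be bypassed
            open_streams.discard(sid)
            cancelled += 1
    return {"opened": opened, "cancelled": cancelled,
            "peak_concurrent": peak, "verdict": verdict}


def client_requests(n, cancel_each=False):
    """Constructed traffic: n client streams 1, 3, 5, ...  With cancel_each,
    every HEADERS is followed at once by RST_STREAM(CANCEL), the pattern the
    CVE description calls rapid request cancellation."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, sid, flags=END_STREAM)
        if cancel_each:
            out += frame(RST_STREAM, sid, struct.pack("!I", CANCEL))
    return out


if __name__ == "__main__":
    for label, data in [("50 plain requests", client_requests(50)),
                        ("200 plain requests", client_requests(200)),
                        ("1000 cancelled requests", client_requests(1000, True))]:
        print(label, inspect_read(data))
```

Running the block puts the statement's point in numbers: 200 plain requests trip the concurrency limit at stream 129, while 1000 cancelled requests never have more than one stream open, so the stream limit never fires; with the burst check disabled they are stopped only by the keepalive_requests ceiling, and with it enabled the connection is dropped at the 257th stream.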