HTTP/2 DoS via Stream Reset in nginx
CVE-2023-44487 Published on October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Github Repository Github Repository Github Repository Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Known Exploited Vulnerability

This HTTP/2 Rapid Reset Attack Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).

The following remediation steps are recommended / required by October 31, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-44487 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2023-44487 has been classified to as a Resource Exhaustion vulnerability or weakness.


Products Associated with CVE-2023-44487

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-44487 are published in these products:

Amazon Aws
 
Ietf Http
 
Nghttp2
 
Netty
 
Envoyproxy Envoy
 
Eclipse Jetty
 
Caddy Server Caddy Web Server
 
GoLang Http2
 
GoLang Go
 
GoLang Networking
 
F5 Networks Big Ip Analytics
 
F5 Networks Big Ip Policy Enforcement Manager
 
F5 Networks Big Ip Local Traffic Manager
 
F5 Networks Big Ip Link Controller
 
F5 Networks Big Ip Global Traffic Manager
 
F5 Networks Big Ip Fraud Protection Service
 
F5 Networks Big Ip Domain Name System
 
F5 Networks Big Ip Application Security Manager
 
F5 Networks Big Ip Application Acceleration Manager
 
F5 Networks Big Ip Advanced Firewall Manager
 
F5 Networks Big Ip Access Policy Manager
 
F5 Networks Big Ip Advanced Web Application Firewall
 
F5 Networks Big Ip Application Visibility Reporting
 
F5 Networks Big Ip Carrier Grade Nat
 
F5 Networks Big Ip Ddos Hybrid Defender
 
F5 Networks Big Ip Ssl Orchestrator
 
F5 Networks Big Ip Webaccelerator
 
F5 Networks Big Ip Websafe
 
F5 Networks Nginx Plus
 
F5 Networks Big Ip Next
 
F5 Networks Big Ip Next Service Proxy Kubernetes
 
F5 Networks Nginx
 
F5 Networks Nginx Ingress Controller
 
Apache Tomcat
 
Apple Swift
 
Grpc
 
Microsoft Windows Server 2016
 
Microsoft Windows Server 2019
 
Microsoft Windows Server 2022
 
Microsoft Windows 10
 
Microsoft Windows 11
 
Microsoft Net
 
Microsoft Visual Studio 2022
 
Microsoft ASP.NET Core
 
nodejs node.js
 
Microsoft Cbl Mariner
 
Dena H2o
 
Facebook Proxygen
 
Apache Traffic Server
 
Amazon Opensearch Data Prepper
 
Microsoft Azure Kubernetes Service
 
Apache Apisix
 
Debian Linux
 
Kazu Yamamoto Http2
 
Istio
 
Varnishcacheproject Varnish Cache
 
Traefik
 
Projectcontour Contour
 
Linkerd
 
Linecorp Armeria
 
Red Hat Enterprise Linux (RHEL)
 
Red Hat Jboss Enterprise Application Platform
 
Red Hat Jboss Fuse
 
Red Hat Satellite
 
Red Hat Decision Manager
 
Red Hat Jboss Core Services
 
Red Hat Single Sign On
 
Red Hat Process Automation
 
Red Hat Jboss Data Grid
 
Red Hat Quay
 
Red Hat Openshift Container Platform
 
Red Hat Openstack Platform
 
Red Hat Advanced Cluster Management Kubernetes
 
Red Hat Build Of Quarkus
 
Red Hat Integration Service Registry
 
Red Hat Integration Camel K
 
Red Hat Openshift Service Mesh
 
Red Hat Jboss A Mq
 
Red Hat 3scale Api Management Platform
 
Red Hat Ceph Storage
 
Red Hat Ansible Automation Platform
 
Red Hat Integration Camel Spring Boot
 
Red Hat Migration Toolkit Applications
 
Red Hat Openshift Developer Tools Services
 
Red Hat Openshift Api Data Protection
 
Red Hat Openshift Serverless
 
Red Hat Build Of Optaplanner
 
Red Hat Openshift Data Science
 
Red Hat Advanced Cluster Security
 
Cert Manager Operator Red Hat Openshift
 
Red Hat Openshift Dev Spaces
 
Red Hat Cost Management
 
Red Hat Migration Toolkit Virtualization
 
Red Hat Jboss A Mq Streams
 
Red Hat Cryostat
 
Red Hat Network Observability Operator
 
Red Hat Node Healthcheck Operator
 
Red Hat Openshift Gitops
 
Red Hat Openshift Virtualization
 
Logging Subsystem Red Hat Openshift
 
Red Hat Openshift Pipelines
 
Red Hat Openshift Sandboxed Containers
 
Red Hat Openshift Secondary Scheduler Operator
 
Red Hat Openshift Container Platform Assisted Installer
 
Certification Red Hat Enterprise Linux
 
Red Hat Migration Toolkit Containers
 
Red Hat Openshift
 
Red Hat Run Once Duration Override Operator
 
Red Hat Service Interconnect
 
Red Hat Openshift Distributed Tracing
 
Red Hat Support For Spring Boot
 
Red Hat Web Terminal
 
Red Hat Node Maintenance Operator
 
Red Hat Machine Deletion Remediation Operator
 
Red Hat Fence Agents Remediation Operator
 
Red Hat Self Node Remediation Operator
 
Fedora Project Fedora
 
NetApp Astra Control Center
 
Akka Http Server
 
Konghq Kong Gateway
 
Canonical Ubuntu Linux
 
Jenkins
 
Apache Solr
 
Openresty
 
Cisco Unified Contact Center Enterprise
 
Cisco Prime Infrastructure
 
Cisco Secure Malware Analytics
 
Cisco Secure Dynamic Attributes Connector
 
Cisco Firepower Threat Defense
 
Cisco Fog Director
 
Cisco IOS XE
 
Cisco Prime Network Registrar
 
Cisco Prime Cable Provisioning
 
Cisco Prime Access Registrar
 
Cisco Data Center Network Manager
 
Cisco Iot Field Network Director
 
Cisco Ios Xr
 
Cisco Crosswork Zero Touch Provisioning
 
Cisco Crosswork Data Gateway
 
Cisco Expressway
 
Cisco Connected Mobile Experiences
 
Cisco Telepresence Video Communication Server
 
Cisco Unified Contact Center Domain Manager
 
Cisco Unified Contact Center Enterprise Live Data Server
 
Cisco Unified Contact Center Management Portal
 
Cisco Unified Attendant Console Advanced
 
Cisco Enterprise Chat And Email
 
Cisco Ultra Cloud Core Session Management Function
 
Cisco Ultra Cloud Core Serving Gateway Function
 
Cisco Ultra Cloud Core Policy Control Function
 
NetApp Oncommand Insight
 
Apache HTTP Server
 
Oracle
 
Cisco Business Process Automation
 
Cisco Crosswork Situation Manager
 
nginx
 

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-44487

Package Manager Vulnerable Package Versions Fixed In
maven io.netty:netty-codec-http2 < 4.1.100.Final 4.1.100.Final
maven io.netty:netty-codec-http2 >= 4.2.0.Alpha1, <= 4.2.3.Final 4.2.4.Final
maven io.netty:netty-codec-http2 <= 4.1.123.Final 4.1.124.Final
maven org.eclipse.jetty.http2:http2-common >= 9.3.0, <= 9.4.57 9.4.58
maven org.eclipse.jetty.http2:http2-common >= 10.0.0, <= 10.0.25 10.0.26
maven org.eclipse.jetty.http2:http2-common >= 11.0.0, <= 11.0.25 11.0.26
maven org.eclipse.jetty.http2:jetty-http2-common >= 12.0.0, <= 12.0.24 12.0.25
maven org.eclipse.jetty.http2:jetty-http2-common >= 12.1.0.alpha0, <= 12.1.0.beta2 12.1.0.beta3

Exploit Probability

EPSS
94.49%
Percentile
100.00%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.