CVE-2023-44487 vulnerability in Amazon and Other Products
Published on October 10, 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Github Repository
Github Repository
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
Vendor Advisory
NVD
Known Exploited Vulnerability
This HTTP/2 Rapid Reset Attack Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
The following remediation steps are recommended / required by October 31, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-44487 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2023-44487 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2023-44487
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-44487 are published in these products:
What versions are vulnerable to CVE-2023-44487?
-
Ietf Http
Version 2.0
-
Nghttp2
Fixed in Version 1.57.0
-
Netty
Fixed in Version 4.1.100
-
Envoyproxy Envoy
Version 1.27.0
-
Envoyproxy Envoy
Version 1.26.4
-
Envoyproxy Envoy
Version 1.25.9
-
Envoyproxy Envoy
Version 1.24.10
-
Eclipse Jetty
Version 12.0.0
Fixed in Version 12.0.2
-
Eclipse Jetty
Version 11.0.0
Fixed in Version 11.0.17
-
Eclipse Jetty
Version 10.0.0
Fixed in Version 10.0.17
-
Eclipse Jetty
Fixed in Version 9.4.53
-
Caddy Server Caddy Web Server
Fixed in Version 2.7.5
-
GoLang Http2
Fixed in Version 0.17.0
go
-
GoLang Go
Version 1.21.0
Fixed in Version 1.21.3
-
GoLang Go
Fixed in Version 1.20.10
-
GoLang Networking
Fixed in Version 0.17.0
go
-
F5 Networks Big Ip Analytics Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Policy Enforcement Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Local Traffic Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Link Controller Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Global Traffic Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Fraud Protection Service Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Domain Name System Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Application Security Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Application Acceleration Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Advanced Firewall Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Access Policy Manager Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Advanced Web Application Firewall Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Application Visibility Reporting Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Carrier Grade Nat Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Ddos Hybrid Defender Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Ssl Orchestrator Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Webaccelerator Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Websafe Version 13.1.0 through 13.1.5
-
F5 Networks Big Ip Advanced Firewall Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Analytics Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Access Policy Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Application Security Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Domain Name System Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Fraud Protection Service Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Global Traffic Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Link Controller Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Local Traffic Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Policy Enforcement Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Application Acceleration Manager Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Access Policy Manager Version 17.1.0
-
F5 Networks Big Ip Advanced Firewall Manager Version 17.1.0
-
F5 Networks Big Ip Advanced Web Application Firewall Version 17.1.0
-
F5 Networks Big Ip Analytics Version 17.1.0
-
F5 Networks Big Ip Application Acceleration Manager Version 17.1.0
-
F5 Networks Big Ip Application Security Manager Version 17.1.0
-
F5 Networks Big Ip Application Visibility Reporting Version 17.1.0
-
F5 Networks Big Ip Carrier Grade Nat Version 17.1.0
-
F5 Networks Big Ip Ddos Hybrid Defender Version 17.1.0
-
F5 Networks Big Ip Domain Name System Version 17.1.0
-
F5 Networks Big Ip Fraud Protection Service Version 17.1.0
-
F5 Networks Big Ip Global Traffic Manager Version 17.1.0
-
F5 Networks Big Ip Link Controller Version 17.1.0
-
F5 Networks Big Ip Local Traffic Manager Version 17.1.0
-
F5 Networks Big Ip Policy Enforcement Manager Version 17.1.0
-
F5 Networks Big Ip Ssl Orchestrator Version 17.1.0
-
F5 Networks Big Ip Webaccelerator Version 17.1.0
-
F5 Networks Big Ip Websafe Version 17.1.0
-
F5 Networks Big Ip Advanced Web Application Firewall Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Application Visibility Reporting Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Carrier Grade Nat Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Ddos Hybrid Defender Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Ssl Orchestrator Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Webaccelerator Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Websafe Version 14.1.0 through 14.1.5
-
F5 Networks Big Ip Access Policy Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Access Policy Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Advanced Firewall Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Advanced Firewall Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Advanced Web Application Firewall Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Advanced Web Application Firewall Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Analytics Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Analytics Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Application Acceleration Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Application Acceleration Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Application Security Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Application Security Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Application Visibility Reporting Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Application Visibility Reporting Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Carrier Grade Nat Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Carrier Grade Nat Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Ddos Hybrid Defender Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Ddos Hybrid Defender Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Domain Name System Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Domain Name System Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Fraud Protection Service Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Fraud Protection Service Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Global Traffic Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Global Traffic Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Link Controller Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Link Controller Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Local Traffic Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Local Traffic Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Policy Enforcement Manager Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Policy Enforcement Manager Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Ssl Orchestrator Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Ssl Orchestrator Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Webaccelerator Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Webaccelerator Version 16.1.0 through 16.1.4
-
F5 Networks Big Ip Websafe Version 15.1.0 through 15.1.10
-
F5 Networks Big Ip Websafe Version 16.1.0 through 16.1.4
-
F5 Networks Nginx Plus Version r30 -
-
F5 Networks Nginx Plus Version r25 Fixed in Version r29
-
F5 Networks Nginx Plus Version r29 -
-
F5 Networks Big Ip Next Version 20.0.1
-
F5 Networks Big Ip Next Service Proxy Kubernetes Version 1.5.0 through 1.8.2
-
F5 Networks Nginx Version 1.9.5 through 1.25.2
-
F5 Networks Nginx Ingress Controller Version 2.0.0 through 2.4.2
-
F5 Networks Nginx Ingress Controller Version 3.0.0 through 3.3.0
-
Apache Tomcat
Version 11.0.0
milestone1
-
Apache Tomcat
Version 11.0.0
milestone2
-
Apache Tomcat
Version 11.0.0
milestone4
-
Apache Tomcat
Version 11.0.0
milestone3
-
Apache Tomcat
Version 11.0.0
milestone5
-
Apache Tomcat
Version 11.0.0
milestone7
-
Apache Tomcat
Version 11.0.0
milestone8
-
Apache Tomcat
Version 11.0.0
milestone9
-
Apache Tomcat
Version 11.0.0
milestone10
-
Apache Tomcat
Version 11.0.0
milestone6
-
Apache Tomcat
Version 11.0.0
milestone11
-
Apache Tomcat
Version 9.0.0
through 9.0.80
-
Apache Tomcat
Version 8.5.0
through 8.5.93
-
Apache Tomcat
Version 10.1.0
through 10.1.13
-
Apple Swiftnio Http2
Fixed in Version 1.28.0
swift
-
Grpc
Version 1.57.0
-
go
-
Grpc
Version 1.58.0
Fixed in Version 1.58.3
go
-
Grpc
Fixed in Version 1.56.3
go
-
Grpc
Up to Version 1.59.2
-
-
Microsoft Windows Server 2016
Version -
-
Microsoft Windows Server 2019
Version -
-
Microsoft Windows Server 2022
Version -
-
Microsoft Windows 10 22h2
Fixed in Version 10.0.19045.3570
-
Microsoft Windows 10 1809
Fixed in Version 10.0.17763.4974
-
Microsoft Windows 11 21h2
Fixed in Version 10.0.22000.2538
-
Microsoft Windows 11 22h2
Fixed in Version 10.0.22621.2428
-
Microsoft Windows 10 1607
Fixed in Version 10.0.14393.6351
x86
-
Microsoft Windows 10 1607
Fixed in Version 10.0.14393.6351
x64
-
Microsoft Net
Version 7.0.0
Fixed in Version 7.0.12
-
Microsoft Windows 10 21h2
Fixed in Version 10.0.19044.3570
-
Microsoft Visual Studio 2022
Version 17.7
Fixed in Version 17.7.5
-
Microsoft Visual Studio 2022
Version 17.6
Fixed in Version 17.6.8
-
Microsoft Visual Studio 2022
Version 17.4
Fixed in Version 17.4.12
-
Microsoft Visual Studio 2022
Version 17.0
Fixed in Version 17.2.20
-
Microsoft ASP.NET Core
Version 6.0.0
Fixed in Version 6.0.23
-
Microsoft ASP.NET Core
Version 7.0.0
Fixed in Version 7.0.12
-
Microsoft Net
Version 6.0.0
Fixed in Version 6.0.23
-
Microsoft Azure Kubernetes Service
Fixed in Version 2023-10-08
-
nodejs node.js
Version 18.0.0
Fixed in Version 18.18.2
-
nodejs node.js
Version 20.0.0
Fixed in Version 20.8.1
-
Microsoft Cbl Mariner
Fixed in Version 2023-10-11
-
Dena H2o
Fixed in Version 2023-10-10
-
Facebook Proxygen
Fixed in Version 2023.10.16.00
-
Apache Traffic Server
Version 9.0.0
Fixed in Version 9.2.3
-
Apache Traffic Server
Version 8.0.0
Fixed in Version 8.1.9
-
Apache Apisix
Fixed in Version 3.6.1
-
Amazon Opensearch Data Prepper
Fixed in Version 2.5.0
-
Debian Linux
Version 10.0
-
Debian Linux
Version 11.0
-
Debian Linux
Version 12.0
-
Kazu Yamamoto Http2
Fixed in Version 4.2.2
-
Istio
Version 1.19.0
Fixed in Version 1.19.1
-
Istio
Version 1.18.0
Fixed in Version 1.18.3
-
Istio
Fixed in Version 1.17.6
-
Varnishcacheproject Varnish Cache
Fixed in Version 2023-10-10
-
Traefik
Version 3.0.0
beta3
-
Traefik
Version 3.0.0
beta2
-
Traefik
Version 3.0.0
beta1
-
Traefik
Fixed in Version 2.10.5
-
Projectcontour Contour
Fixed in Version 2023-10-11
kubernetes
-
Linkerd
Version 2.13.0
kubernetes
-
Linkerd
Version 2.13.1
kubernetes
-
Linkerd
Version 2.14.0
kubernetes
-
Linkerd
Version 2.14.1
kubernetes
-
Linkerd
Version 2.12.0
through 2.12.5
kubernetes
-
Linecorp Armeria
Fixed in Version 1.26.0
-
Red Hat Enterprise Linux (RHEL)
Version 6.0
-
Red Hat Jboss Enterprise Application Platform
Version 6.0.0
-
Red Hat Jboss Fuse
Version 6.0.0
-
Red Hat Satellite
Version 6.0
-
Red Hat Jboss Enterprise Application Platform
Version 7.0.0
-
Red Hat Decision Manager
Version 7.0
-
Red Hat Jboss Core Services
Version -
-
Red Hat Enterprise Linux (RHEL)
Version 8.0
-
Red Hat Single Sign On
Version 7.0
-
Red Hat Jboss Fuse
Version 7.0.0
-
Red Hat Process Automation
Version 7.0
-
Red Hat Jboss Data Grid
Version 7.0.0
-
Red Hat Quay
Version 3.0.0
-
Red Hat Openshift Container Platform
Version 4.0
-
Red Hat Openstack Platform
Version 16.1
-
Red Hat Advanced Cluster Management Kubernetes
Version 2.0
-
Red Hat Build Of Quarkus
Version -
-
Red Hat Integration Service Registry
Version -
-
Red Hat Integration Camel K
Version -
-
Red Hat Openshift Service Mesh
Version 2.0
-
Red Hat Jboss A Mq
Version 7
-
Red Hat 3scale Api Management Platform
Version 2.0
-
Red Hat Ceph Storage
Version 5.0
-
Red Hat Openstack Platform
Version 16.2
-
Red Hat Enterprise Linux (RHEL)
Version 9.0
-
Red Hat Ansible Automation Platform
Version 2.0
-
Red Hat Integration Camel Spring Boot
Version -
-
Red Hat Migration Toolkit Applications
Version 6.0
-
Red Hat Openshift Developer Tools Services
Version -
-
Red Hat Openshift Api Data Protection
Version -
-
Red Hat Openshift Serverless
Version -
-
Red Hat Build Of Optaplanner
Version 8.0
-
Red Hat Openshift Data Science
Version -
-
Red Hat Advanced Cluster Security
Version 4.0
-
Red Hat Advanced Cluster Security
Version 3.0
-
Cert Manager Operator Red Hat Openshift
Version -
-
Red Hat Openshift Dev Spaces
Version -
-
Red Hat Cost Management
Version -
-
Red Hat Migration Toolkit Virtualization
Version -
-
Red Hat Jboss A Mq Streams
Version -
-
Red Hat Cryostat
Version 2.0
-
Red Hat Network Observability Operator
Version -
-
Red Hat Node Healthcheck Operator
Version -
-
Red Hat Openshift Gitops
Version -
-
Red Hat Openshift Virtualization
Version 4
-
Logging Subsystem Red Hat Openshift
Version -
-
Red Hat Openshift Pipelines
Version -
-
Red Hat Openshift Sandboxed Containers
Version -
-
Red Hat Openshift Secondary Scheduler Operator
Version -
-
Red Hat Openshift Container Platform Assisted Installer
Version -
-
Certification Red Hat Enterprise Linux
Version 9.0
-
Certification Red Hat Enterprise Linux
Version 8.0
-
Red Hat Migration Toolkit Containers
Version -
-
Red Hat Openstack Platform
Version 17.1
-
Red Hat Openshift
Version -
aws
-
Red Hat Run Once Duration Override Operator
Version -
-
Red Hat Service Interconnect
Version 1.0
-
Red Hat Openshift Distributed Tracing
Version -
-
Red Hat Support For Spring Boot
Version -
-
Red Hat Web Terminal
Version -
-
Red Hat Node Maintenance Operator
Version -
-
Red Hat Machine Deletion Remediation Operator
Version -
-
Red Hat Fence Agents Remediation Operator
Version -
-
Red Hat Self Node Remediation Operator
Version -
Each of the following must match for the vulnerability to exist.
-
Fedora Project Fedora
Version 37
-
Fedora Project Fedora
Version 38
-
NetApp Astra Control Center
Version -
-
Akka Http Server
Fixed in Version 10.5.3
-
Konghq Kong Gateway
Fixed in Version 3.4.2
-
Jenkins
Up to Version 2.427
-
Jenkins
Up to Version 2.414.2
-
Apache Solr
Fixed in Version 9.4.0
-
Openresty
Fixed in Version 1.21.4.3
-
Cisco Unified Contact Center Enterprise
Version -
-
Cisco Prime Infrastructure
Fixed in Version 3.10.4
-
Cisco Secure Malware Analytics
Fixed in Version 2.19.2
-
Cisco Secure Dynamic Attributes Connector
Fixed in Version 2.2.0
-
Cisco Firepower Threat Defense
Fixed in Version 7.4.2
-
Cisco Fog Director
Fixed in Version 1.22
-
Cisco IOS XE
Fixed in Version 17.15.1
-
Cisco Prime Network Registrar
Fixed in Version 11.2
-
Cisco Prime Cable Provisioning
Fixed in Version 7.2.1
-
Cisco Prime Access Registrar
Fixed in Version 9.3.3
-
Cisco Data Center Network Manager
Version -
-
Cisco Iot Field Network Director
Fixed in Version 4.11.0
-
Cisco Ios Xr
Fixed in Version 7.11.2
-
Cisco Crosswork Zero Touch Provisioning
Fixed in Version 6.0.0
-
Cisco Crosswork Data Gateway
Version 5.0
-
Cisco Crosswork Data Gateway
Fixed in Version 4.1.3
-
Cisco Expressway
Fixed in Version x14.3.3
-
Cisco Connected Mobile Experiences
Fixed in Version 11.1
-
Cisco Telepresence Video Communication Server
Fixed in Version x14.3.3
-
Cisco Unified Contact Center Domain Manager
Version -
-
Cisco Unified Contact Center Enterprise Live Data Server
Fixed in Version 12.6.2
-
Cisco Unified Contact Center Management Portal
Version -
-
Cisco Unified Attendant Console Advanced
Version -
-
Cisco Enterprise Chat And Email
Version -
-
Cisco Ultra Cloud Core Session Management Function
Fixed in Version 2024.02.0
-
Cisco Ultra Cloud Core Serving Gateway Function
Fixed in Version 2024.02.0
-
Cisco Ultra Cloud Core Policy Control Function
Fixed in Version 2024.01.0
-
Cisco Ultra Cloud Core Policy Control Function
Version 2024.01.0
Each of the following must match for the vulnerability to exist.
Each of the following must match for the vulnerability to exist.
Each of the following must match for the vulnerability to exist.
Vulnerable Packages
The following package name and versions may be associated with CVE-2023-44487
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | io.netty:netty-codec-http2 | < 4.1.100.Final | 4.1.100.Final |