CVE-2023-44487 vulnerability in Amazon and Other Products
Published on October 10, 2023
Known Exploited Vulnerability
This HTTP/2 Rapid Reset Attack Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
The following remediation steps are recommended / required by October 31, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-44487 can be exploited with network access and requires neither privileges nor user interaction. The attack complexity is rated low, and the exploitability subscore is the highest possible (3.9). A successful exploit has no impact on confidentiality or integrity but a high impact on availability.
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2023-44487 has been classified as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2023-44487
What versions are vulnerable to CVE-2023-44487?
- IETF HTTP Version 2.0
- Nghttp2 Fixed in Version 1.57.0
- Netty Fixed in Version 4.1.100
- Envoyproxy Envoy Version 1.27.0
- Envoyproxy Envoy Version 1.26.4
- Envoyproxy Envoy Version 1.25.9
- Envoyproxy Envoy Version 1.24.10
- Eclipse Jetty Version 12.0.0 Fixed in Version 12.0.2
- Eclipse Jetty Version 11.0.0 Fixed in Version 11.0.17
- Eclipse Jetty Version 10.0.0 Fixed in Version 10.0.17
- Eclipse Jetty Fixed in Version 9.4.53
- Caddy Server Caddy Web Server Fixed in Version 2.7.5
- GoLang Http2 Fixed in Version 0.17.0 (go)
- GoLang Go Version 1.21.0 Fixed in Version 1.21.3
- GoLang Go Fixed in Version 1.20.10
- GoLang Networking Fixed in Version 0.17.0 (go)
- F5 Networks Big Ip Analytics Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Policy Enforcement Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Local Traffic Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Link Controller Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Global Traffic Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Fraud Protection Service Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Domain Name System Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Application Security Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Application Acceleration Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Advanced Firewall Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Access Policy Manager Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Advanced Web Application Firewall Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Application Visibility Reporting Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Carrier Grade Nat Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Ddos Hybrid Defender Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Ssl Orchestrator Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Webaccelerator Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Websafe Version 13.1.0 through 13.1.5
- F5 Networks Big Ip Advanced Firewall Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Analytics Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Access Policy Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Application Security Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Domain Name System Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Fraud Protection Service Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Global Traffic Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Link Controller Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Local Traffic Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Policy Enforcement Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Application Acceleration Manager Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Access Policy Manager Version 17.1.0
- F5 Networks Big Ip Advanced Firewall Manager Version 17.1.0
- F5 Networks Big Ip Advanced Web Application Firewall Version 17.1.0
- F5 Networks Big Ip Analytics Version 17.1.0
- F5 Networks Big Ip Application Acceleration Manager Version 17.1.0
- F5 Networks Big Ip Application Security Manager Version 17.1.0
- F5 Networks Big Ip Application Visibility Reporting Version 17.1.0
- F5 Networks Big Ip Carrier Grade Nat Version 17.1.0
- F5 Networks Big Ip Ddos Hybrid Defender Version 17.1.0
- F5 Networks Big Ip Domain Name System Version 17.1.0
- F5 Networks Big Ip Fraud Protection Service Version 17.1.0
- F5 Networks Big Ip Global Traffic Manager Version 17.1.0
- F5 Networks Big Ip Link Controller Version 17.1.0
- F5 Networks Big Ip Local Traffic Manager Version 17.1.0
- F5 Networks Big Ip Policy Enforcement Manager Version 17.1.0
- F5 Networks Big Ip Ssl Orchestrator Version 17.1.0
- F5 Networks Big Ip Webaccelerator Version 17.1.0
- F5 Networks Big Ip Websafe Version 17.1.0
- F5 Networks Big Ip Advanced Web Application Firewall Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Application Visibility Reporting Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Carrier Grade Nat Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Ddos Hybrid Defender Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Ssl Orchestrator Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Webaccelerator Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Websafe Version 14.1.0 through 14.1.5
- F5 Networks Big Ip Access Policy Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Access Policy Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Advanced Firewall Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Advanced Firewall Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Advanced Web Application Firewall Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Advanced Web Application Firewall Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Analytics Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Analytics Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Application Acceleration Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Application Acceleration Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Application Security Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Application Security Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Application Visibility Reporting Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Application Visibility Reporting Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Carrier Grade Nat Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Carrier Grade Nat Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Ddos Hybrid Defender Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Ddos Hybrid Defender Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Domain Name System Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Domain Name System Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Fraud Protection Service Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Fraud Protection Service Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Global Traffic Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Global Traffic Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Link Controller Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Link Controller Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Local Traffic Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Local Traffic Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Policy Enforcement Manager Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Policy Enforcement Manager Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Ssl Orchestrator Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Ssl Orchestrator Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Webaccelerator Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Webaccelerator Version 16.1.0 through 16.1.4
- F5 Networks Big Ip Websafe Version 15.1.0 through 15.1.10
- F5 Networks Big Ip Websafe Version 16.1.0 through 16.1.4
- F5 Networks Nginx Plus Version r30
- F5 Networks Nginx Plus Version r25 Fixed in Version r29
- F5 Networks Nginx Plus Version r29
- F5 Networks Big Ip Next Version 20.0.1
- F5 Networks Big Ip Next Service Proxy Kubernetes Version 1.5.0 through 1.8.2
- F5 Networks Nginx Version 1.9.5 through 1.25.2
- F5 Networks Nginx Ingress Controller Version 2.0.0 through 2.4.2
- F5 Networks Nginx Ingress Controller Version 3.0.0 through 3.3.0
- Apache Tomcat Version 11.0.0 milestone1
- Apache Tomcat Version 11.0.0 milestone2
- Apache Tomcat Version 11.0.0 milestone3
- Apache Tomcat Version 11.0.0 milestone4
- Apache Tomcat Version 11.0.0 milestone5
- Apache Tomcat Version 11.0.0 milestone6
- Apache Tomcat Version 11.0.0 milestone7
- Apache Tomcat Version 11.0.0 milestone8
- Apache Tomcat Version 11.0.0 milestone9
- Apache Tomcat Version 11.0.0 milestone10
- Apache Tomcat Version 11.0.0 milestone11
- Apache Tomcat Version 9.0.0 through 9.0.80
- Apache Tomcat Version 8.5.0 through 8.5.93
- Apache Tomcat Version 10.1.0 through 10.1.13
- Apple Swiftnio Http2 Fixed in Version 1.28.0 (swift)
- Grpc Version 1.57.0 (go)
- Grpc Version 1.58.0 Fixed in Version 1.58.3 (go)
- Grpc Fixed in Version 1.56.3 (go)
- Grpc Up to Version 1.59.2
- Microsoft Windows Server 2016 Version -
- Microsoft Windows Server 2019 Version -
- Microsoft Windows Server 2022 Version -
- Microsoft Windows 10 22h2 Fixed in Version 10.0.19045.3570
- Microsoft Windows 10 1809 Fixed in Version 10.0.17763.4974
- Microsoft Windows 11 21h2 Fixed in Version 10.0.22000.2538
- Microsoft Windows 11 22h2 Fixed in Version 10.0.22621.2428
- Microsoft Windows 10 1607 Fixed in Version 10.0.14393.6351 x86
- Microsoft Windows 10 1607 Fixed in Version 10.0.14393.6351 x64
- Microsoft Net Version 7.0.0 Fixed in Version 7.0.12
- Microsoft Windows 10 21h2 Fixed in Version 10.0.19044.3570
- Microsoft Visual Studio 2022 Version 17.7 Fixed in Version 17.7.5
- Microsoft Visual Studio 2022 Version 17.6 Fixed in Version 17.6.8
- Microsoft Visual Studio 2022 Version 17.4 Fixed in Version 17.4.12
- Microsoft Visual Studio 2022 Version 17.0 Fixed in Version 17.2.20
- Microsoft ASP.NET Core Version 6.0.0 Fixed in Version 6.0.23
- Microsoft ASP.NET Core Version 7.0.0 Fixed in Version 7.0.12
- Microsoft Net Version 6.0.0 Fixed in Version 6.0.23
- Microsoft Azure Kubernetes Service Fixed in Version 2023-10-08
- nodejs node.js Version 18.0.0 Fixed in Version 18.18.2
- nodejs node.js Version 20.0.0 Fixed in Version 20.8.1
- Microsoft Cbl Mariner Fixed in Version 2023-10-11
- Dena H2o Fixed in Version 2023-10-10
- Facebook Proxygen Fixed in Version 2023.10.16.00
- Apache Traffic Server Version 9.0.0 Fixed in Version 9.2.3
- Apache Traffic Server Version 8.0.0 Fixed in Version 8.1.9
- Apache Apisix Fixed in Version 3.6.1
- Amazon Opensearch Data Prepper Fixed in Version 2.5.0
- Debian Linux Version 10.0
- Debian Linux Version 11.0
- Debian Linux Version 12.0
- Kazu Yamamoto Http2 Fixed in Version 4.2.2
- Istio Version 1.19.0 Fixed in Version 1.19.1
- Istio Version 1.18.0 Fixed in Version 1.18.3
- Istio Fixed in Version 1.17.6
- Varnishcacheproject Varnish Cache Fixed in Version 2023-10-10
- Traefik Version 3.0.0 beta3
- Traefik Version 3.0.0 beta2
- Traefik Version 3.0.0 beta1
- Traefik Fixed in Version 2.10.5
- Projectcontour Contour Fixed in Version 2023-10-11 (kubernetes)
- Linkerd Version 2.13.0 (kubernetes)
- Linkerd Version 2.13.1 (kubernetes)
- Linkerd Version 2.14.0 (kubernetes)
- Linkerd Version 2.14.1 (kubernetes)
- Linkerd Version 2.12.0 through 2.12.5 (kubernetes)
- Linecorp Armeria Fixed in Version 1.26.0
- Red Hat Enterprise Linux (RHEL) Version 6.0
- Red Hat Jboss Enterprise Application Platform Version 6.0.0
- Red Hat Jboss Fuse Version 6.0.0
- Red Hat Satellite Version 6.0
- Red Hat Jboss Enterprise Application Platform Version 7.0.0
- Red Hat Decision Manager Version 7.0
- Red Hat Jboss Core Services Version -
- Red Hat Enterprise Linux (RHEL) Version 8.0
- Red Hat Single Sign On Version 7.0
- Red Hat Jboss Fuse Version 7.0.0
- Red Hat Process Automation Version 7.0
- Red Hat Jboss Data Grid Version 7.0.0
- Red Hat Quay Version 3.0.0
- Red Hat Openshift Container Platform Version 4.0
- Red Hat Openstack Platform Version 16.1
- Red Hat Advanced Cluster Management Kubernetes Version 2.0
- Red Hat Build Of Quarkus Version -
- Red Hat Integration Service Registry Version -
- Red Hat Integration Camel K Version -
- Red Hat Openshift Service Mesh Version 2.0
- Red Hat Jboss A Mq Version 7
- Red Hat 3scale Api Management Platform Version 2.0
- Red Hat Ceph Storage Version 5.0
- Red Hat Openstack Platform Version 16.2
- Red Hat Enterprise Linux (RHEL) Version 9.0
- Red Hat Ansible Automation Platform Version 2.0
- Red Hat Integration Camel Spring Boot Version -
- Red Hat Migration Toolkit Applications Version 6.0
- Red Hat Openshift Developer Tools Services Version -
- Red Hat Openshift Api Data Protection Version -
- Red Hat Openshift Serverless Version -
- Red Hat Build Of Optaplanner Version 8.0
- Red Hat Openshift Data Science Version -
- Red Hat Advanced Cluster Security Version 4.0
- Red Hat Advanced Cluster Security Version 3.0
- Cert Manager Operator Red Hat Openshift Version -
- Red Hat Openshift Dev Spaces Version -
- Red Hat Cost Management Version -
- Red Hat Migration Toolkit Virtualization Version -
- Red Hat Jboss A Mq Streams Version -
- Red Hat Cryostat Version 2.0
- Red Hat Network Observability Operator Version -
- Red Hat Node Healthcheck Operator Version -
- Red Hat Openshift Gitops Version -
- Red Hat Openshift Virtualization Version 4
- Logging Subsystem Red Hat Openshift Version -
- Red Hat Openshift Pipelines Version -
- Red Hat Openshift Sandboxed Containers Version -
- Red Hat Openshift Secondary Scheduler Operator Version -
- Red Hat Openshift Container Platform Assisted Installer Version -
- Certification Red Hat Enterprise Linux Version 9.0
- Certification Red Hat Enterprise Linux Version 8.0
- Red Hat Migration Toolkit Containers Version -
- Red Hat Openstack Platform Version 17.1
- Red Hat Openshift Version - (aws)
- Red Hat Run Once Duration Override Operator Version -
- Red Hat Service Interconnect Version 1.0
- Red Hat Openshift Distributed Tracing Version -
- Red Hat Support For Spring Boot Version -
- Red Hat Web Terminal Version -
- Red Hat Node Maintenance Operator Version -
- Red Hat Machine Deletion Remediation Operator Version -
- Red Hat Fence Agents Remediation Operator Version -
- Red Hat Self Node Remediation Operator Version -
Each of the following must match for the vulnerability to exist.
- Fedora Project Fedora Version 37
- Fedora Project Fedora Version 38
- NetApp Astra Control Center Version -
- Akka Http Server Fixed in Version 10.5.3
- Konghq Kong Gateway Fixed in Version 3.4.2
- Jenkins Up to Version 2.427
- Jenkins Up to Version 2.414.2
- Apache Solr Fixed in Version 9.4.0
- Openresty Fixed in Version 1.21.4.3
- Cisco Unified Contact Center Enterprise Version -
- Cisco Prime Infrastructure Fixed in Version 3.10.4
- Cisco Secure Malware Analytics Fixed in Version 2.19.2
- Cisco Secure Dynamic Attributes Connector Fixed in Version 2.2.0
- Cisco Firepower Threat Defense Fixed in Version 7.4.2
- Cisco Fog Director Fixed in Version 1.22
- Cisco IOS XE Fixed in Version 17.15.1
- Cisco Prime Network Registrar Fixed in Version 11.2
- Cisco Prime Cable Provisioning Fixed in Version 7.2.1
- Cisco Prime Access Registrar Fixed in Version 9.3.3
- Cisco Data Center Network Manager Version -
- Cisco Iot Field Network Director Fixed in Version 4.11.0
- Cisco Ios Xr Fixed in Version 7.11.2
- Cisco Crosswork Zero Touch Provisioning Fixed in Version 6.0.0
- Cisco Crosswork Data Gateway Version 5.0
- Cisco Crosswork Data Gateway Fixed in Version 4.1.3
- Cisco Expressway Fixed in Version x14.3.3
- Cisco Connected Mobile Experiences Fixed in Version 11.1
- Cisco Telepresence Video Communication Server Fixed in Version x14.3.3
- Cisco Unified Contact Center Domain Manager Version -
- Cisco Unified Contact Center Enterprise Live Data Server Fixed in Version 12.6.2
- Cisco Unified Contact Center Management Portal Version -
- Cisco Unified Attendant Console Advanced Version -
- Cisco Enterprise Chat And Email Version -
- Cisco Ultra Cloud Core Session Management Function Fixed in Version 2024.02.0
- Cisco Ultra Cloud Core Serving Gateway Function Fixed in Version 2024.02.0
- Cisco Ultra Cloud Core Policy Control Function Fixed in Version 2024.01.0
- Cisco Ultra Cloud Core Policy Control Function Version 2024.01.0
Vulnerable Packages
The following package names and versions may be associated with CVE-2023-44487.
Package Manager | Vulnerable Package | Versions | Fixed In |
---|---|---|---|
maven | io.netty:netty-codec-http2 | < 4.1.100.Final | 4.1.100.Final |