Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2023-44487

Опубликовано: 10 окт. 2023
Источник: debian

Описание

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
tomcat9fixed9.0.70-2package
tomcat10fixed10.1.14-1package
trafficserverfixed9.2.3+ds-1package
grpcunfixedpackage
grpcno-dsabookwormpackage
grpcno-dsabullseyepackage
grpcno-dsabusterpackage
h2ofixed2.2.5+dfsg2-8package
h2ono-dsabookwormpackage
h2opostponedbullseyepackage
haproxyfixed1.8.13-1package
nginxfixed1.24.0-2package
nghttp2fixed1.57.0-1package
jetty9fixed9.4.53-1package
nettyfixed1:4.1.48-8package
dnsdistfixed1.8.2-2package
dnsdistno-dsabookwormpackage
dnsdistno-dsabullseyepackage
dnsdistnot-affectedbusterpackage
varnishfixed7.5.0-1package
varnishignoredbookwormpackage
varnishignoredbullseyepackage

Примечания

  • Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)

  • Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)

  • Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version

  • ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q

  • ATS: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)

  • ATS: https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.9)

  • grpc: https://github.com/grpc/grpc/pull/34763

  • h2o: https://github.com/h2o/h2o/commit/28fe15117b909588bf14269a0e1c6ec4548579fe

  • dnsdist: h2o change breaks the ABI, hence dnsdist switched to a vendored fix in 1.8.2-2

  • haproxy: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dcdf32a2cb263c5bd22b7fc98698ce59a (v1.9-dev1)

  • haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44134.html

  • haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44136.html

  • nginx: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html

  • nginx: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9

  • nghttp2: https://github.com/nghttp2/nghttp2/pull/1961

  • nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg

  • nghttp2: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 (v1.57.0)

  • jetty9: https://github.com/eclipse/jetty.project/issues/10679

  • jetty9: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009

  • https://www.openwall.com/lists/oss-security/2023/10/10/6

  • https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

  • Go uses CVE-2023-39325 to track this

  • netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p

  • netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)

  • varnish: https://varnish-cache.org/security/VSV00013.html

  • varnish: https://github.com/varnishcache/varnish-cache/issues/3996

  • https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2023-44487

  • Unaffected implementations not requiring code changes:

  • - rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected

  • - apache2: https://chaos.social/@icing/111210915918780532

  • - lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9

Связанные уязвимости

ubuntu логотип

CVE-2023-44487

CVSS3: 7.5
ubuntu
больше 1 года назад

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

redhat логотип

CVE-2023-44487

CVSS3: 7.5
redhat
больше 1 года назад

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

nvd логотип

CVE-2023-44487

CVSS3: 7.5
nvd
больше 1 года назад

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

msrc логотип

CVE-2023-44487

msrc
больше 1 года назад

MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

suse-cvrf логотип

SUSE-SU-2023:4624-1

suse-cvrf
больше 1 года назад

Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container