Description
MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Workaround
The following workarounds might be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave either of these workarounds in place:
Disable the HTTP/2 protocol on your web server by using the Registry Editor
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: `HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters`
- Set the DWORD values `EnableHttp2Tls` and `EnableHttp2Cleartext` to one of the following:
  - 0 to disable HTTP/2
  - 1 to enable HTTP/2
- Exit Registry Editor.
- Restart the computer.
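The registry steps above, expressed as a PowerShell script, as an added example that is not part of the Microsoft advisory or the vulnerability record. It reads the two HTTP.sys values named in the workaround, reports whether each is set, and only when run with `-Disable` writes 0 to them; the switch name and the script itself are assumptions here, and the advisory's requirement to restart the computer afterwards still applies.

```powershell
# Added example (not from the advisory): audit and optionally apply the HTTP.sys
# registry workaround for CVE-2023-44487. Run from an elevated PowerShell prompt.
# Without -Disable the script only reports the current state; -WhatIf previews changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Disable   # assumed switch name: set both values to 0 (disable HTTP/2)
)

# Key and value names exactly as given in the workaround
$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Names = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

foreach ($name in $Names) {
    # A missing value means HTTP.sys is running on its built-in default,
    # i.e. the workaround has not been applied on this host.
    $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current) {
        Write-Output "$name : not set (HTTP.sys default applies; workaround not applied)"
    } else {
        Write-Output "$name : $current"
    }

    # Apply the workaround only when asked and only where it is not already 0
    if ($Disable -and $current -ne 0) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", 'Set DWORD to 0 (disable HTTP/2)')) {
            New-ItemProperty -Path $Path -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
            Write-Output "$name : set to 0"
        }
    }
}

if ($Disable) {
    Write-Output 'Restart the computer for HTTP.sys to pick up the change.'
}
```

Save it as, for example, `Check-Http2Workaround.ps1` and run it without arguments to inventory a server, or with `-Disable -WhatIf` to see what would be written before committing. Because the values are absent by default, a plain "not set" result is the signal that the workaround is still pending, which is the condition a fleet audit would want to flag until the update itself is installed.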
Include a protocols setting for each Kestrel endpoint to limit your application to HTTP1.1
For .NET and Kestrel, servers without HTTP/2 enabled are not affected. To limit your application to HTTP1.1 via config, edit your appsettings.json to include a protocols setting for each endpoint:
```json
"Kestrel": {
  "Endpoints": {
    "http": {
      // your existing config
      "Protocols": "Http1"
    },
    "https": {
      // your existing config
      "Protocols": "Http1"
    }
  }
}
```
Updates
Product | Article | Update
---|---|---
Windows Server 2016 | |
Windows 10 Version 1607 for 32-bit Systems | |
Windows 10 Version 1607 for x64-based Systems | |
Windows Server 2016 (Server Core installation) | |
Windows 10 Version 1809 for 32-bit Systems | |
Windows 10 Version 1809 for x64-based Systems | |
Windows 10 Version 1809 for ARM64-based Systems | |
Windows Server 2019 | |
Windows Server 2019 (Server Core installation) | |
Windows Server 2022 | |
Exploitability
Fields: Publicly Disclosed, Exploited, Latest Software Release, DOS, EPSS
Related vulnerabilities
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container