CVE-2023-44487

Отчет

NGINX has been marked as Moderate Impact because, for performance and resource consumption reasons, NGINX limits the number of concurrent streams to a default of 128. In addition, to optimally balance network and server performance, NGINX allows the client to persist HTTP connections for up to 1000 requests by default using an HTTP keepalive. The majority of RHEL utilities are not long-running applications; instead, they are command-line tools. These tools utilize Golang package as build-time dependency, which is why they are classified as having a "Moderate" level of impact. rhc component is no longer impacted by CVE-2023-44487 & CVE-2023-39325.

Меры по смягчению последствий

Users are strongly urged to update their software as soon as fixes are available. There are several mitigation approaches for this flaw.

1. If circumstances permit, users may disable http2 endpoints to circumvent the flaw altogether until a fix is available.
2. IP-based blocking or flood protection and rate control tools may be used at network endpoints to filter incoming traffic.
3. Several package specific mitigations are also available. a. nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/ b. netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p c. haproxy: https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487 d. nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg e. golang: The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.