CVE-2023-44487

critical-risk

Published 2023-10-10

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Do I need to act?

94.4% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

1 public exploit available

52426

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Big-Ip Advanced Firewall Manager

Big-Ip Advanced Web Application Firewall

Big-Ip Analytics

Big-Ip Application Acceleration Manager

Big-Ip Application Security Manager

Big-Ip Application Visibility And Reporting

Big-Ip Carrier-Grade Nat

Big-Ip Ddos Hybrid Defender

Big-Ip Domain Name System

Big-Ip Fraud Protection Service

Big-Ip Global Traffic Manager

Affected Vendors

Cisco Debian Redhat Microsoft Apache Apple F5 Fedoraproject Ietf Netapp Facebook Eclipse Jenkins Amazon Nodejs Varnish Cache Project Netty Linecorp Golang Dena Nghttp2 Grpc Akka Openresty Traefik Caddyserver Envoyproxy Istio Konghq Projectcontour Kazu-Yamamoto Linkerd

References (287)

Mailing List http://www.openwall.com/lists/oss-security/2023/10/10/6

Mailing List http://www.openwall.com/lists/oss-security/2023/10/10/7

Mailing List http://www.openwall.com/lists/oss-security/2023/10/13/4

Mailing List http://www.openwall.com/lists/oss-security/2023/10/13/9

Mailing List http://www.openwall.com/lists/oss-security/2023/10/18/4

Mailing List http://www.openwall.com/lists/oss-security/2023/10/18/8

Mailing List http://www.openwall.com/lists/oss-security/2023/10/19/6

Mailing List http://www.openwall.com/lists/oss-security/2023/10/20/8

Vendor Advisory https://access.redhat.com/security/cve/cve-2023-44487

Press/Media Coverage https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to...

Third Party Advisory https://aws.amazon.com/security/security-bulletins/AWS-2023-011/

Technical Description https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

Third Party Advisory https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-atta...

Vendor Advisory https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/

Press/Media Coverage https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-4448...

Vendor Advisory https://blog.vespa.ai/cve-2023-44487/

Issue Tracking https://bugzilla.proxmox.com/show_bug.cgi?id=4988

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2242803

Issue Tracking https://bugzilla.suse.com/show_bug.cgi?id=1216123

Mailing List https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629...

and 267 more references

/ 100

critical-risk

Severity 26/34 · High

Exploitability 27/34 · High

Exposure 33/34 · Critical