NVD - CVE-2023-44487

CVE-2023-44487 Detail

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: 7.5 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

ADP: CISA-ADP

Base Score: 7.5 HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
http://www.openwall.com/lists/oss-security/2023/10/13/4	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/13/9	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/4	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/18/8	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/19/6	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/20/8	Mailing List
https://access.redhat.com/security/cve/cve-2023-44487	Vendor Advisory
https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/	Press/Media Coverage Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/	Third Party Advisory
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/	Technical Description Vendor Advisory
https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/	Vendor Advisory
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/	Vendor Advisory
https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack	Press/Media Coverage Third Party Advisory
https://blog.vespa.ai/cve-2023-44487/	Vendor Advisory
https://bugzilla.proxmox.com/show_bug.cgi?id=4988	Issue Tracking Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2242803	Issue Tracking Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=1216123	Issue Tracking Vendor Advisory
https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9	Mailing List Patch Vendor Advisory
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/	Technical Description Vendor Advisory
https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack	Technical Description Vendor Advisory
https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125	Vendor Advisory
https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715	Third Party Advisory
https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve	Technical Description Third Party Advisory
https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764	Vendor Advisory
https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088	Third Party Advisory
https://github.com/Azure/AKS/issues/3947	Issue Tracking Vendor Advisory
https://github.com/Kong/kong/discussions/11741	Issue Tracking Vendor Advisory
https://github.com/advisories/GHSA-qppj-fm5r-hxr3	Vendor Advisory
https://github.com/advisories/GHSA-vx74-f528-fxqg	Mitigation Patch Vendor Advisory
https://github.com/advisories/GHSA-xpw8-rcwv-8f8p	Patch Vendor Advisory
https://github.com/akka/akka-http/issues/4323	Issue Tracking Vendor Advisory
https://github.com/alibaba/tengine/issues/1872	Issue Tracking Vendor Advisory
https://github.com/apache/apisix/issues/10320	Issue Tracking Vendor Advisory
https://github.com/apache/httpd-site/pull/10	Issue Tracking Vendor Advisory
https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113	Product Third Party Advisory
https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2	Product Third Party Advisory
https://github.com/apache/trafficserver/pull/10564	Patch Vendor Advisory
https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487	Vendor Advisory
https://github.com/bcdannyboy/CVE-2023-44487	Third Party Advisory
https://github.com/caddyserver/caddy/issues/5877	Issue Tracking Vendor Advisory
https://github.com/caddyserver/caddy/releases/tag/v2.7.5	Release Notes Third Party Advisory
https://github.com/dotnet/announcements/issues/277	Mitigation Vendor Advisory
https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73	Product Release Notes Vendor Advisory
https://github.com/eclipse/jetty.project/issues/10679	Issue Tracking Vendor Advisory
https://github.com/envoyproxy/envoy/pull/30055	Patch Vendor Advisory
https://github.com/etcd-io/etcd/issues/16740	Issue Tracking Patch Vendor Advisory
https://github.com/facebook/proxygen/pull/466	Patch Vendor Advisory
https://github.com/golang/go/issues/63417	Issue Tracking Vendor Advisory
https://github.com/grpc/grpc-go/pull/6703	Patch Vendor Advisory
https://github.com/h2o/h2o/pull/3291	Patch Third Party Advisory
https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf	Vendor Advisory
https://github.com/haproxy/haproxy/issues/2312	Issue Tracking Vendor Advisory
https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244	Product Vendor Advisory
https://github.com/junkurihara/rust-rpxy/issues/97	Issue Tracking Vendor Advisory
https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1	Patch Third Party Advisory
https://github.com/kazu-yamamoto/http2/issues/93	Issue Tracking Third Party Advisory
https://github.com/kubernetes/kubernetes/pull/121120	Patch Vendor Advisory
https://github.com/line/armeria/pull/5232	Issue Tracking Patch Vendor Advisory
https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632	Vendor Advisory
https://github.com/micrictor/http2-rst-stream	Exploit Third Party Advisory
https://github.com/microsoft/CBL-Mariner/pull/6381	Patch Vendor Advisory
https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61	Patch Vendor Advisory
https://github.com/nghttp2/nghttp2/pull/1961	Patch Vendor Advisory
https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0	Release Notes Third Party Advisory
https://github.com/ninenines/cowboy/issues/1615	Issue Tracking Vendor Advisory
https://github.com/nodejs/node/pull/50121	Vendor Advisory
https://github.com/openresty/openresty/issues/930	Issue Tracking Vendor Advisory
https://github.com/opensearch-project/data-prepper/issues/3474	Issue Tracking Patch Vendor Advisory
https://github.com/oqtane/oqtane.framework/discussions/3367	Issue Tracking Vendor Advisory
https://github.com/projectcontour/contour/pull/5826	Issue Tracking Patch Vendor Advisory
https://github.com/tempesta-tech/tempesta/issues/1986	Issue Tracking Vendor Advisory
https://github.com/varnishcache/varnish-cache/issues/3996	Issue Tracking Vendor Advisory
https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo	Mailing List Vendor Advisory
https://istio.io/latest/news/security/istio-security-2023-004/	Vendor Advisory
https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/	Vendor Advisory
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q	Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/	Mailing List Third Party Advisory
https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html	Mailing List Third Party Advisory
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html	Mailing List Patch Third Party Advisory
https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html	Third Party Advisory
https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/	Patch Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487	Mitigation Patch Vendor Advisory
https://my.f5.com/manage/s/article/K000137106	Vendor Advisory
https://netty.io/news/2023/10/10/4-1-100-Final.html	Release Notes Vendor Advisory
https://news.ycombinator.com/item?id=37830987	Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=37830998	Issue Tracking Press/Media Coverage
https://news.ycombinator.com/item?id=37831062	Issue Tracking Third Party Advisory
https://news.ycombinator.com/item?id=37837043	Issue Tracking
https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/	Third Party Advisory
https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected	Third Party Advisory
https://security.gentoo.org/glsa/202311-09	Third Party Advisory
https://security.netapp.com/advisory/ntap-20231016-0001/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240426-0007/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0007/	Third Party Advisory
https://security.paloaltonetworks.com/CVE-2023-44487	Vendor Advisory
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14	Release Notes Vendor Advisory
https://ubuntu.com/security/CVE-2023-44487	Vendor Advisory
https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/	Third Party Advisory
https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487	Third Party Advisory US Government Resource
https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event	Press/Media Coverage Third Party Advisory
https://www.debian.org/security/2023/dsa-5521	Vendor Advisory
https://www.debian.org/security/2023/dsa-5522	Vendor Advisory
https://www.debian.org/security/2023/dsa-5540	Third Party Advisory
https://www.debian.org/security/2023/dsa-5549	Third Party Advisory
https://www.debian.org/security/2023/dsa-5558	Third Party Advisory
https://www.debian.org/security/2023/dsa-5570	Third Party Advisory
https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487	Vendor Advisory
https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/	Vendor Advisory
https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/	Mitigation Vendor Advisory
https://www.openwall.com/lists/oss-security/2023/10/10/6	Mailing List Third Party Advisory
https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack	Press/Media Coverage
https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/	Press/Media Coverage Third Party Advisory

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name	Date Added	Due Date	Required Action
HTTP/2 Rapid Reset Attack Vulnerability	10/10/2023	10/31/2023	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-noinfo	Insufficient Information	NIST
CWE-400	Uncontrolled Resource Consumption	CISA-ADP

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

64 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2023-44487
NVD Published Date:
10/10/2023
NVD Last Modified:
08/14/2024
Source:
MITRE

CVE-2023-44487 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

Modified Analysis by NIST 8/14/2024 3:57:19 PM

CVE Modified by CISA-ADP 8/01/2024 9:44:53 AM

Modified Analysis by NIST 6/27/2024 2:34:22 PM

CVE Modified by MITRE 6/21/2024 3:15:28 PM

CVE Modified by MITRE 5/14/2024 9:51:03 AM

CVE Modified by MITRE 4/26/2024 5:15:07 AM

Reanalysis by NIST 2/02/2024 10:40:23 AM

Modified Analysis by NIST 12/20/2023 12:55:36 PM

CVE Modified by MITRE 12/01/2023 8:15:08 PM

Modified Analysis by NIST 12/01/2023 9:22:19 AM

CVE Modified by MITRE 11/25/2023 6:15:18 AM

CVE Modified by MITRE 11/19/2023 5:15:30 PM

CVE Modified by MITRE 11/18/2023 4:15:07 PM

CVE Modified by MITRE 11/07/2023 12:15:12 AM

CVE Modified by MITRE 11/06/2023 11:21:36 PM

CVE Modified by MITRE 11/05/2023 10:15:12 PM

CVE Modified by MITRE 11/05/2023 7:15:08 PM

CVE Modified by MITRE 11/03/2023 6:15:11 PM

CVE Modified by MITRE 11/03/2023 5:15:16 PM

CVE Modified by MITRE 11/03/2023 1:15:30 AM

CVE Modified by MITRE 10/31/2023 12:15:09 PM

CVE Modified by MITRE 10/31/2023 3:15:10 AM

CVE Modified by MITRE 10/30/2023 6:15:10 PM

CVE Modified by MITRE 10/29/2023 12:15:10 AM

CVE Modified by MITRE 10/28/2023 11:15:08 PM

CVE Modified by MITRE 10/27/2023 11:15:08 PM

CVE Modified by MITRE 10/26/2023 1:15:25 AM

CVE Modified by MITRE 10/25/2023 11:15:10 PM

CVE Modified by MITRE 10/25/2023 2:17:32 PM

Reanalysis by NIST 10/25/2023 11:26:25 AM

Modified Analysis by NIST 10/24/2023 8:58:07 AM

CVE Modified by MITRE 10/20/2023 5:15:09 PM

CVE Modified by MITRE 10/19/2023 11:15:09 PM

CVE Modified by MITRE 10/19/2023 11:15:09 AM

CVE Modified by MITRE 10/18/2023 11:15:08 PM

CVE Modified by MITRE 10/18/2023 5:15:09 PM

Reanalysis by NIST 10/18/2023 1:01:27 PM

Modified Analysis by NIST 10/18/2023 11:20:46 AM

CVE Modified by MITRE 10/16/2023 9:15:09 PM

CVE Modified by MITRE 10/16/2023 3:15:10 PM

CVE Modified by MITRE 10/16/2023 2:15:16 PM

CVE Modified by MITRE 10/15/2023 3:15:09 PM

CVE Modified by MITRE 10/15/2023 12:15:12 AM

CVE Modified by MITRE 10/13/2023 9:15:46 PM

CVE Modified by MITRE 10/13/2023 5:15:51 PM

Initial Analysis by NIST 10/13/2023 3:32:37 PM

CVE Modified by MITRE 10/13/2023 2:15:09 PM

CVE Modified by MITRE 10/13/2023 12:15:12 PM

CVE Modified by MITRE 10/12/2023 8:15:13 PM

CVE Modified by MITRE 10/12/2023 2:15:11 PM

CVE Modified by MITRE 10/11/2023 6:15:10 PM

CVE Modified by MITRE 10/11/2023 5:15:10 PM

CVE Modified by MITRE 10/11/2023 4:15:10 PM

CVE Modified by MITRE 10/11/2023 3:15:11 AM

CVE Modified by MITRE 10/11/2023 1:15:45 AM

CVE Modified by MITRE 10/10/2023 9:15:08 PM

CVE Modified by MITRE 10/10/2023 8:15:22 PM

CVE Modified by MITRE 10/10/2023 6:15:11 PM

CVE Modified by MITRE 10/10/2023 5:15:09 PM

CVE Modified by MITRE 10/10/2023 3:15:09 PM

CVE Modified by MITRE 10/10/2023 2:15:19 PM

CVE Modified by MITRE 10/10/2023 1:15:13 PM

CVE Modified by MITRE 10/10/2023 12:15:10 PM

CVE Modified by MITRE 10/10/2023 11:15:10 AM

Quick Info