SUBJECT: CVE-2023-44487 Uncontrolled Resource Consumption
TECH STACK:
- HTTP/2 Protocol
- Software nghttp2 (up to version 1.57.0)
- Netty (up to version 4.1.100
- Envoy (versions 1.24.10, 1.25.9, 1.26.4, 1.27.0)
- Eclipse Jetty (up to version 9.4.53, from 10.0.0 to 10.0.17, from 11.0.0 to 11.0.17, from 12.0.0 to 12.0.2)
- Caddy Server (up to version 2.7.5)
DATE(S) ISSUED: 10/10/2023
NVD Last Modified: 02/02/2024
CRITICALITY: HIGH (CVE Base Score: 7.5)
OVERVIEW:
This vulnerability affects the HTTP/2 Protocol, widely used for web communication. It allows attackers to send rapid requests and cancellations, consuming server resources and potentially causing denial-of-service (DoS), exploited in October 2023, causing record-breaking DoS attacks.
ATTACK MECHANISMS:
- Attacker sends a large number of HTTP/2 connection requests.
- Server allocates resources to handle each request.
- Before processing the request, the attacker cancels it immediately.
- Server resources are wasted without generating any useful work.
- Repeating this process rapidly exhausts server resources, leading to DoS.
AFFECTED SYSTEMS:
- Any system implementing the HTTP/2 protocol is potentially vulnerable.
- Specific software mentioned includes nghttp2, Netty, Envoy, Jetty, and Caddy Server (certain versions).
MITIGATION SOLUTION:
- Update software to patched versions (refer to vendor advisories).
- Implement rate limiting on HTTP/2 connections and requests.
- Consider alternative protocols like HTTP/3 with better resource management.
Confirmation & Additional Information:
- This vulnerability highlights the importance of keeping software updated and applying security patches promptly.
- Mitigations may vary depending on your specific software and environment.
- Consult the provided resources for detailed information and vendor-specific recommendations.
REFERENCES:
Third Party Advisories:
- Red Hat
- Ars Technica
- Amazon Web Services
- Cloudflare
- LiteSpeed Technologies
- Qualys
- Vespa AI
