Security

Mitigation Instructions for CVE-2023-44487

Written by CyRisk Vulnerability Management Team | Feb 22, 2024 7:03:26 PM

SUBJECT: CVE-2023-44487 Uncontrolled Resource Consumption

TECH STACK: 

  • HTTP/2 Protocol
  • Software nghttp2 (up to version 1.57.0)
  • Netty (up to version 4.1.100
  • Envoy (versions 1.24.10, 1.25.9, 1.26.4, 1.27.0)
  • Eclipse Jetty (up to version 9.4.53, from 10.0.0 to 10.0.17, from 11.0.0 to 11.0.17, from 12.0.0 to 12.0.2)
  • Caddy Server (up to version 2.7.5)

DATE(S) ISSUED: 10/10/2023

NVD Last Modified: 02/02/2024

CRITICALITY: HIGH (CVE Base Score: 7.5)

OVERVIEW: 

This vulnerability affects the HTTP/2 Protocol, widely used for web communication. It allows attackers to send rapid requests and cancellations, consuming server resources and potentially causing denial-of-service (DoS), exploited in October 2023, causing record-breaking DoS attacks.

ATTACK MECHANISMS:

  1. Attacker sends a large number of HTTP/2 connection requests.
  2. Server allocates resources to handle each request.
  3. Before processing the request, the attacker cancels it immediately.
  4. Server resources are wasted without generating any useful work.
  5. Repeating this process rapidly exhausts server resources, leading to DoS.

AFFECTED SYSTEMS:

  1. Any system implementing the HTTP/2 protocol is potentially vulnerable.
  2. Specific software mentioned includes nghttp2, Netty, Envoy, Jetty, and Caddy Server (certain versions).

MITIGATION SOLUTION: 

  1. Update software to patched versions (refer to vendor advisories).
  2. Implement rate limiting on HTTP/2 connections and requests.
  3. Consider alternative protocols like HTTP/3 with better resource management.

Confirmation & Additional Information:

  1. This vulnerability highlights the importance of keeping software updated and applying security patches promptly.
  2. Mitigations may vary depending on your specific software and environment.
  3. Consult the provided resources for detailed information and vendor-specific recommendations.

REFERENCES:

Third Party Advisories:

  1. Red Hat
  2. Ars Technica
  3. Amazon Web Services
  4. Cloudflare
  5. LiteSpeed Technologies
  6. Qualys
  7. Vespa AI