CVE-2023-44487

NameCVE-2023-44487
DescriptionThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3617-1, DLA-3621-1, DLA-3638-1, DLA-3641-1, DLA-3645-1, DLA-3656-1, DSA-5521-1, DSA-5522-1, DSA-5540-1, DSA-5549-1, DSA-5558-1, DSA-5570-1
Debian Bugs1053769, 1053770, 1053801, 1054232, 1054234, 1054427, 1056156, 1074421

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dnsdist (PTS)bullseye1.5.1-3vulnerable
bookworm1.7.3-2vulnerable
sid, trixie1.9.6-1fixed
grpc (PTS)bullseye1.30.2-3vulnerable
bookworm1.51.1-3vulnerable
sid, trixie1.51.1-4.1vulnerable
h2o (PTS)bullseye2.2.5+dfsg2-6vulnerable
bookworm2.2.5+dfsg2-7vulnerable
sid2.2.5+dfsg2-8.1fixed
haproxy (PTS)bullseye (security), bullseye2.2.9-2+deb11u6fixed
bookworm, bookworm (security)2.6.12-1+deb12u1fixed
sid, trixie2.9.11-1fixed
jetty9 (PTS)bullseye (security), bullseye9.4.50-4+deb11u2fixed
bookworm, bookworm (security)9.4.50-4+deb12u3fixed
sid, trixie9.4.55-1fixed
netty (PTS)bullseye (security), bullseye1:4.1.48-4+deb11u2fixed
bookworm, bookworm (security)1:4.1.48-7+deb12u1fixed
sid, trixie1:4.1.48-10fixed
nghttp2 (PTS)bullseye1.43.0-1+deb11u1fixed
bullseye (security)1.43.0-1+deb11u2fixed
bookworm, bookworm (security)1.52.0-1+deb12u1fixed
sid, trixie1.63.0-1fixed
nginx (PTS)bullseye (security), bullseye1.18.0-6.1+deb11u3vulnerable
bookworm1.22.1-9vulnerable
sid, trixie1.26.0-3fixed
tomcat10 (PTS)bookworm, bookworm (security)10.1.6-1+deb12u2fixed
sid, trixie10.1.30-1fixed
tomcat9 (PTS)bullseye (security), bullseye9.0.43-2~deb11u10fixed
bookworm9.0.70-2fixed
sid, trixie9.0.95-1fixed
trafficserver (PTS)bullseye8.1.10+ds-1~deb11u1fixed
bullseye (security)8.1.11+ds-0+deb11u1fixed
bookworm9.2.4+ds-0+deb12u1fixed
bookworm (security)9.2.5+ds-0+deb12u1fixed
sid9.2.5+ds-1fixed
varnish (PTS)bullseye (security), bullseye6.5.1-1+deb11u3vulnerable
bookworm7.1.1-1.1vulnerable
sid, trixie7.5.0-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dnsdistsourcebuster(not affected)
dnsdistsource(unstable)1.8.2-2
grpcsource(unstable)(unfixed)1074421
h2osourcebuster2.2.5+dfsg2-2+deb10u2DLA-3638-1
h2osource(unstable)2.2.5+dfsg2-81054232
haproxysource(unstable)1.8.13-1
jetty9sourcebuster9.4.50-4+deb10u1DLA-3641-1
jetty9sourcebullseye9.4.50-4+deb11u1DSA-5540-1
jetty9sourcebookworm9.4.50-4+deb12u2DSA-5540-1
jetty9source(unstable)9.4.53-1
nettysourcebuster1:4.1.33-1+deb10u4DLA-3656-1
nettysourcebullseye1:4.1.48-4+deb11u2DSA-5558-1
nettysourcebookworm1:4.1.48-7+deb12u1DSA-5558-1
nettysource(unstable)1:4.1.48-81054234
nghttp2sourcebuster1.36.0-2+deb10u2DLA-3621-1
nghttp2sourcebullseye1.43.0-1+deb11u1DSA-5570-1
nghttp2sourcebookworm1.52.0-1+deb12u1DSA-5570-1
nghttp2source(unstable)1.57.0-11053769
nginxsource(unstable)1.24.0-2unimportant1053770
tomcat10sourcebookworm10.1.6-1+deb12u1DSA-5521-1
tomcat10source(unstable)10.1.14-1
tomcat9sourcebuster9.0.31-1~deb10u9DLA-3617-1
tomcat9sourcebullseye9.0.43-2~deb11u7DSA-5522-1
tomcat9source(unstable)9.0.70-2
trafficserversourcebuster8.1.7-0+deb10u3DLA-3645-1
trafficserversourcebullseye8.1.9+ds-1~deb11u1DSA-5549-1
trafficserversourcebookworm9.2.3+ds-1+deb12u1DSA-5549-1
trafficserversource(unstable)9.2.3+ds-11053801, 1054427
varnishsource(unstable)7.5.0-11056156

Notes

[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <no-dsa> (Minor issue)
[bookworm] - h2o <no-dsa> (Minor issue)
[bullseye] - h2o <postponed> (Minor issue, DoS)
[bookworm] - dnsdist <no-dsa> (Minor issue)
[bullseye] - dnsdist <no-dsa> (Minor issue)
[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version
ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
ATS: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
ATS: https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.9)
grpc: https://github.com/grpc/grpc/pull/34763
h2o: https://github.com/h2o/h2o/commit/28fe15117b909588bf14269a0e1c6ec4548579fe
dnsdist: h2o change breaks the ABI, hence dnsdist switched to a vendored fix in 1.8.2-2
haproxy: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dcdf32a2cb263c5bd22b7fc98698ce59a (v1.9-dev1)
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44136.html
nginx: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
nginx: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9
nghttp2: https://github.com/nghttp2/nghttp2/pull/1961
nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
nghttp2: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 (v1.57.0)
jetty9: https://github.com/eclipse/jetty.project/issues/10679
jetty9: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Go uses CVE-2023-39325 to track this
netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)
varnish: https://varnish-cache.org/security/VSV00013.html
varnish: https://github.com/varnishcache/varnish-cache/issues/3996
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2023-44487
Unaffected implementations not requiring code changes:
- rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- apache2: https://chaos.social/@icing/111210915918780532
- lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9

Search for package or bug name: Reporting problems