CVE-2023-44487

Name	CVE-2023-44487
Description	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3617-1, DLA-3621-1, DLA-3638-1, DLA-3641-1, DLA-3645-1, DLA-3656-1, DSA-5521-1, DSA-5522-1, DSA-5540-1, DSA-5549-1, DSA-5558-1, DSA-5570-1
Debian Bugs	1053769, 1053770, 1053801, 1054232, 1054234, 1054427, 1056156

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dnsdist (PTS)	buster	1.3.3-3	fixed
	bullseye	1.5.1-3	vulnerable
	bookworm	1.7.3-2	vulnerable
	trixie	1.8.3-2	fixed
	sid	1.9.3-1	fixed
grpc (PTS)	buster	1.16.1-1	vulnerable
	bullseye	1.30.2-3	vulnerable
	bookworm	1.51.1-3	vulnerable
	trixie	1.51.1-4	vulnerable
	sid	1.51.1-4.1	vulnerable
h2o (PTS)	buster	2.2.5+dfsg2-2+deb10u1	vulnerable
	buster (security)	2.2.5+dfsg2-2+deb10u2	fixed
	bullseye	2.2.5+dfsg2-6	vulnerable
	bookworm	2.2.5+dfsg2-7	vulnerable
	trixie	2.2.5+dfsg2-8	fixed
	sid	2.2.5+dfsg2-8.1	fixed
haproxy (PTS)	buster	1.8.19-1+deb10u3	fixed
	buster (security)	1.8.19-1+deb10u5	fixed
	bullseye (security), bullseye	2.2.9-2+deb11u6	fixed
	bookworm, bookworm (security)	2.6.12-1+deb12u1	fixed
	trixie	2.9.5-1	fixed
	sid	2.9.7-1	fixed
jetty9 (PTS)	buster	9.4.16-0+deb10u1	vulnerable
	buster (security)	9.4.50-4+deb10u2	fixed
	bullseye	9.4.50-4+deb11u1	fixed
	bullseye (security)	9.4.50-4+deb11u2	fixed
	bookworm	9.4.50-4+deb12u2	fixed
	bookworm (security)	9.4.50-4+deb12u3	fixed
	sid, trixie	9.4.54-1	fixed
netty (PTS)	buster	1:4.1.33-1+deb10u2	vulnerable
	buster (security)	1:4.1.33-1+deb10u4	fixed
	bullseye (security), bullseye	1:4.1.48-4+deb11u2	fixed
	bookworm, bookworm (security)	1:4.1.48-7+deb12u1	fixed
	sid, trixie	1:4.1.48-9	fixed
nghttp2 (PTS)	buster	1.36.0-2+deb10u1	vulnerable
	buster (security)	1.36.0-2+deb10u2	fixed
	bullseye (security), bullseye	1.43.0-1+deb11u1	fixed
	bookworm, bookworm (security)	1.52.0-1+deb12u1	fixed
	trixie	1.59.0-1	fixed
	sid	1.61.0-1	fixed
nginx (PTS)	buster	1.14.2-2+deb10u4	vulnerable
	buster (security)	1.14.2-2+deb10u5	vulnerable
	bullseye (security), bullseye	1.18.0-6.1+deb11u3	vulnerable
	bookworm	1.22.1-9	vulnerable
	sid, trixie	1.24.0-2	fixed
tomcat10 (PTS)	bookworm	10.1.6-1+deb12u1	fixed
	bookworm (security)	10.1.6-1+deb12u2	fixed
	sid, trixie	10.1.23-1	fixed
tomcat9 (PTS)	buster	9.0.31-1~deb10u6	vulnerable
	buster (security)	9.0.31-1~deb10u12	fixed
	bullseye	9.0.43-2~deb11u9	fixed
	bullseye (security)	9.0.43-2~deb11u10	fixed
	sid, trixie, bookworm	9.0.70-2	fixed
trafficserver (PTS)	buster	8.0.2+ds-1+deb10u6	vulnerable
	buster (security)	8.1.7-0+deb10u3	fixed
	bullseye	8.1.9+ds-1~deb11u1	fixed
	bullseye (security)	8.1.10+ds-1~deb11u1	fixed
	bookworm	9.2.3+ds-1+deb12u1	fixed
	bookworm (security)	9.2.4+ds-0+deb12u1	fixed
	sid	9.2.4+ds-2	fixed
varnish (PTS)	buster	6.1.1-1+deb10u3	vulnerable
	buster (security)	6.1.1-1+deb10u4	vulnerable
	bullseye (security), bullseye	6.5.1-1+deb11u3	vulnerable
	bookworm	7.1.1-1.1	vulnerable
	sid, trixie	7.1.1-1.2	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
dnsdist	source	buster	(not affected)
dnsdist	source	(unstable)	1.8.2-2
grpc	source	(unstable)	(unfixed)
h2o	source	buster	2.2.5+dfsg2-2+deb10u2		DLA-3638-1
h2o	source	(unstable)	2.2.5+dfsg2-8			1054232
haproxy	source	(unstable)	1.8.13-1
jetty9	source	buster	9.4.50-4+deb10u1		DLA-3641-1
jetty9	source	bullseye	9.4.50-4+deb11u1		DSA-5540-1
jetty9	source	bookworm	9.4.50-4+deb12u2		DSA-5540-1
jetty9	source	(unstable)	9.4.53-1
netty	source	buster	1:4.1.33-1+deb10u4		DLA-3656-1
netty	source	bullseye	1:4.1.48-4+deb11u2		DSA-5558-1
netty	source	bookworm	1:4.1.48-7+deb12u1		DSA-5558-1
netty	source	(unstable)	1:4.1.48-8			1054234
nghttp2	source	buster	1.36.0-2+deb10u2		DLA-3621-1
nghttp2	source	bullseye	1.43.0-1+deb11u1		DSA-5570-1
nghttp2	source	bookworm	1.52.0-1+deb12u1		DSA-5570-1
nghttp2	source	(unstable)	1.57.0-1			1053769
nginx	source	(unstable)	1.24.0-2	unimportant		1053770
tomcat10	source	bookworm	10.1.6-1+deb12u1		DSA-5521-1
tomcat10	source	(unstable)	10.1.14-1
tomcat9	source	buster	9.0.31-1~deb10u9		DLA-3617-1
tomcat9	source	bullseye	9.0.43-2~deb11u7		DSA-5522-1
tomcat9	source	(unstable)	9.0.70-2
trafficserver	source	buster	8.1.7-0+deb10u3		DLA-3645-1
trafficserver	source	bullseye	8.1.9+ds-1~deb11u1		DSA-5549-1
trafficserver	source	bookworm	9.2.3+ds-1+deb12u1		DSA-5549-1
trafficserver	source	(unstable)	9.2.3+ds-1			1053801, 1054427
varnish	source	(unstable)	(unfixed)			1056156

Notes

[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <no-dsa> (Minor issue)
[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version
ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
ATS: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
ATS: https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.9)
grpc: https://github.com/grpc/grpc/pull/34763
h2o: https://github.com/h2o/h2o/commit/28fe15117b909588bf14269a0e1c6ec4548579fe
dnsdist: h2o change breaks the ABI, hence dnsdist switched to a vendored fix in 1.8.2-2
haproxy: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dcdf32a2cb263c5bd22b7fc98698ce59a (v1.9-dev1)
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44136.html
nginx: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
nginx: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9
nghttp2: https://github.com/nghttp2/nghttp2/pull/1961
nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
nghttp2: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 (v1.57.0)
jetty9: https://github.com/eclipse/jetty.project/issues/10679
jetty9: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Go uses CVE-2023-39325 to track this
netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)
varnish: https://varnish-cache.org/security/VSV00013.html
varnish: https://github.com/varnishcache/varnish-cache/issues/3996
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2023-44487
Unaffected implementations not requiring code changes:
- rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- apache2: https://chaos.social/@icing/111210915918780532
- lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9