CVE-2023-44487

NameCVE-2023-44487
DescriptionThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3617-1, DLA-3621-1, DLA-3638-1, DLA-3641-1, DLA-3645-1, DLA-3656-1, DSA-5521-1, DSA-5522-1, DSA-5540-1, DSA-5549-1, DSA-5558-1, DSA-5570-1
Debian Bugs1053769, 1053770, 1053801, 1054232, 1054234, 1054427, 1056156

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dnsdist (PTS)buster1.3.3-3fixed
bullseye1.5.1-3vulnerable
bookworm1.7.3-2vulnerable
sid, trixie1.8.2-3fixed
h2o (PTS)buster2.2.5+dfsg2-2+deb10u1vulnerable
buster (security)2.2.5+dfsg2-2+deb10u2fixed
bullseye2.2.5+dfsg2-6vulnerable
bookworm2.2.5+dfsg2-7vulnerable
sid, trixie2.2.5+dfsg2-8fixed
haproxy (PTS)buster1.8.19-1+deb10u3fixed
buster (security)1.8.19-1+deb10u4fixed
bullseye (security), bullseye2.2.9-2+deb11u5fixed
bookworm2.6.12-1fixed
trixie2.6.15-1fixed
sid2.8.5-1fixed
jetty9 (PTS)buster9.4.16-0+deb10u1vulnerable
buster (security)9.4.50-4+deb10u1fixed
bullseye9.4.39-3+deb11u2vulnerable
bullseye (security)9.4.50-4+deb11u1fixed
bookworm, bookworm (security)9.4.50-4+deb12u2fixed
sid, trixie9.4.53-1fixed
netty (PTS)buster1:4.1.33-1+deb10u2vulnerable
buster (security)1:4.1.33-1+deb10u4fixed
bullseye1:4.1.48-4+deb11u1vulnerable
bullseye (security)1:4.1.48-4+deb11u2fixed
bookworm, bookworm (security)1:4.1.48-7+deb12u1fixed
trixie1:4.1.48-8fixed
sid1:4.1.48-9fixed
nghttp2 (PTS)buster1.36.0-2+deb10u1vulnerable
buster (security)1.36.0-2+deb10u2fixed
bullseye1.43.0-1vulnerable
bullseye (security)1.43.0-1+deb11u1fixed
bookworm, bookworm (security)1.52.0-1+deb12u1fixed
sid, trixie1.58.0-1fixed
nginx (PTS)buster1.14.2-2+deb10u4vulnerable
buster (security)1.14.2-2+deb10u5vulnerable
bullseye (security), bullseye1.18.0-6.1+deb11u3vulnerable
bookworm1.22.1-9vulnerable
sid, trixie1.24.0-2fixed
tomcat10 (PTS)bookworm, bookworm (security)10.1.6-1+deb12u1fixed
sid, trixie10.1.16-1fixed
tomcat9 (PTS)buster9.0.31-1~deb10u6vulnerable
buster (security)9.0.31-1~deb10u10fixed
bullseye9.0.43-2~deb11u6vulnerable
bullseye (security)9.0.43-2~deb11u9fixed
sid, trixie, bookworm9.0.70-2fixed
trafficserver (PTS)buster8.0.2+ds-1+deb10u6vulnerable
buster (security)8.1.7-0+deb10u3fixed
bullseye8.1.7+ds-1~deb11u1vulnerable
bullseye (security)8.1.9+ds-1~deb11u1fixed
sid, bookworm, bookworm (security)9.2.3+ds-1+deb12u1fixed
varnish (PTS)buster6.1.1-1+deb10u3vulnerable
buster (security)6.1.1-1+deb10u4vulnerable
bullseye (security), bullseye6.5.1-1+deb11u3vulnerable
sid, trixie, bookworm7.1.1-1.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dnsdistsourcebuster(not affected)
dnsdistsource(unstable)1.8.2-2
h2osourcebuster2.2.5+dfsg2-2+deb10u2DLA-3638-1
h2osource(unstable)2.2.5+dfsg2-81054232
haproxysource(unstable)1.8.13-1
jetty9sourcebuster9.4.50-4+deb10u1DLA-3641-1
jetty9sourcebullseye9.4.50-4+deb11u1DSA-5540-1
jetty9sourcebookworm9.4.50-4+deb12u2DSA-5540-1
jetty9source(unstable)9.4.53-1
nettysourcebuster1:4.1.33-1+deb10u4DLA-3656-1
nettysourcebullseye1:4.1.48-4+deb11u2DSA-5558-1
nettysourcebookworm1:4.1.48-7+deb12u1DSA-5558-1
nettysource(unstable)1:4.1.48-81054234
nghttp2sourcebuster1.36.0-2+deb10u2DLA-3621-1
nghttp2sourcebullseye1.43.0-1+deb11u1DSA-5570-1
nghttp2sourcebookworm1.52.0-1+deb12u1DSA-5570-1
nghttp2source(unstable)1.57.0-11053769
nginxsource(unstable)1.24.0-2unimportant1053770
tomcat10sourcebookworm10.1.6-1+deb12u1DSA-5521-1
tomcat10source(unstable)10.1.14-1
tomcat9sourcebuster9.0.31-1~deb10u9DLA-3617-1
tomcat9sourcebullseye9.0.43-2~deb11u7DSA-5522-1
tomcat9source(unstable)9.0.70-2
trafficserversourcebuster8.1.7-0+deb10u3DLA-3645-1
trafficserversourcebullseye8.1.9+ds-1~deb11u1DSA-5549-1
trafficserversourcebookworm9.2.3+ds-1+deb12u1DSA-5549-1
trafficserversource(unstable)9.2.3+ds-11053801, 1054427
varnishsource(unstable)(unfixed)1056156

Notes

[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version
ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
ATS: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
ATS: https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.9)
h2o: https://github.com/h2o/h2o/commit/28fe15117b909588bf14269a0e1c6ec4548579fe
dnsdist: h2o change breaks the ABI, hence dnsdist switched to a vendored fix in 1.8.2-2
haproxy: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dcdf32a2cb263c5bd22b7fc98698ce59a (v1.9-dev1)
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44136.html
nginx: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
nginx: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9
nghttp2: https://github.com/nghttp2/nghttp2/pull/1961
nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
nghttp2: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 (v1.57.0)
jetty9: https://github.com/eclipse/jetty.project/issues/10679
jetty9: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Go uses CVE-2023-39325 to track this
netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)
varnish: https://varnish-cache.org/security/VSV00013.html
varnish: https://github.com/varnishcache/varnish-cache/issues/3996
Unaffected implementations not requiring code changes:
- rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- apache2: https://chaos.social/@icing/111210915918780532
- lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9

Search for package or bug name: Reporting problems