Vulnerability - CVE-2023-44487

›

›vulnerability›CVE-2023-44487

Name

CVE-2023-44487

Source

NVD ( link)Debian ( link)

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CWEs

Published Date

Oct 10, 2023

Updated Date

Jun 17, 2026

Workaround

-

Advisories

http://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List

http://www.openwall.com/lists/oss-security/2023/10/10/7Mailing List

http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List

http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List

http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List

https://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory

https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/Press/Media Coverage

https://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory

https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/Technical Description

https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/Third Party Advisory

https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/Vendor Advisory

https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attackPress/Media Coverage

https://blog.vespa.ai/cve-2023-44487/Vendor Advisory

https://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking

https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9Mailing List

https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/Technical Description

https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attackTechnical Description

https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715Third Party Advisory

https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link

https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764Vendor Advisory

https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking

https://github.com/Azure/AKS/issues/3947Issue Tracking

https://github.com/Kong/kong/discussions/11741Issue Tracking

https://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory

https://github.com/advisories/GHSA-vx74-f528-fxqgMitigation

https://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch

https://github.com/akka/akka-http/issues/4323Issue Tracking

https://github.com/alibaba/tengine/issues/1872Issue Tracking

https://github.com/apache/apisix/issues/10320Issue Tracking

https://github.com/apache/httpd-site/pull/10Issue Tracking

https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113Product

https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2Product

https://github.com/apache/trafficserver/pull/10564Issue Tracking

https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory

https://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory

https://github.com/caddyserver/caddy/issues/5877Issue Tracking

https://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes

https://github.com/dotnet/announcements/issues/277Issue Tracking

https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73Product

https://github.com/eclipse/jetty.project/issues/10679Issue Tracking

https://github.com/envoyproxy/envoy/pull/30055Issue Tracking

https://github.com/etcd-io/etcd/issues/16740Issue Tracking

https://github.com/facebook/proxygen/pull/466Issue Tracking

https://github.com/golang/go/issues/63417Issue Tracking

https://github.com/grpc/grpc-go/pull/6703Issue Tracking

https://github.com/grpc/grpc/releases/tag/v1.59.2Mailing List

https://github.com/h2o/h2o/pull/3291Issue Tracking

https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory

https://github.com/haproxy/haproxy/issues/2312Issue Tracking

https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244Product

https://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking

https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1Patch

https://github.com/kazu-yamamoto/http2/issues/93Issue Tracking

https://github.com/kubernetes/kubernetes/pull/121120Issue Tracking

https://github.com/line/armeria/pull/5232Issue Tracking

https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632Patch

https://github.com/micrictor/http2-rst-streamExploit

https://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking

https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61Patch

https://github.com/nghttp2/nghttp2/pull/1961Issue Tracking

https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes

https://github.com/ninenines/cowboy/issues/1615Issue Tracking

https://github.com/nodejs/node/pull/50121Issue Tracking

https://github.com/openresty/openresty/issues/930Issue Tracking

https://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking

https://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking

https://github.com/projectcontour/contour/pull/5826Issue Tracking

https://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking

https://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking

https://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List

https://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory

https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/Mailing List

https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List

https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.htmlMailing List

https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.htmlThird Party Advisory

https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/Patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation

https://my.f5.com/manage/s/article/K000137106Vendor Advisory

https://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes

https://news.ycombinator.com/item?id=37830987Issue Tracking

https://news.ycombinator.com/item?id=37830998Issue Tracking

https://news.ycombinator.com/item?id=37831062Issue Tracking

https://news.ycombinator.com/item?id=37837043Issue Tracking

https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/Third Party Advisory

https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffectedThird Party Advisory

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZVendor Advisory

https://security.gentoo.org/glsa/202311-09Third Party Advisory

https://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory

https://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory

https://security.netapp.com/advisory/ntap-20240621-0006/Exploit

https://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory

https://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory

https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14Release Notes

https://ubuntu.com/security/CVE-2023-44487Vendor Advisory

https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/Third Party Advisory

https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487US Government Resource

https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-eventPress/Media Coverage

https://www.debian.org/security/2023/dsa-5521Mailing List

https://www.debian.org/security/2023/dsa-5522Mailing List

https://www.debian.org/security/2023/dsa-5540Mailing List

https://www.debian.org/security/2023/dsa-5549Mailing List

https://www.debian.org/security/2023/dsa-5558Mailing List

https://www.debian.org/security/2023/dsa-5570Third Party Advisory

https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487Third Party Advisory

https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/Vendor Advisory

https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/Mitigation

https://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List

https://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage

https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage

http://www.openwall.com/lists/oss-security/2023/10/13/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/13/9Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/4Mailing List

http://www.openwall.com/lists/oss-security/2023/10/18/8Mailing List

http://www.openwall.com/lists/oss-security/2023/10/19/6Mailing List

http://www.openwall.com/lists/oss-security/2023/10/20/8Mailing List

http://www.openwall.com/lists/oss-security/2025/08/13/6Third Party Advisory

https://access.redhat.com/security/cve/cve-2023-44487Vendor Advisory

https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/Press/Media Coverage

https://aws.amazon.com/security/security-bulletins/AWS-2023-011/Third Party Advisory

https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/Technical Description

https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/Third Party Advisory

https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/Vendor Advisory

https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attackPress/Media Coverage

https://blog.vespa.ai/cve-2023-44487/Vendor Advisory

https://bugzilla.proxmox.com/show_bug.cgi?id=4988Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=2242803Issue Tracking

https://bugzilla.suse.com/show_bug.cgi?id=1216123Issue Tracking

https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9Mailing List

https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/Technical Description

https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attackTechnical Description

https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125Vendor Advisory

https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715Third Party Advisory

https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cveBroken Link

https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764Vendor Advisory

https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088Issue Tracking

https://github.com/Azure/AKS/issues/3947Issue Tracking

https://github.com/Kong/kong/discussions/11741Issue Tracking

https://github.com/advisories/GHSA-qppj-fm5r-hxr3Vendor Advisory

https://github.com/advisories/GHSA-vx74-f528-fxqgMitigation

https://github.com/advisories/GHSA-xpw8-rcwv-8f8pPatch

https://github.com/akka/akka-http/issues/4323Issue Tracking

https://github.com/alibaba/tengine/issues/1872Issue Tracking

https://github.com/apache/apisix/issues/10320Issue Tracking

https://github.com/apache/httpd-site/pull/10Issue Tracking

https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113Product

https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2Product

https://github.com/apache/trafficserver/pull/10564Issue Tracking

https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487Vendor Advisory

https://github.com/bcdannyboy/CVE-2023-44487Third Party Advisory

https://github.com/caddyserver/caddy/issues/5877Issue Tracking

https://github.com/caddyserver/caddy/releases/tag/v2.7.5Release Notes

https://github.com/dotnet/announcements/issues/277Issue Tracking

https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73Product

https://github.com/eclipse/jetty.project/issues/10679Issue Tracking

https://github.com/envoyproxy/envoy/pull/30055Issue Tracking

https://github.com/etcd-io/etcd/issues/16740Issue Tracking

https://github.com/facebook/proxygen/pull/466Issue Tracking

https://github.com/golang/go/issues/63417Issue Tracking

https://github.com/grpc/grpc-go/pull/6703Issue Tracking

https://github.com/h2o/h2o/pull/3291Issue Tracking

https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqfVendor Advisory

https://github.com/haproxy/haproxy/issues/2312Issue Tracking

https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244Product

https://github.com/junkurihara/rust-rpxy/issues/97Issue Tracking

https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1Patch

https://github.com/kazu-yamamoto/http2/issues/93Issue Tracking

https://github.com/kubernetes/kubernetes/pull/121120Issue Tracking

https://github.com/line/armeria/pull/5232Issue Tracking

https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632Patch

https://github.com/micrictor/http2-rst-streamExploit

https://github.com/microsoft/CBL-Mariner/pull/6381Issue Tracking

https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61Patch

https://github.com/nghttp2/nghttp2/pull/1961Issue Tracking

https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0Release Notes

https://github.com/ninenines/cowboy/issues/1615Issue Tracking

https://github.com/nodejs/node/pull/50121Issue Tracking

https://github.com/openresty/openresty/issues/930Issue Tracking

https://github.com/opensearch-project/data-prepper/issues/3474Issue Tracking

https://github.com/oqtane/oqtane.framework/discussions/3367Issue Tracking

https://github.com/projectcontour/contour/pull/5826Issue Tracking

https://github.com/tempesta-tech/tempesta/issues/1986Issue Tracking

https://github.com/varnishcache/varnish-cache/issues/3996Issue Tracking

https://groups.google.com/g/golang-announce/c/iNNxDTCjZvoMailing List

https://istio.io/latest/news/security/istio-security-2023-004/Vendor Advisory

https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/Vendor Advisory

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87qMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00020.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00023.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00024.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00045.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/10/msg00047.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/11/msg00001.htmlMailing List

https://lists.debian.org/debian-lts-announce/2023/11/msg00012.htmlMailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3/Mailing List

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4/Mailing List

https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.htmlMailing List

https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.htmlMailing List

https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.htmlThird Party Advisory

https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/Patch

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487Mitigation

https://my.f5.com/manage/s/article/K000137106Vendor Advisory

https://netty.io/news/2023/10/10/4-1-100-Final.htmlRelease Notes

https://news.ycombinator.com/item?id=37830987Issue Tracking

https://news.ycombinator.com/item?id=37830998Issue Tracking

https://news.ycombinator.com/item?id=37831062Issue Tracking

https://news.ycombinator.com/item?id=37837043Issue Tracking

https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response/Third Party Advisory

https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffectedThird Party Advisory

https://security.gentoo.org/glsa/202311-09Third Party Advisory

https://security.netapp.com/advisory/ntap-20231016-0001/Third Party Advisory

https://security.netapp.com/advisory/ntap-20240426-0007/Third Party Advisory

https://security.netapp.com/advisory/ntap-20240621-0006/Exploit

https://security.netapp.com/advisory/ntap-20240621-0007/Third Party Advisory

https://security.paloaltonetworks.com/CVE-2023-44487Vendor Advisory

https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14Release Notes

https://ubuntu.com/security/CVE-2023-44487Vendor Advisory

https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/Third Party Advisory

https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487US Government Resource

https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-eventPress/Media Coverage

https://www.debian.org/security/2023/dsa-5521Mailing List

https://www.debian.org/security/2023/dsa-5522Mailing List

https://www.debian.org/security/2023/dsa-5540Mailing List

https://www.debian.org/security/2023/dsa-5549Mailing List

https://www.debian.org/security/2023/dsa-5558Mailing List

https://www.debian.org/security/2023/dsa-5570Third Party Advisory

https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487Third Party Advisory

https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487/Vendor Advisory

https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/Mitigation

https://www.openwall.com/lists/oss-security/2023/10/10/6Mailing List

https://www.phoronix.com/news/HTTP2-Rapid-Reset-AttackPress/Media Coverage

https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/Press/Media Coverage

https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-causeThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-082556.htmlThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-341067.htmlThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-784301.htmlThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-832273.htmlThird Party Advisory

https://cert-portal.siemens.com/productcert/html/ssa-915275.htmlThird Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487US Government Resource

Analysis#

Affected Component

Analysis

go-binary-native

python3-grpcio-tools

Vulnerability Ratings#

7.5

CVSSv31

7.5

CVSSv31

NaN

other

Others affected components#

Name

Project

Project Version

Version

Status

buildroot

2025.02.x

1.66.1

Not Affected

buildroot

2025.02.x

1.64.0

Not Affected

buildroot

2025.02.x

1.30.2

Not Affected

buildroot

master

1.80.0

Not Affected

buildroot

master

1.68.1

Not Affected

buildroot

master

1.30.2

Not Affected

golang-bootstrap

openwrt

master

1.24.13-r1

Not Affected

openwrt

master

1.26.4-r1

Not Affected

openwrt

master

1.66.0-r1

Not Affected

golang-bootstrap

openwrt

openwrt-25.12

1.24.13-r1

Not Affected

openwrt

openwrt-25.12

1.26.4-r1

Not Affected

openwrt

openwrt-25.12

1.66.0-r1

Not Affected

yocto

master

1.26.4

Not Affected

go-binary-native

yocto

master

1.26.4

Not Affected

yocto

master

1.80.0

Not Affected

yocto

master

1.69.0

Not Affected

yocto

master

1.30.2

Not Affected

yocto

master

1.78.0

Not Affected

python3-grpcio-tools

yocto

master

1.76.0

Not Affected

yocto

scarthgap

1.22.12

Not Affected

go-binary-native

yocto

scarthgap

1.22.12

Not Affected

yocto

scarthgap

1.60.1

Not Affected

yocto

scarthgap

1.61.0

Not Affected

yocto

scarthgap

1.25.5

Not Affected

yocto

scarthgap

1.62.2

Not Affected

python3-grpcio-tools

yocto

scarthgap

1.62.2

Not Affected

Resolved with patches#

nghttp2 (yocto:kirkstone)

#

Title

Author

Resolve

1

Rework session management

Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>

CVE-2023-44487