CVE-2023-44487
Published: 10 October 2023
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Notes
| Author | Note |
|---|---|
| mdeslaur | The nginx developers do not consider nginx to be affected by this issue due to the default configuration restricting the number of requests per connectiong (keepalive_requests). They did provide a patch to harden nginx even further in environments where the default are substantially modified. haproxy was fixed in 2018 by the commit listed below Debian's tomcat9 update caused a regression, investigate before fixing tomcat packages. |
| ccdm94 | see https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html for more information on nginx developer's position regarding this CVE. |
| 0xnishit | for golang-1.21 and 1.20, it is same patch as CVE-2023-39325 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
dotnet6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(6.0.123-0ubuntu1~22.04.1)
|
|
| lunar |
Released
(6.0.123-0ubuntu1~23.04.1)
|
|
| mantic |
Released
(6.0.123-0ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(6.0.23)
|
|
| xenial |
Does not exist
|
|
|
dotnet7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Released
(7.0.112-0ubuntu1~22.04.1)
|
|
| lunar |
Released
(7.0.112-0ubuntu1~23.04.1)
|
|
| mantic |
Released
(7.0.112-0ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(7.0.12)
|
|
| xenial |
Does not exist
|
|
|
dotnet8 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Not vulnerable
(8.0.102-8.0.2-0ubuntu1~22.04.1)
|
|
| lunar |
Does not exist
|
|
| mantic |
Released
(8.0.100-8.0.0~rc2-0ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.0-rc.2)
|
|
| xenial |
Does not exist
|
|
|
golang Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.10 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.13 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.14 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Needs triage
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.16 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.17 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Needs triage
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.18 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.19 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.20 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(1.20.3-1ubuntu0.1~20.04.1)
|
|
| jammy |
Released
(1.20.3-1ubuntu0.1~22.04.1)
|
|
| lunar |
Released
(1.20.3-1ubuntu0.2)
|
|
| mantic |
Released
(1.20.8-1ubuntu0.23.10.1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.21 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(1.21.1-1~ubuntu20.04.2)
|
|
| jammy |
Released
(1.21.1-1~ubuntu22.04.2)
|
|
| lunar |
Released
(1.21.1-1~ubuntu23.04.2)
|
|
| mantic |
Released
(1.21.1-1ubuntu0.23.10.1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
golang-1.8 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
golang-1.9 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
h2o Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
haproxy Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Not vulnerable
(2.0.31-0ubuntu0.2)
|
|
| jammy |
Not vulnerable
(2.4.22-0ubuntu0.22.04.2)
|
|
| lunar |
Not vulnerable
(2.6.9-1ubuntu1.1)
|
|
| mantic |
Not vulnerable
(2.6.15-1ubuntu2)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
Patches: upstream: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dc |
||
|
netty Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Needed
|
|
| jammy |
Needed
|
|
| kinetic |
Ignored
(end of life, was needs-triage)
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needed
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
nghttp2 Launchpad, Ubuntu, Debian |
bionic |
Released
(1.30.0-1ubuntu1+esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| focal |
Released
(1.40.0-1ubuntu0.2)
|
|
| jammy |
Released
(1.43.0-1ubuntu0.1)
|
|
| lunar |
Released
(1.52.0-1ubuntu0.1)
|
|
| mantic |
Released
(1.55.1-1ubuntu0.1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(1.7.1-1ubuntu0.1~esm2)
Available with Ubuntu Pro |
|
|
Patches: upstream: https://github.com/nghttp2/nghttp2/pull/1961 upstream: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 |
||
|
nginx Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
|
| focal |
Not vulnerable
|
|
| jammy |
Not vulnerable
|
|
| lunar |
Not vulnerable
|
|
| mantic |
Not vulnerable
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
|
Patches: upstream: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9 |
||
|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| trusty |
Needs triage
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
tomcat10 Launchpad, Ubuntu, Debian |
bionic |
Ignored
(end of standard support)
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(10.1.14)
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
Patches: upstream: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.5.94)
|
|
| xenial |
Needs triage
|
|
|
tomcat9 Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Released
(9.0.81)
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
Patches: upstream: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a |
||
|
trafficserver Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
| focal |
Needs triage
|
|
| jammy |
Needs triage
|
|
| lunar |
Ignored
(end of life, was needs-triage)
|
|
| mantic |
Needs triage
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
Patches: upstream: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://my.f5.com/manage/s/article/K000137106
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
- https://devblogs.microsoft.com/dotnet/october-2023-updates/
- https://ubuntu.com/security/notices/USN-6427-1
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://ubuntu.com/security/notices/USN-6427-2
- https://ubuntu.com/security/notices/USN-6438-1
- https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
- https://ubuntu.com/security/notices/USN-6505-1
- https://ubuntu.com/security/notices/USN-6574-1
- https://www.cve.org/CVERecord?id=CVE-2023-44487
- https://ubuntu.com/security/notices/USN-6754-1
- NVD
- Launchpad
- Debian