CVE-2023-44487, also known as the "HTTP/2 Rapid Reset Attack", affects HTTP/2-capable web servers: rapid stream generation and cancellation can cause additional load, which could lead to a denial of service. For details, see [1,2].
Airlock Gateway uses Apache/mod_http2 and Airlock Microgateway uses Envoy to provide HTTP/2 for front-side/downstream connections. Apache/mod_http2 in turn uses Nghttp2 as its HTTP/2 implementation.
Hotfix HF0055 is available to update Airlock Gateway to the newest version of Nghttp2, which mitigates the problem (for details, see [3]).
We do not recommend disabling HTTP/2 in general, because HTTP/2 provides not only better performance but also some security benefits over the text-based 1.x version of the protocol.
We recommend applying HF0055 for Airlock Gateway.
If you want to disable HTTP/2 for front-side connections on Airlock Gateway, you can do so individually for each Virtual Host in the Configuration Center.
Other WAF vendors recommend limiting the number of parallel HTTP/2 streams per connection. Airlock Gateway already limits the number of streams per TCP connection to 100. We do not recommend changing this value.
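For teams that want to check captured front-side traffic for the pattern described above, the following added example (not Airlock, Apache or Nghttp2 code) parses client-to-server HTTP/2 frames from one decrypted connection and reports how many streams were opened, how many the client cancelled, and the peak number of concurrently open streams. The function names, the thresholds in `looks_like_rapid_reset` and the sample byte strings are assumptions constructed for illustration.

```python
import struct

HEADERS, RST_STREAM = 0x1, 0x3  # HTTP/2 frame type codes (RFC 9113)
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface

def iter_frames(buf):
    """Yield (type, stream_id) for each complete frame in client-to-server bytes."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    while pos + 9 <= len(buf):
        # 9-byte frame header: 24-bit length, type, flags, 31-bit stream id
        hi, lo, ftype, _flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        pos += 9 + ((hi << 16) | lo)
        if pos > len(buf):
            break  # truncated capture: stop instead of misparsing
        yield ftype, sid & 0x7FFFFFFF  # top bit of the stream id is reserved

def reset_stats(buf):
    """Count opened streams, client-side resets and peak concurrently open streams.

    Only the client direction is seen, so a stream counts as open until the
    client resets it (assumption of this example).
    """
    seen, open_now, resets, peak = set(), set(), 0, 0
    for ftype, sid in iter_frames(buf):
        if ftype == HEADERS and sid not in seen:
            seen.add(sid)
            open_now.add(sid)
            peak = max(peak, len(open_now))
        elif ftype == RST_STREAM and sid in open_now:
            open_now.remove(sid)
            resets += 1
    return {"opened": len(seen), "client_resets": resets, "peak_open": peak}

def looks_like_rapid_reset(stats, min_streams=50, min_ratio=0.9):
    """Assumed heuristic: many streams, nearly all cancelled by the client."""
    return (stats["opened"] >= max(min_streams, 1)
            and stats["client_resets"] / stats["opened"] >= min_ratio)

def _frame(ftype, sid, payload=b""):
    """Serialize one frame for the constructed samples below (flags left at 0)."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, 0, sid) + payload

# Constructed samples; b"hdr" is an opaque placeholder, not a real header block.
CANCEL = b"\x00\x00\x00\x08"  # RST_STREAM error code CANCEL
BENIGN = PREFACE + b"".join(_frame(HEADERS, sid, b"hdr") for sid in (1, 3, 5))
SUSPECT = PREFACE + b"".join(
    _frame(HEADERS, sid, b"hdr") + _frame(RST_STREAM, sid, CANCEL)
    for sid in range(1, 121, 2))

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("suspect", SUSPECT)):
        stats = reset_stats(buf)
        print(name, stats, looks_like_rapid_reset(stats))
```

In the constructed suspect sample, the peak number of open streams stays at 1 while 60 streams are opened and cancelled, so the reset count is the signal to watch in addition to the concurrent-stream count.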