
CVE-2023-44487 - HTTP/2 Rapid Reset Attack

IDs: 
CVE-2023-44487
Keywords: 
HTTP/2, streams, DoS
Description: 

CVE-2023-44487, also known as the "HTTP/2 Rapid Reset Attack", affects HTTP/2-capable web servers. A client opens a stream with a HEADERS frame and cancels it immediately with RST_STREAM. The server has already begun processing the request, but the cancelled stream no longer counts against the connection's concurrent-stream limit, so a single connection can submit far more requests than that limit was meant to allow. The resulting load can lead to a Denial of Service. For details see [1,2].

Airlock Gateway uses Apache/mod_http2 and Airlock Microgateway uses Envoy to provide HTTP/2 on front-side (downstream) connections. Apache/mod_http2 in turn uses nghttp2 as its HTTP/2 implementation.

Hotfix HF0055 updates Airlock Gateway to the newest version of nghttp2, which mitigates the problem by rate-limiting stream resets per connection (details see [3]).

We do not recommend disabling HTTP/2 in general: HTTP/2 not only performs better but also offers some security benefits over the text-based HTTP/1.x versions of the protocol.

Resolution: 

We recommend applying HF0055 for Airlock Gateway.

If you want to disable HTTP/2 for front-side connections on Airlock Gateway you can do this individually on any Virtual Host in the Configuration Center.

Other WAF vendors recommend limiting the number of parallel HTTP/2 streams per connection. Airlock Gateway already limits the number of streams per TCP connection to 100, and we do not recommend changing this value. Note that this limit alone does not stop Rapid Reset: a cancelled stream frees its slot immediately, so an attacker can stay well below 100 concurrent streams while still submitting requests at line rate. Applying the hotfix is the effective mitigation.
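As an added illustration (not code from Airlock, Apache or nghttp2), the following Python model shows why a concurrent-stream cap does not bound the request rate under Rapid Reset, and what a per-connection reset rate limit changes. It replays a constructed sequence of HEADERS/RST_STREAM frames against a toy connection state. The cap of 100 streams is the value named above; the token-bucket burst and rate values are illustrative assumptions, not Airlock or nghttp2 settings.

```python
"""Toy model of HTTP/2 per-connection stream accounting under Rapid Reset.

Added example, not code from Airlock, Apache or nghttp2. The frame sequences
are constructed inline; no network traffic is involved.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_CONCURRENT_STREAMS = 100  # per-connection stream cap named in the advisory


@dataclass
class ConnectionState:
    open_streams: set = field(default_factory=set)
    requests_dispatched: int = 0  # requests the server started working on
    refused: int = 0              # HEADERS rejected because the cap was reached
    peak_concurrency: int = 0     # most streams open at any one moment
    closed: bool = False          # connection torn down by the reset rate limit


class ResetRateLimiter:
    """Token bucket for RST_STREAM frames, modelled on the idea behind
    nghttp2's stream reset rate limit. The burst/rate values are assumptions."""

    def __init__(self, burst: int, rate: float) -> None:
        self.burst = burst
        self.rate = rate          # tokens refilled per second
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def process_frames(frames, limiter: Optional[ResetRateLimiter] = None) -> ConnectionState:
    """Replay (timestamp_seconds, frame_type, stream_id) frames on one connection."""
    st = ConnectionState()
    for ts, ftype, sid in frames:
        if ftype == "HEADERS":
            if len(st.open_streams) >= MAX_CONCURRENT_STREAMS:
                st.refused += 1   # a real server answers RST_STREAM(REFUSED_STREAM)
                continue
            st.open_streams.add(sid)
            st.requests_dispatched += 1  # work starts as soon as headers arrive
            st.peak_concurrency = max(st.peak_concurrency, len(st.open_streams))
        elif ftype == "RST_STREAM":
            # Cancelling frees the concurrency slot at once, but the work
            # already dispatched for this stream is not undone.
            st.open_streams.discard(sid)
            if limiter is not None and not limiter.allow(ts):
                st.closed = True     # GOAWAY: too many resets, drop the client
                break
    return st


def rapid_reset_frames(n: int, interval: float = 0.0001):
    """Attacker pattern: every HEADERS is followed immediately by RST_STREAM."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1   # client-initiated streams use odd IDs
        frames.append((i * interval, "HEADERS", sid))
        frames.append((i * interval, "RST_STREAM", sid))
    return frames


def plain_flood_frames(n: int, interval: float = 0.0001):
    """Naive flood: open streams and never cancel them."""
    return [(i * interval, "HEADERS", 2 * i + 1) for i in range(n)]


if __name__ == "__main__":
    n = 10_000
    flood = process_frames(plain_flood_frames(n))
    reset = process_frames(rapid_reset_frames(n))
    limited = process_frames(rapid_reset_frames(n), ResetRateLimiter(burst=1000, rate=33))
    print(f"plain flood : dispatched={flood.requests_dispatched} refused={flood.refused}")
    print(f"rapid reset : dispatched={reset.requests_dispatched} peak={reset.peak_concurrency}")
    print(f"with limiter: dispatched={limited.requests_dispatched} closed={limited.closed}")
```

Running the file shows the three cases side by side: the plain flood is stopped at 100 dispatched requests by the concurrency cap, the rapid-reset sequence dispatches all 10,000 requests while never having more than one stream open, and the reset rate limiter closes the connection after roughly one burst worth of resets. The model ignores HPACK, flow control and response handling on purpose; the point is only the accounting that the cap sees versus the work the server actually performs.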

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration