CVE-2023-44487

Name: CVE-2023-44487
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3617-1, DLA-3621-1, DLA-3638-1, DLA-3641-1, DLA-3645-1, DLA-3656-1, DSA-5521-1, DSA-5522-1, DSA-5540-1, DSA-5549-1, DSA-5558-1, DSA-5570-1, ELA-984-1
Debian Bugs: 1053769, 1053770, 1053801, 1054232, 1054234, 1054427, 1056156, 1074421

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
dnsdist (PTS) | stretch | 1.1.0-2+deb9u1 | fixed
dnsdist (PTS) | buster | 1.3.3-3 | fixed
dnsdist (PTS) | bullseye | 1.5.1-3 | vulnerable
dnsdist (PTS) | bookworm | 1.7.3-2 | vulnerable
dnsdist (PTS) | trixie | 1.9.6-1 | fixed
dnsdist (PTS) | sid | 1.9.8-1 | fixed
grpc (PTS) | buster | 1.16.1-1 | vulnerable
grpc (PTS) | bullseye | 1.30.2-3 | vulnerable
grpc (PTS) | bookworm | 1.51.1-3 | vulnerable
grpc (PTS) | sid, trixie | 1.51.1-5 | vulnerable
h2o (PTS) | buster (security), buster, buster (lts) | 2.2.5+dfsg2-2+deb10u2 | fixed
h2o (PTS) | bullseye | 2.2.5+dfsg2-6 | vulnerable
h2o (PTS) | bookworm | 2.2.5+dfsg2-7 | vulnerable
h2o (PTS) | sid, trixie | 2.2.5+dfsg2-9 | fixed
haproxy (PTS) | jessie, jessie (lts) | 1.5.8-3+deb8u4 | fixed
haproxy (PTS) | stretch (security) | 1.7.5-2+deb9u1 | fixed
haproxy (PTS) | stretch (lts), stretch | 1.7.5-2+deb9u2 | fixed
haproxy (PTS) | buster (security), buster, buster (lts) | 1.8.19-1+deb10u5 | fixed
haproxy (PTS) | bullseye (security), bullseye | 2.2.9-2+deb11u6 | fixed
haproxy (PTS) | bookworm (security), bookworm | 2.6.12-1+deb12u1 | fixed
haproxy (PTS) | sid, trixie | 3.0.7-1 | fixed
jetty8 (PTS) | jessie, jessie (lts) | 8.1.16-4+deb8u1 | fixed
jetty9 (PTS) | stretch (security), stretch (lts), stretch | 9.2.30-0+deb9u2 | fixed
jetty9 (PTS) | buster (security), buster, buster (lts) | 9.4.50-4+deb10u2 | fixed
jetty9 (PTS) | bullseye (security), bullseye | 9.4.50-4+deb11u2 | fixed
jetty9 (PTS) | bookworm (security), bookworm | 9.4.50-4+deb12u3 | fixed
jetty9 (PTS) | sid, trixie | 9.4.56-1 | fixed
netty (PTS) | jessie, jessie (lts) | 1:3.2.6.Final-2+deb8u2 | fixed
netty (PTS) | stretch (security) | 1:4.1.7-2+deb9u3 | vulnerable
netty (PTS) | stretch (lts), stretch | 1:4.1.7-2+deb9u5 | vulnerable
netty (PTS) | buster (security), buster, buster (lts) | 1:4.1.33-1+deb10u5 | fixed
netty (PTS) | bullseye (security), bullseye | 1:4.1.48-4+deb11u2 | fixed
netty (PTS) | bookworm (security), bookworm | 1:4.1.48-7+deb12u1 | fixed
netty (PTS) | sid, trixie | 1:4.1.48-10 | fixed
netty-3.9 (PTS) | jessie, jessie (lts) | 3.9.0.Final-1+deb8u2 | fixed
netty-3.9 (PTS) | stretch (security) | 3.9.9.Final-1+deb9u1 | fixed
netty-3.9 (PTS) | stretch (lts), stretch | 3.9.9.Final-1+deb9u2 | fixed
nghttp2 (PTS) | jessie, jessie (lts) | 0.6.4-2+deb8u1 | vulnerable
nghttp2 (PTS) | stretch (security) | 1.18.1-1+deb9u2 | vulnerable
nghttp2 (PTS) | stretch (lts), stretch | 1.18.1-1+deb9u4 | fixed
nghttp2 (PTS) | buster (security), buster, buster (lts) | 1.36.0-2+deb10u3 | fixed
nghttp2 (PTS) | bullseye | 1.43.0-1+deb11u1 | fixed
nghttp2 (PTS) | bullseye (security) | 1.43.0-1+deb11u2 | fixed
nghttp2 (PTS) | bookworm | 1.52.0-1+deb12u2 | fixed
nghttp2 (PTS) | bookworm (security) | 1.52.0-1+deb12u1 | fixed
nghttp2 (PTS) | sid, trixie | 1.64.0-1 | fixed
nginx (PTS) | jessie, jessie (lts) | 1.6.2-5+deb8u10 | vulnerable
nginx (PTS) | stretch (security) | 1.10.3-1+deb9u7 | vulnerable
nginx (PTS) | stretch (lts), stretch | 1.10.3-1+deb9u8 | vulnerable
nginx (PTS) | buster (security), buster, buster (lts) | 1.14.2-2+deb10u5 | vulnerable
nginx (PTS) | bullseye (security), bullseye | 1.18.0-6.1+deb11u3 | vulnerable
nginx (PTS) | bookworm | 1.22.1-9 | vulnerable
nginx (PTS) | sid, trixie | 1.26.0-3 | fixed
tomcat10 (PTS) | bookworm (security), bookworm | 10.1.6-1+deb12u2 | fixed
tomcat10 (PTS) | sid, trixie | 10.1.34-1 | fixed
tomcat7 (PTS) | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u6 | fixed
tomcat7 (PTS) | stretch | 7.0.75-1 | fixed
tomcat8 (PTS) | jessie, jessie (lts) | 8.0.14-1+deb8u28 | fixed
tomcat8 (PTS) | stretch (security) | 8.5.54-0+deb9u8 | vulnerable
tomcat8 (PTS) | stretch (lts), stretch | 8.5.54-0+deb9u15 | fixed
tomcat9 (PTS) | buster (security), buster, buster (lts) | 9.0.31-1~deb10u12 | fixed
tomcat9 (PTS) | bullseye (security), bullseye | 9.0.43-2~deb11u10 | fixed
tomcat9 (PTS) | bookworm | 9.0.70-2 | fixed
tomcat9 (PTS) | sid, trixie | 9.0.95-1 | fixed
trafficserver (PTS) | buster (security), buster, buster (lts) | 8.1.7-0+deb10u4 | fixed
trafficserver (PTS) | bullseye | 8.1.10+ds-1~deb11u1 | fixed
trafficserver (PTS) | bullseye (security) | 8.1.11+ds-0+deb11u1 | fixed
trafficserver (PTS) | bookworm (security), bookworm | 9.2.5+ds-0+deb12u1 | fixed
trafficserver (PTS) | sid | 9.2.5+ds-1 | fixed
varnish (PTS) | jessie, jessie (lts) | 4.0.2-1+deb8u1 | fixed
varnish (PTS) | stretch (security), stretch (lts), stretch | 5.0.0-7+deb9u3 | vulnerable
varnish (PTS) | buster (security), buster, buster (lts) | 6.1.1-1+deb10u4 | vulnerable
varnish (PTS) | bullseye (security), bullseye | 6.5.1-1+deb11u3 | vulnerable
varnish (PTS) | bookworm | 7.1.1-1.1 | vulnerable
varnish (PTS) | sid, trixie | 7.6.1-2 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
dnsdist | source | stretch | (not affected) | | |
dnsdist | source | buster | (not affected) | | |
dnsdist | source | (unstable) | 1.8.2-2 | | |
grpc | source | (unstable) | (unfixed) | | | 1074421
h2o | source | buster | 2.2.5+dfsg2-2+deb10u2 | | DLA-3638-1 |
h2o | source | (unstable) | 2.2.5+dfsg2-8 | | | 1054232
haproxy | source | jessie | (not affected) | | |
haproxy | source | stretch | (not affected) | | |
haproxy | source | (unstable) | 1.8.13-1 | | |
jetty8 | source | jessie | (not affected) | | |
jetty8 | source | (unstable) | (unfixed) | | |
jetty9 | source | stretch | (not affected) | | |
jetty9 | source | buster | 9.4.50-4+deb10u1 | | DLA-3641-1 |
jetty9 | source | bullseye | 9.4.50-4+deb11u1 | | DSA-5540-1 |
jetty9 | source | bookworm | 9.4.50-4+deb12u2 | | DSA-5540-1 |
jetty9 | source | (unstable) | 9.4.53-1 | | |
netty | source | jessie | (not affected) | | |
netty | source | buster | 1:4.1.33-1+deb10u4 | | DLA-3656-1 |
netty | source | bullseye | 1:4.1.48-4+deb11u2 | | DSA-5558-1 |
netty | source | bookworm | 1:4.1.48-7+deb12u1 | | DSA-5558-1 |
netty | source | (unstable) | 1:4.1.48-8 | | | 1054234
netty-3.9 | source | (unstable) | (not affected) | | |
nghttp2 | source | stretch | 1.18.1-1+deb9u3 | | ELA-984-1 |
nghttp2 | source | buster | 1.36.0-2+deb10u2 | | DLA-3621-1 |
nghttp2 | source | bullseye | 1.43.0-1+deb11u1 | | DSA-5570-1 |
nghttp2 | source | bookworm | 1.52.0-1+deb12u1 | | DSA-5570-1 |
nghttp2 | source | (unstable) | 1.57.0-1 | | | 1053769
nginx | source | (unstable) | 1.24.0-2 | unimportant | | 1053770
tomcat10 | source | bookworm | 10.1.6-1+deb12u1 | | DSA-5521-1 |
tomcat10 | source | (unstable) | 10.1.14-1 | | |
tomcat7 | source | (unstable) | (not affected) | | |
tomcat8 | source | jessie | (not affected) | | |
tomcat8 | source | stretch | 8.5.54-0+deb9u12 | | |
tomcat8 | source | (unstable) | (unfixed) | | |
tomcat9 | source | buster | 9.0.31-1~deb10u9 | | DLA-3617-1 |
tomcat9 | source | bullseye | 9.0.43-2~deb11u7 | | DSA-5522-1 |
tomcat9 | source | (unstable) | 9.0.70-2 | | |
trafficserver | source | buster | 8.1.7-0+deb10u3 | | DLA-3645-1 |
trafficserver | source | bullseye | 8.1.9+ds-1~deb11u1 | | DSA-5549-1 |
trafficserver | source | bookworm | 9.2.3+ds-1+deb12u1 | | DSA-5549-1 |
trafficserver | source | (unstable) | 9.2.3+ds-1 | | | 1053801, 1054427
varnish | source | jessie | (not affected) | | |
varnish | source | (unstable) | 7.5.0-1 | | | 1056156

Notes

[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <no-dsa> (Minor issue)
[bookworm] - h2o <no-dsa> (Minor issue)
[bullseye] - h2o <postponed> (Minor issue, DoS)
[bookworm] - dnsdist <no-dsa> (Minor issue)
[bullseye] - dnsdist <no-dsa> (Minor issue)
[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
Starting with 9.0.70-2, tomcat9 no longer ships the server stack, so that version is used as the fixed version
ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
ATS: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
ATS: https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.9)
grpc: https://github.com/grpc/grpc/pull/34763
h2o: https://github.com/h2o/h2o/commit/28fe15117b909588bf14269a0e1c6ec4548579fe
dnsdist: the h2o change breaks the ABI, hence dnsdist switched to a vendored fix in 1.8.2-2
haproxy: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dcdf32a2cb263c5bd22b7fc98698ce59a (v1.9-dev1)
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44136.html
nginx: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
nginx: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9
nghttp2: https://github.com/nghttp2/nghttp2/pull/1961
nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
nghttp2: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 (v1.57.0)
jetty9: https://github.com/eclipse/jetty.project/issues/10679
jetty9: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Go uses CVE-2023-39325 to track this
netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)
varnish: https://varnish-cache.org/security/VSV00013.html
varnish: https://github.com/varnishcache/varnish-cache/issues/3996
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2023-44487
Unaffected implementations not requiring code changes:
- rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- apache2: https://chaos.social/@icing/111210915918780532
- lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9
[stretch] - dnsdist <not-affected> (HTTP/2 support was added later)
[stretch] - haproxy <not-affected> (HTTP/2 support added in 1.8)
[jessie] - haproxy <not-affected> (HTTP/2 support added in 1.8)
[jessie] - jetty8 <not-affected> (HTTP/2 support was added later)
[stretch] - jetty9 <not-affected> (HTTP/2 support was added later)
[stretch] - netty <ignored> (Fix requires a complete overhaul of the codec-http2 module)
[jessie] - netty <not-affected> (HTTP/2 support was added later)
- netty-3.9 <not-affected> (HTTP/2 support was added later)
- tomcat7 <not-affected> (HTTP/2 support was added later)
[jessie] - tomcat8 <not-affected> (HTTP/2 support was added later)
[stretch] - varnish <ignored> (Experimental HTTP/2 support is not recommended)
[jessie] - varnish <not-affected> (HTTP/2 support was added later)
