Name | CVE-2023-44487 |
---|---|
Description | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-3617-1, DLA-3621-1, DLA-3638-1, DLA-3641-1, DLA-3645-1, DLA-3656-1, DSA-5521-1, DSA-5522-1, DSA-5540-1, DSA-5549-1, DSA-5558-1, DSA-5570-1, ELA-984-1 |
Debian Bugs | 1053769, 1053770, 1053801, 1054232, 1054234, 1054427, 1056156, 1074421 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
dnsdist | stretch | 1.1.0-2+deb9u1 | fixed |
dnsdist | buster | 1.3.3-3 | fixed |
dnsdist | bullseye | 1.5.1-3 | vulnerable |
dnsdist | bookworm | 1.7.3-2 | vulnerable |
dnsdist | trixie | 1.9.6-1 | fixed |
dnsdist | sid | 1.9.8-1 | fixed |
grpc | buster | 1.16.1-1 | vulnerable |
grpc | bullseye | 1.30.2-3 | vulnerable |
grpc | bookworm | 1.51.1-3 | vulnerable |
grpc | sid, trixie | 1.51.1-5 | vulnerable |
h2o | buster (security), buster, buster (lts) | 2.2.5+dfsg2-2+deb10u2 | fixed |
h2o | bullseye | 2.2.5+dfsg2-6 | vulnerable |
h2o | bookworm | 2.2.5+dfsg2-7 | vulnerable |
h2o | sid, trixie | 2.2.5+dfsg2-9 | fixed |
haproxy | jessie, jessie (lts) | 1.5.8-3+deb8u4 | fixed |
haproxy | stretch (security) | 1.7.5-2+deb9u1 | fixed |
haproxy | stretch (lts), stretch | 1.7.5-2+deb9u2 | fixed |
haproxy | buster (security), buster, buster (lts) | 1.8.19-1+deb10u5 | fixed |
haproxy | bullseye (security), bullseye | 2.2.9-2+deb11u6 | fixed |
haproxy | bookworm (security), bookworm | 2.6.12-1+deb12u1 | fixed |
haproxy | sid, trixie | 3.0.7-1 | fixed |
jetty8 | jessie, jessie (lts) | 8.1.16-4+deb8u1 | fixed |
jetty9 | stretch (security), stretch (lts), stretch | 9.2.30-0+deb9u2 | fixed |
jetty9 | buster (security), buster, buster (lts) | 9.4.50-4+deb10u2 | fixed |
jetty9 | bullseye (security), bullseye | 9.4.50-4+deb11u2 | fixed |
jetty9 | bookworm (security), bookworm | 9.4.50-4+deb12u3 | fixed |
jetty9 | sid, trixie | 9.4.56-1 | fixed |
netty | jessie, jessie (lts) | 1:3.2.6.Final-2+deb8u2 | fixed |
netty | stretch (security) | 1:4.1.7-2+deb9u3 | vulnerable |
netty | stretch (lts), stretch | 1:4.1.7-2+deb9u5 | vulnerable |
netty | buster (security), buster, buster (lts) | 1:4.1.33-1+deb10u5 | fixed |
netty | bullseye (security), bullseye | 1:4.1.48-4+deb11u2 | fixed |
netty | bookworm (security), bookworm | 1:4.1.48-7+deb12u1 | fixed |
netty | sid, trixie | 1:4.1.48-10 | fixed |
netty-3.9 | jessie, jessie (lts) | 3.9.0.Final-1+deb8u2 | fixed |
netty-3.9 | stretch (security) | 3.9.9.Final-1+deb9u1 | fixed |
netty-3.9 | stretch (lts), stretch | 3.9.9.Final-1+deb9u2 | fixed |
nghttp2 | jessie, jessie (lts) | 0.6.4-2+deb8u1 | vulnerable |
nghttp2 | stretch (security) | 1.18.1-1+deb9u2 | vulnerable |
nghttp2 | stretch (lts), stretch | 1.18.1-1+deb9u4 | fixed |
nghttp2 | buster (security), buster, buster (lts) | 1.36.0-2+deb10u3 | fixed |
nghttp2 | bullseye | 1.43.0-1+deb11u1 | fixed |
nghttp2 | bullseye (security) | 1.43.0-1+deb11u2 | fixed |
nghttp2 | bookworm | 1.52.0-1+deb12u2 | fixed |
nghttp2 | bookworm (security) | 1.52.0-1+deb12u1 | fixed |
nghttp2 | sid, trixie | 1.64.0-1 | fixed |
nginx | jessie, jessie (lts) | 1.6.2-5+deb8u10 | vulnerable |
nginx | stretch (security) | 1.10.3-1+deb9u7 | vulnerable |
nginx | stretch (lts), stretch | 1.10.3-1+deb9u8 | vulnerable |
nginx | buster (security), buster, buster (lts) | 1.14.2-2+deb10u5 | vulnerable |
nginx | bullseye (security), bullseye | 1.18.0-6.1+deb11u3 | vulnerable |
nginx | bookworm | 1.22.1-9 | vulnerable |
nginx | sid, trixie | 1.26.0-3 | fixed |
tomcat10 | bookworm (security), bookworm | 10.1.6-1+deb12u2 | fixed |
tomcat10 | sid, trixie | 10.1.34-1 | fixed |
tomcat7 | jessie, jessie (lts) | 7.0.56-3+really7.0.109-1+deb8u6 | fixed |
tomcat7 | stretch | 7.0.75-1 | fixed |
tomcat8 | jessie, jessie (lts) | 8.0.14-1+deb8u28 | fixed |
tomcat8 | stretch (security) | 8.5.54-0+deb9u8 | vulnerable |
tomcat8 | stretch (lts), stretch | 8.5.54-0+deb9u15 | fixed |
tomcat9 | buster (security), buster, buster (lts) | 9.0.31-1~deb10u12 | fixed |
tomcat9 | bullseye (security), bullseye | 9.0.43-2~deb11u10 | fixed |
tomcat9 | bookworm | 9.0.70-2 | fixed |
tomcat9 | sid, trixie | 9.0.95-1 | fixed |
trafficserver | buster (security), buster, buster (lts) | 8.1.7-0+deb10u4 | fixed |
trafficserver | bullseye | 8.1.10+ds-1~deb11u1 | fixed |
trafficserver | bullseye (security) | 8.1.11+ds-0+deb11u1 | fixed |
trafficserver | bookworm (security), bookworm | 9.2.5+ds-0+deb12u1 | fixed |
trafficserver | sid | 9.2.5+ds-1 | fixed |
varnish | jessie, jessie (lts) | 4.0.2-1+deb8u1 | fixed |
varnish | stretch (security), stretch (lts), stretch | 5.0.0-7+deb9u3 | vulnerable |
varnish | buster (security), buster, buster (lts) | 6.1.1-1+deb10u4 | vulnerable |
varnish | bullseye (security), bullseye | 6.5.1-1+deb11u3 | vulnerable |
varnish | bookworm | 7.1.1-1.1 | vulnerable |
varnish | sid, trixie | 7.6.1-2 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
dnsdist | source | stretch | (not affected) | | | |
dnsdist | source | buster | (not affected) | | | |
dnsdist | source | (unstable) | 1.8.2-2 | | | |
grpc | source | (unstable) | (unfixed) | | | 1074421 |
h2o | source | buster | 2.2.5+dfsg2-2+deb10u2 | | DLA-3638-1 | |
h2o | source | (unstable) | 2.2.5+dfsg2-8 | | | 1054232 |
haproxy | source | jessie | (not affected) | | | |
haproxy | source | stretch | (not affected) | | | |
haproxy | source | (unstable) | 1.8.13-1 | | | |
jetty8 | source | jessie | (not affected) | | | |
jetty8 | source | (unstable) | (unfixed) | | | |
jetty9 | source | stretch | (not affected) | | | |
jetty9 | source | buster | 9.4.50-4+deb10u1 | | DLA-3641-1 | |
jetty9 | source | bullseye | 9.4.50-4+deb11u1 | | DSA-5540-1 | |
jetty9 | source | bookworm | 9.4.50-4+deb12u2 | | DSA-5540-1 | |
jetty9 | source | (unstable) | 9.4.53-1 | | | |
netty | source | jessie | (not affected) | | | |
netty | source | buster | 1:4.1.33-1+deb10u4 | | DLA-3656-1 | |
netty | source | bullseye | 1:4.1.48-4+deb11u2 | | DSA-5558-1 | |
netty | source | bookworm | 1:4.1.48-7+deb12u1 | | DSA-5558-1 | |
netty | source | (unstable) | 1:4.1.48-8 | | | 1054234 |
netty-3.9 | source | (unstable) | (not affected) | | | |
nghttp2 | source | stretch | 1.18.1-1+deb9u3 | | ELA-984-1 | |
nghttp2 | source | buster | 1.36.0-2+deb10u2 | | DLA-3621-1 | |
nghttp2 | source | bullseye | 1.43.0-1+deb11u1 | | DSA-5570-1 | |
nghttp2 | source | bookworm | 1.52.0-1+deb12u1 | | DSA-5570-1 | |
nghttp2 | source | (unstable) | 1.57.0-1 | | | 1053769 |
nginx | source | (unstable) | 1.24.0-2 | unimportant | | 1053770 |
tomcat10 | source | bookworm | 10.1.6-1+deb12u1 | | DSA-5521-1 | |
tomcat10 | source | (unstable) | 10.1.14-1 | | | |
tomcat7 | source | (unstable) | (not affected) | | | |
tomcat8 | source | jessie | (not affected) | | | |
tomcat8 | source | stretch | 8.5.54-0+deb9u12 | | | |
tomcat8 | source | (unstable) | (unfixed) | | | |
tomcat9 | source | buster | 9.0.31-1~deb10u9 | | DLA-3617-1 | |
tomcat9 | source | bullseye | 9.0.43-2~deb11u7 | | DSA-5522-1 | |
tomcat9 | source | (unstable) | 9.0.70-2 | | | |
trafficserver | source | buster | 8.1.7-0+deb10u3 | | DLA-3645-1 | |
trafficserver | source | bullseye | 8.1.9+ds-1~deb11u1 | | DSA-5549-1 | |
trafficserver | source | bookworm | 9.2.3+ds-1+deb12u1 | | DSA-5549-1 | |
trafficserver | source | (unstable) | 9.2.3+ds-1 | | | 1053801, 1054427 |
varnish | source | jessie | (not affected) | | | |
varnish | source | (unstable) | 7.5.0-1 | | | 1056156 |
[bookworm] - grpc <no-dsa> (Minor issue)
[bullseye] - grpc <no-dsa> (Minor issue)
[buster] - grpc <no-dsa> (Minor issue)
[bookworm] - h2o <no-dsa> (Minor issue)
[bullseye] - h2o <postponed> (Minor issue, DoS)
[bookworm] - dnsdist <no-dsa> (Minor issue)
[bullseye] - dnsdist <no-dsa> (Minor issue)
[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
[bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14)
Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81)
Starting with 9.0.70-2, tomcat9 no longer ships the server stack; that version is therefore used as the fixed version
ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
ATS: https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
ATS: https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.9)
grpc: https://github.com/grpc/grpc/pull/34763
h2o: https://github.com/h2o/h2o/commit/28fe15117b909588bf14269a0e1c6ec4548579fe
dnsdist: the h2o change breaks the ABI, hence dnsdist switched to a vendored fix in 1.8.2-2
haproxy: http://git.haproxy.org/?p=haproxy.git;a=commit;h=f210191dcdf32a2cb263c5bd22b7fc98698ce59a (v1.9-dev1)
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44134.html
haproxy: https://www.mail-archive.com/haproxy@formilux.org/msg44136.html
nginx: https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
nginx: https://github.com/nginx/nginx/commit/6ceef192e7af1c507826ac38a2d43f08bf265fb9
nghttp2: https://github.com/nghttp2/nghttp2/pull/1961
nghttp2: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
nghttp2: https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832 (v1.57.0)
jetty9: https://github.com/eclipse/jetty.project/issues/10679
jetty9: https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.53.v20231009
https://www.openwall.com/lists/oss-security/2023/10/10/6
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Go uses CVE-2023-39325 to track this
netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)
varnish: https://varnish-cache.org/security/VSV00013.html
varnish: https://github.com/varnishcache/varnish-cache/issues/3996
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2023-44487
Unaffected implementations not requiring code changes:
- rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
- apache2: https://chaos.social/@icing/111210915918780532
- lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9
[stretch] - dnsdist <not-affected> (HTTP/2 support was added later)
[stretch] - haproxy <not-affected> (HTTP/2 support added in 1.8)
[jessie] - haproxy <not-affected> (HTTP/2 support added in 1.8)
[jessie] - jetty8 <not-affected> (HTTP/2 support was added later)
[stretch] - jetty9 <not-affected> (HTTP/2 support was added later)
[stretch] - netty <ignored> (Fix requires a complete overhaul of the codec-http2 module)
[jessie] - netty <not-affected> (HTTP/2 support was added later)
- netty-3.9 <not-affected> (HTTP/2 support was added later)
- tomcat7 <not-affected> (HTTP/2 support was added later)
[jessie] - tomcat8 <not-affected> (HTTP/2 support was added later)
[stretch] - varnish <ignored> (Experimental HTTP/2 support is not recommended)
[jessie] - varnish <not-affected> (HTTP/2 support was added later)