GHSA-xpw8-rcwv-8f8p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-xpw8-rcwv-8f8p/GHSA-xpw8-rcwv-8f8p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-xpw8-rcwv-8f8p
- Aliases
-
- BIT-apisix-2023-44487
- BIT-aspnet-core-2023-44487
- BIT-contour-2023-44487
- BIT-dotnet-2023-44487
- BIT-dotnet-sdk-2023-44487
- BIT-envoy-2023-44487
- BIT-golang-2023-44487
- BIT-jenkins-2023-44487
- BIT-kong-2023-44487
- BIT-nginx-2023-44487
- BIT-nginx-ingress-controller-2023-44487
- BIT-node-2023-44487
- BIT-solr-2023-44487
- BIT-tomcat-2023-44487
- BIT-varnish-2023-44487
- CVE-2023-44487
- GHSA-2m7v-gc89-fjqf
- GHSA-qppj-fm5r-hxr3
- GHSA-vx74-f528-fxqg
- Related
- Published
- 2023-10-10T22:22:54Z
- Modified
- 2024-09-11T06:13:29.751532Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
- Details
-
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.
Impact
This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.
Patches
This is patched in version 4.1.100.Final.
Workarounds
A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own
Http2FrameListenerimplementation or anChannelInboundHandlerimplementation (depending which http2 API is used).References
- https://www.cve.org/CVERecord?id=CVE-2023-44487
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
- References
-
- https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3
- https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
- https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61
- https://github.com/netty/netty
- https://www.cve.org/CVERecord?id=CVE-2023-44487
Affected packages
Maven / io.netty:netty-codec-http2
Package
- Name
- io.netty:netty-codec-http2
- View open source insights on deps.dev
- Purl
- pkg:maven/io.netty/netty-codec-http2
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.1.100.Final
Affected versions
4.*
4.1.0.Beta4
4.1.0.Beta5
4.1.0.Beta6
4.1.0.Beta7
4.1.0.Beta8
4.1.0.CR1
4.1.0.CR2
4.1.0.CR3
4.1.0.CR4
4.1.0.CR5
4.1.0.CR6
4.1.0.CR7
4.1.0.Final
4.1.1.Final
4.1.2.Final
4.1.3.Final
4.1.4.Final
4.1.5.Final
4.1.6.Final
4.1.7.Final
4.1.8.Final
4.1.9.Final
4.1.10.Final
4.1.11.Final
4.1.12.Final
4.1.13.Final
4.1.14.Final
4.1.15.Final
4.1.16.Final
4.1.17.Final
4.1.18.Final
4.1.19.Final
4.1.20.Final
4.1.21.Final
4.1.22.Final
4.1.23.Final
4.1.24.Final
4.1.25.Final
4.1.26.Final
4.1.27.Final
4.1.28.Final
4.1.29.Final
4.1.30.Final
4.1.31.Final
4.1.32.Final
4.1.33.Final
4.1.34.Final
4.1.35.Final
4.1.36.Final
4.1.37.Final
4.1.38.Final
4.1.39.Final
4.1.40.Final
4.1.41.Final
4.1.42.Final
4.1.43.Final
4.1.44.Final
4.1.45.Final
4.1.46.Final
4.1.47.Final
4.1.48.Final
4.1.49.Final
4.1.50.Final
4.1.51.Final
4.1.52.Final
4.1.53.Final
4.1.54.Final
4.1.55.Final
4.1.56.Final
4.1.57.Final
4.1.58.Final
4.1.59.Final
4.1.60.Final
4.1.61.Final
4.1.62.Final
4.1.63.Final
4.1.64.Final
4.1.65.Final
4.1.66.Final
4.1.67.Final
4.1.68.Final
4.1.69.Final
4.1.70.Final
4.1.71.Final
4.1.72.Final
4.1.73.Final
4.1.74.Final
4.1.75.Final
4.1.76.Final
4.1.77.Final
4.1.78.Final
4.1.79.Final
4.1.80.Final
4.1.81.Final
4.1.82.Final
4.1.83.Final
4.1.84.Final
4.1.85.Final
4.1.86.Final
4.1.87.Final
4.1.88.Final
4.1.89.Final
4.1.90.Final
4.1.91.Final
4.1.92.Final
4.1.93.Final
4.1.94.Final
4.1.95.Final
4.1.96.Final
4.1.97.Final
4.1.98.Final
4.1.99.Final