cve/2023/CVE-2023-44487.md

CVE-2023-44487

Description

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

POC

Reference

• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
• https://github.com/Azure/AKS/issues/3947
• https://github.com/Azure/AKS/issues/3947
• https://github.com/advisories/GHSA-qppj-fm5r-hxr3
• https://github.com/advisories/GHSA-qppj-fm5r-hxr3
• https://github.com/akka/akka-http/issues/4323
• https://github.com/akka/akka-http/issues/4323
• https://github.com/alibaba/tengine/issues/1872
• https://github.com/alibaba/tengine/issues/1872
• https://github.com/apache/apisix/issues/10320
• https://github.com/apache/apisix/issues/10320
• https://github.com/apache/httpd-site/pull/10
• https://github.com/apache/httpd-site/pull/10
• https://github.com/apache/trafficserver/pull/10564
• https://github.com/apache/trafficserver/pull/10564
• https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
• https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487
• https://github.com/caddyserver/caddy/issues/5877
• https://github.com/caddyserver/caddy/issues/5877
• https://github.com/eclipse/jetty.project/issues/10679
• https://github.com/eclipse/jetty.project/issues/10679
• https://github.com/envoyproxy/envoy/pull/30055
• https://github.com/envoyproxy/envoy/pull/30055
• https://github.com/etcd-io/etcd/issues/16740
• https://github.com/etcd-io/etcd/issues/16740
• https://github.com/facebook/proxygen/pull/466
• https://github.com/facebook/proxygen/pull/466
• https://github.com/golang/go/issues/63417
• https://github.com/golang/go/issues/63417
• https://github.com/grpc/grpc-go/pull/6703
• https://github.com/grpc/grpc-go/pull/6703
• https://github.com/h2o/h2o/pull/3291
• https://github.com/h2o/h2o/pull/3291
• https://github.com/haproxy/haproxy/issues/2312
• https://github.com/haproxy/haproxy/issues/2312
• https://github.com/kazu-yamamoto/http2/issues/93
• https://github.com/kazu-yamamoto/http2/issues/93
• https://github.com/kubernetes/kubernetes/pull/121120
• https://github.com/kubernetes/kubernetes/pull/121120
• https://github.com/line/armeria/pull/5232
• https://github.com/line/armeria/pull/5232
• https://github.com/micrictor/http2-rst-stream
• https://github.com/micrictor/http2-rst-stream
• https://github.com/microsoft/CBL-Mariner/pull/6381
• https://github.com/microsoft/CBL-Mariner/pull/6381
• https://github.com/nghttp2/nghttp2/pull/1961
• https://github.com/nghttp2/nghttp2/pull/1961
• https://github.com/ninenines/cowboy/issues/1615
• https://github.com/ninenines/cowboy/issues/1615
• https://github.com/nodejs/node/pull/50121
• https://github.com/nodejs/node/pull/50121
• https://github.com/openresty/openresty/issues/930
• https://github.com/openresty/openresty/issues/930
• https://github.com/opensearch-project/data-prepper/issues/3474
• https://github.com/opensearch-project/data-prepper/issues/3474
• https://github.com/projectcontour/contour/pull/5826
• https://github.com/projectcontour/contour/pull/5826
• https://github.com/tempesta-tech/tempesta/issues/1986
• https://github.com/tempesta-tech/tempesta/issues/1986
• https://github.com/varnishcache/varnish-cache/issues/3996
• https://github.com/varnishcache/varnish-cache/issues/3996
• https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
• https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event

Github

• https://github.com/AlexRogalskiy/AlexRogalskiy
• https://github.com/Austnez/tools
• https://github.com/ByteHackr/CVE-2023-44487
• https://github.com/CVEDB/awesome-cve-repo
• https://github.com/CVEDB/top
• https://github.com/Dzmitry-Basiachenka/dist-foreign-aliakh
• https://github.com/GhostTroops/TOP
• https://github.com/Millen93/HTTP-2.0-Rapid-Reset-Attack-Laboratory
• https://github.com/Ostorlab/KEV
• https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
• https://github.com/ReToCode/golang-CVE-2023-44487
• https://github.com/TYuan0816/cve-2023-44487
• https://github.com/XiangTrong/http2-rapid-client
• https://github.com/ZonghaoLi777/githubTrending
• https://github.com/aerospike-managed-cloud-services/flb-output-gcs
• https://github.com/alex-grandson/docker-python-example
• https://github.com/aneasystone/github-trending
• https://github.com/bartvoet/assignment-ehb-security-review-adamlenez
• https://github.com/bcdannyboy/CVE-2023-44487
• https://github.com/danielkec/rapid-reset
• https://github.com/dygma0/dygma0
• https://github.com/fankun99/baicuan
• https://github.com/fkie-cad/nvd-json-data-feeds
• https://github.com/ge-wijayanto/http2-rapid-reset-validator
• https://github.com/giterlizzi/secdb-feeds
• https://github.com/h7ml/h7ml
• https://github.com/hktalent/TOP
• https://github.com/imabee101/CVE-2023-44487
• https://github.com/irgoncalves/awesome-security-articles
• https://github.com/jafshare/GithubTrending
• https://github.com/johe123qwe/github-trending
• https://github.com/jrg1a/tools
• https://github.com/juev/links
• https://github.com/knabben/dos-poc
• https://github.com/kobutton/redhat-cve-fix-checker
• https://github.com/kyverno/policy-reporter-plugins
• https://github.com/lucasrod16/exploitlens
• https://github.com/m00dy/r4p1d-r3s3t
• https://github.com/malinkamedok/devops_sandbox
• https://github.com/micrictor/http2-rst-stream
• https://github.com/ndrscodes/http2-rst-stream-attacker
• https://github.com/nomi-sec/PoC-in-GitHub
• https://github.com/nvdg2/http2RapidReset
• https://github.com/nxenon/cve-2023-44487
• https://github.com/oscerd/nice-cve-poc
• https://github.com/pabloec20/rapidreset
• https://github.com/ramonzx6/http-script-json
• https://github.com/rxerium/stars
• https://github.com/seal-community/patches
• https://github.com/secengjeff/rapidresetclient
• https://github.com/sigridou/CVE-2023-44487-
• https://github.com/studiogangster/CVE-2023-44487
• https://github.com/tanjiti/sec_profile
• https://github.com/terrorist/HTTP-2-Rapid-Reset-Client
• https://github.com/testing-felickz/docker-scout-demo
• https://github.com/wolfc/snakeinmyboot
• https://github.com/zengzzzzz/golang-trending-archive
• https://github.com/zhaohuabing/cve-agent
• https://github.com/zhaoolee/garss