Date: Tue, 10 Oct 2023 11:40:06 -0700
From: Alan Coopersmith <>
Subject: CVE-2023-44487: HTTP/2 Rapid Reset attack against many

[I've seen multiple news articles & blogs in the wake of the coordinated
  disclosure today, but no postings here yet, so let's start fixing that.]

Google, Cloudflare, AWS, and others released details today of a protocol-level
issue in HTTP/2 being exploited in recent months for denial-of-service attacks:

This attack abuses the multiplexed streams feature of HTTP/2: the client
repeatedly opens a new stream with a request and then immediately sends a
RST_STREAM frame to cancel it. The server does a lot of extra work setting up
and tearing down each stream, while the client never trips any server-side
limit on the maximum number of active streams per connection, because each
cancelled stream stops counting as active as soon as it is reset.
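To make the mechanism concrete from the server side, here is an added example (not code from this post or from any of the implementations listed below) that parses raw HTTP/2 frame headers and applies the kind of per-connection reset-rate limit that mitigations for this issue rely on; the 100-resets-per-second threshold, the simulated frame timing and the sample frame buffers are all assumptions constructed for illustration.

```python
import struct
from collections import deque

HEADERS, RST_STREAM = 0x1, 0x3  # HTTP/2 frame type codes (RFC 9113)

def frame(ftype, stream_id, payload=b"", flags=0):
    """Build one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a buffer."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than misparse
        yield ftype, flags, sid, payload
        off += 9 + length

class ResetRateLimiter:
    """Sliding-window count of client RST_STREAM frames on one connection.
    Cancelled streams no longer count against the concurrent-stream limit,
    so a separate reset-rate limit is what catches rapid reset (assumed threshold)."""
    def __init__(self, max_resets=100, window=1.0):
        self.max_resets, self.window, self.resets = max_resets, window, deque()
    def observe(self, ftype, stream_id, now):
        if ftype != RST_STREAM or stream_id == 0:
            return False
        self.resets.append(now)
        while self.resets and now - self.resets[0] > self.window:
            self.resets.popleft()
        return len(self.resets) > self.max_resets

def check_connection(data, max_resets=100, window=1.0, frame_interval=0.0001):
    """Replay a frame buffer through the limiter with simulated arrival times.
    Returns (client_streams_opened, resets_seen, flagged)."""
    lim, opened, resets, flagged = ResetRateLimiter(max_resets, window), 0, 0, False
    for i, (ftype, _flags, sid, _payload) in enumerate(iter_frames(data)):
        opened += ftype == HEADERS and sid % 2 == 1  # odd ids are client-initiated
        resets += ftype == RST_STREAM
        flagged |= lim.observe(ftype, sid, i * frame_interval)
    return opened, resets, flagged

# Constructed sample: 200 client streams, each opened and immediately cancelled.
RAPID_RESET = b"".join(frame(HEADERS, sid, b"\x82", flags=0x5) +
                       frame(RST_STREAM, sid, b"\x00\x00\x00\x08") for sid in range(1, 401, 2))
# Constructed benign traffic: 50 streams opened, none cancelled.
NORMAL = b"".join(frame(HEADERS, sid, b"\x82", flags=0x5) for sid in range(1, 101, 2))
```

Run `check_connection(RAPID_RESET)` versus `check_connection(NORMAL)` to see the burst of resets flagged while ordinary traffic passes, even though neither buffer ever exceeds a concurrent-stream limit.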

CVE-2023-44487 was issued to track this issue across implementations:

A script to check for affected implementations has been posted at:

Information I've found so far on open source implementations (most via the
current listings in the CVE) includes:

- Apache httpd:

- caddy:

- envoy:

- golang:

- h2o:

- haproxy:

- hyper:

- jetty:

- netty:

- nghttp2:

- nginx:

- nodejs:

- proxygen:

- swift-nio-http2:

- tomcat:

         -Alan Coopersmith-
          Oracle Solaris Engineering -
