Date: Wed, 18 Oct 2023 16:10:50 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations

On 10/10/23 11:40, Alan Coopersmith wrote:
> Information I've found so far on open source implementations (most via the
> current listings in the CVE) include:

Some more updates since last week:

> - Apache httpd:
>   https://chaos.social/@icing/111210915918780532

The discussion in https://github.com/apache/httpd-site/pull/10 makes the
situation a little murkier.

- contour: https://github.com/projectcontour/contour/pull/5850

- grpc-go: https://github.com/grpc/grpc-go/pull/6703

> - haproxy:
>   https://github.com/haproxy/haproxy/issues/2312

https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487

- http2 [Haskell]: https://github.com/kazu-yamamoto/http2/issues/93

- IETF: https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html

- kubernetes: https://github.com/kubernetes/kubernetes/pull/121120

- linkerd: https://linkerd.io/2023/10/12/linkerd-cve-2023-44487/

> - netty:
>   https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61

https://github.com/advisories/GHSA-xpw8-rcwv-8f8p
https://netty.io/news/2023/10/10/4-1-100-Final.html

- varnish: https://github.com/varnishcache/varnish-cache/issues/3996

Also, https://mstdn.social/@jschauma/111252863550361935 points out that the
Rust h2 crate seems to have announced a very similar issue under a different
CVE id back in April:
https://rustsec.org/advisories/RUSTSEC-2023-0034.html
https://github.com/advisories/GHSA-f8vr-r385-rh5r

and a follow-up post notes further similarities to Netflix's CVE-2019-9514
“Reset Flood” from
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
except in that case the RST_STREAM frames seem to have been sent from the
server, not the client side.

-- 
	-Alan Coopersmith-                 alan.coopersmith@...cle.com
	 Oracle Solaris Engineering - https://blogs.oracle.com/solaris
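Added example, not part of the message above and not code from any of the projects it links: a toy model of HTTP/2 server-side stream accounting that shows why a MAX_CONCURRENT_STREAMS cap alone does not bound a client-side Rapid Reset burst (each RST_STREAM frees the slot the HEADERS just took, so the cap never bites while the server still pays to start a handler per stream), and one mitigation pattern, counting client RST_STREAMs per connection in a sliding window and closing the connection past a threshold. The Frame/Config/Result types, the ResetLimit and ResetWindow knobs, and the constructed attack and benign traffic are all assumptions of this example; real implementations differ in how they count and what they do when the limit is hit.

```go
package main

import (
	"fmt"
	"time"
)

// FrameType covers the two client frames that matter for Rapid Reset.
type FrameType int

const (
	FrameHeaders   FrameType = iota // client opens a stream
	FrameRSTStream                  // client cancels a stream
)

// Frame is a minimal stand-in for an HTTP/2 frame (assumed shape, not a real
// framer): type, stream id, and arrival time as an offset from connection start.
type Frame struct {
	Type     FrameType
	StreamID uint32
	At       time.Duration
}

// Config holds the two knobs modelled here. ResetLimit <= 0 disables the
// mitigation, which gives the unpatched behaviour.
type Config struct {
	MaxConcurrentStreams int
	ResetLimit           int           // max client resets tolerated per ResetWindow
	ResetWindow          time.Duration // sliding window for ResetLimit
}

// Result reports the cost the server paid and whether the mitigation fired.
type Result struct {
	HandlersStarted int  // HEADERS frames dispatched to a handler (server work)
	Refused         int  // HEADERS refused because the concurrency cap was reached
	PeakConcurrent  int  // highest number of simultaneously open streams seen
	Closed          bool // connection torn down by the reset-rate mitigation
}

// Serve replays a client's frames against the accounting model.
func Serve(frames []Frame, cfg Config) Result {
	var r Result
	open := map[uint32]bool{}
	var resets []time.Duration // arrival times of recent client RST_STREAMs
	for _, f := range frames {
		switch f.Type {
		case FrameHeaders:
			if len(open) >= cfg.MaxConcurrentStreams {
				r.Refused++ // the cap only limits streams that are *open* right now
				continue
			}
			open[f.StreamID] = true
			r.HandlersStarted++ // dispatch cost is paid as soon as the stream opens
			if len(open) > r.PeakConcurrent {
				r.PeakConcurrent = len(open)
			}
		case FrameRSTStream:
			if !open[f.StreamID] {
				continue
			}
			delete(open, f.StreamID) // reset frees the slot at once
			if cfg.ResetLimit > 0 {
				resets = append(resets, f.At)
				for len(resets) > 0 && f.At-resets[0] > cfg.ResetWindow {
					resets = resets[1:] // drop resets that fell out of the window
				}
				if len(resets) > cfg.ResetLimit {
					r.Closed = true // GOAWAY + close: stop paying for this client's streams
					return r
				}
			}
		}
	}
	return r
}

// RapidResetBurst builds the attack pattern (constructed input): n streams,
// each opened and then reset half a gap later, with client stream ids 1,3,5,...
func RapidResetBurst(n int, gap time.Duration) []Frame {
	var fs []Frame
	for i := 0; i < n; i++ {
		id := uint32(2*i + 1)
		t := time.Duration(i) * gap
		fs = append(fs, Frame{FrameHeaders, id, t}, Frame{FrameRSTStream, id, t + gap/2})
	}
	return fs
}

func main() {
	attack := RapidResetBurst(10000, 10*time.Microsecond) // 10k open+reset pairs in 100 ms
	unpatched := Serve(attack, Config{MaxConcurrentStreams: 100})
	patched := Serve(attack, Config{MaxConcurrentStreams: 100, ResetLimit: 200, ResetWindow: time.Second})
	fmt.Printf("unpatched: %+v\n", unpatched) // 10000 handlers started, peak concurrency 1, never refused
	fmt.Printf("patched:   %+v\n", patched)   // closed after 201 handlers
}
```

The unpatched run never exceeds one open stream, so the concurrency cap refuses nothing while the server starts ten thousand handlers; the reset-rate check cuts that off after the 201st reset. The same check leaves a client that opens and cancels 50 streams spread over a second untouched, which is the property any real threshold has to preserve.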