
[Major Incident] CVE-2023-44487 undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) [rhpam-7]

    • 2024 Week 7-9 (from Feb 12)

      Security Tracking Issue

      Do not make this issue public.

      Impact: Major Incident
      Reported Date: 09-Oct-2023
      Resolve Bug By: 17-Oct-2023

      In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then.

      Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9kKpDw

      Flaw:

      CVE-2023-44487 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
      https://bugzilla.redhat.com/show_bug.cgi?id=2242803

      The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

            rguimara Roberto Oliveira
            ahanwate1@redhat.com Avinash Hanwate
            Dominik Hanak, Ivo Bek, Jan Rokos, Kris Verlaenen, Marek Novotny, Paramvir Jindal, Roberto Oliveira
            Samuel Kulíšek Samuel Kulíšek
            Votes: 0
            Watchers: 7