oss-sec mailing list archives
Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Fri, 13 Oct 2023 19:32:28 +0200
Jonathan Wright wrote in
 <CAKe4=-L2udnhRQ7EVOMihrExiYUVoor3E0+FbNxvZ8iB=pyQ1w () mail gmail com>:
 [i resort a bit]

 |On Tue, Oct 10, 2023 at 2:23 PM Moritz Muehlenhoff <jmm () inutil org> wrote:
 |> On Tue, Oct 10, 2023 at 11:40:06AM -0700, Alan Coopersmith wrote:
 |>> Information I've found so far on open source implementations (most via
 |> the
 |>> current listings in the CVE) include:
 |>
 |> Apache Trafficserver is also affected:
 |> https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
 |
 |OpenLitespeed is not impacted:
 |https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/

It did not really surprise me that Glenn Strauss, the wonderful
developer of the lighttpd that i have used for eight years, had to go
like this (i hope he does not mind i quote #lighttpd here):

  ...
  01:45 < gps> [..]No, I did not have prior knowledge.
  ...
  02:20 < gps> Confirmed: while all web servers implementing HTTP/2 are
               exposed to the attack in CVE-2023-44487, the way each web
               server software processes HTTP/2 affects the size of the
               impact of the attack. With lighttpd, the impact is largely
               limited to the CPU usage parsing the HTTP/2 HEADERS frame,
               including HPACK decoding.
  ...
  03:58 < gps> To be clear, the attack still causes lighttpd to use more
               resources, but the amplification of resource commitment is
               constrained in lighttpd due to the design choices made for
               lighttpd HTTP/2.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
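The quoted IRC remarks describe the pattern behind CVE-2023-44487: a client opens streams with HEADERS frames and immediately cancels them with RST_STREAM, so the server pays the parsing and HPACK cost for requests it never gets to answer. The following added example (not from this thread, lighttpd, or any of the listed projects) is a small defender-side check that parses raw client-to-server HTTP/2 frames from a capture and scores the share of client streams that were reset after being opened; the frame layout and type codes follow RFC 9113, the threshold values and the constructed sample bytes are assumptions for illustration.

```python
# Frame type codes from RFC 9113 section 6; RST_STREAM error code CANCEL (0x8).
HEADERS, RST_STREAM, CANCEL = 0x1, 0x3, 0x8

def parse_frames(data: bytes):
    """Split a client-to-server byte stream into (type, flags, stream_id, payload)."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; ignore it
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def rapid_reset_score(frames):
    """Return (client_streams_opened, streams_reset_by_client, reset_ratio)."""
    open_streams, reset = set(), 0
    for ftype, _flags, sid, _payload in frames:
        if ftype == HEADERS and sid % 2 == 1:      # client-initiated ids are odd
            open_streams.add(sid)
        elif ftype == RST_STREAM and sid in open_streams:
            reset += 1
            open_streams.discard(sid)
    total = len(open_streams) + reset
    return total, reset, (reset / total if total else 0.0)

def looks_like_rapid_reset(frames, min_streams=100, reset_ratio=0.9):
    """Assumed thresholds: many streams on one connection, nearly all reset."""
    total, _reset, ratio = rapid_reset_score(frames)
    return total >= min_streams and ratio >= reset_ratio

def frame(ftype, stream_id, payload=b"", flags=0):
    """Encode one HTTP/2 frame (3-byte length, type, flags, 31-bit stream id)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def constructed_client_frames(n_streams, reset_each):
    """Constructed sample: n GET requests via HPACK static indices 2 and 4
    (:method GET, :path /) with END_STREAM|END_HEADERS, optionally cancelled."""
    data = b""
    for i in range(n_streams):
        sid = 2 * i + 1
        data += frame(HEADERS, sid, b"\x82\x84", flags=0x5)
        if reset_each:
            data += frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
    return data
```

Run over real traffic this is only a per-connection heuristic; the operational mitigation is the per-connection stream-open and reset-rate limiting that the affected servers shipped in their fixes.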