{"uuid": "7ef549dc-4fb5-4c63-a80e-e6b56edbf247", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-vx74-f528-fxqg", "type": "seen", "source": "https://gist.github.com/ishideo/2ef9371157b4cfc12ab0e8d4afc0847b", "content": "# Introduction\n\nThis Gist aims to centralise the most relevant public sources of information related to the [HTTP/2](https://datatracker.ietf.org/doc/html/rfc7540) Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.\n\nPlease help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.\n\n# References\n\n- [CVE-2023-44487](https://cvepremium.circl.lu/cve/CVE-2023-44487), CIRCL CVE Search\n- [How AWS protects customers from DDoS events](https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/), AWS\n- [How it works: The novel HTTP/2 \u2018Rapid Reset\u2019 DDoS attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack), Google\n- [HTTP/2 Rapid Reset: deconstructing the record-breaking attack](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/), Cloudflare\n- [Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2](https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/), Microsoft \n- Potential mention of a [similar issue in 2018 concerning HAproxy](https://www.mail-archive.com/haproxy@formilux.org/msg44134.html)\n- [RFC7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)](https://datatracker.ietf.org/doc/html/rfc7540)\n- [Security Advisory 2023-074 HTTP/2 Rapid Reset DDoS Vulnerability](https://www.cert.europa.eu/static/SecurityAdvisories/2023/CERT-EU-SA2023-074.pdf), CERT-EU\n- 
[HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487), CISA\n- [Using HTTP/3 Stream Limits in HTTP/2](https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html) - IETF draft to backport the HTTP/3 stream limits to HTTP/2\n\n# Vendor advisories and statements\n\n- [Apache Tomcat](https://github.com/apache/tomcat/commit/9cdfe25bad707f34b3e5da2994f3f1952a163c3e) - Fixed in 8.5.94\n- [AWS](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/)\n- [F5](https://www.f5.com/company/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products)\n- [Go](https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo)\n- [HAProxy](https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487) - HAProxy is not affected by the HTTP/2 Rapid Reset Attack\n- [Kong](https://konghq.com/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update)\n- [Microsoft IIS](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487)\n- [Microsoft MsQuic](https://github.com/microsoft/msquic/releases/tag/v2.2.3) - Fixed in 2.2.3\n- [NetScaler](https://www.netscaler.com/blog/news/how-to-mitigate-the-http-2-rapid-reset-vulnerability-on-netscaler/)\n- [NGINX](https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/)\n- [nghttp2 library](https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg) - Fixed in 1.57.0\n\n# Testing if HTTP/2 is enabled\n\n## OpenSSL\n\n~~~shell\n# Offers only h2 via ALPN: the output contains \"ALPN protocol: h2\" when the\n# server accepts it and \"No ALPN negotiated\" otherwise. Piping \"echo 1\" gives\n# s_client an immediate EOF on stdin so it exits instead of waiting for input.\necho 1 | openssl s_client -alpn h2 -connect google.com:443 -status 2>&1 | grep \"ALPN\"\n~~~\n\n## Nmap\n\n~~~shell\n# Enumerates the protocols the server offers through NPN; look for h2 in the list.\nnmap -p 443 --script=tls-nextprotoneg www.google.com\n~~~\n\nNote that `tls-nextprotoneg` queries NPN, whereas HTTP/2 over TLS is negotiated with ALPN (RFC 7540, section 3.3). A server that no longer offers NPN shows nothing here even though it speaks HTTP/2; Nmap's `tls-alpn` script covers that case.\n\n## curl\n\n~~~shell\n# The status line reads \"HTTP/2 200\" when HTTP/2 is negotiated and \"HTTP/1.1 200\" otherwise.\ncurl -Is --http2-prior-knowledge https://example.com/ | head -1\n~~~\n\n# Testing if it's vulnerable (use at your own risk)\n\n- [Basic vulnerability scanning tool to see if web servers may be vulnerable to CVE-2023-44487](https://github.com/bcdannyboy/CVE-2023-44487)\n- [Rapid Reset Client is a tool for testing mitigations and exposure to CVE-2023-44487 (Rapid Reset DDoS attack vector)](https://github.com/secengjeff/rapidresetclient)\n\n# Potential remediation\n\n## NGINX\n\n### NGINX can be configured to mitigate the vulnerability\n\n- Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:\n\n  - `keepalive_requests` should be kept at the default setting of 1000 requests\n  - `http2_max_concurrent_streams` should be kept at the default setting of 128 streams\n  - `limit_conn` and `limit_req` should be set \"with a reasonable setting balancing application performance and security\"\n\n### If you want to remove `http2` support\n\n- Remove the `http2` parameter from the `listen` directive (on NGINX 1.25.1 and later, where HTTP/2 is controlled by the separate `http2` directive, set `http2 off;` instead)\n\n## DDoS protection / CDNs\n\nWeb apps that are behind the following DDoS protection providers / CDNs should not be impacted, according to the providers' own statements linked above:\n\n- AWS\n- Cloudflare\n- Google Cloud\n- Microsoft Azure\n", "creation_timestamp": "2026-06-09T03:35:55.000000Z"}
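The NGINX settings listed under "Potential remediation" in the Gist above, assembled into one configuration as an added example. This file is written for this page and is not taken from the Gist, from F5/NGINX, or from any vendor advisory linked above. The directive names and the two default values (1000 requests, 128 streams) are the ones the page cites; the server name, certificate paths, upstream address, zone sizes and the rate and connection limits are placeholders to be tuned for the deployment.

```nginx
# Added example: NGINX configuration applying the Rapid Reset mitigations
# described above. Placeholders (assumed, adjust for your deployment):
# server_name, certificate paths, upstream address, zone sizes, limit values.

events { }

http {
    # Shared-memory zones that limit_req / limit_conn below refer to, keyed on
    # the client address. Zone size and rate are placeholders.
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=50r/s;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;

    upstream app_backend {
        server 127.0.0.1:8080;   # placeholder application server
    }

    server {
        # HTTP/2 stays enabled. This is the pre-1.25.1 syntax; on NGINX 1.25.1
        # and later write "listen 443 ssl;" plus "http2 on;" instead.
        # To drop HTTP/2 entirely, remove the http2 parameter here
        # (or set "http2 off;" on 1.25.1+).
        listen 443 ssl http2;
        server_name www.example.com;                       # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder
        ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder

        # Both are the NGINX defaults; they are written out so that a later
        # "tuning" change cannot silently raise them.
        keepalive_requests           1000;   # requests per connection before NGINX closes it
        http2_max_concurrent_streams 128;    # streams per connection advertised to the client

        # Per-client-address caps. Values are placeholders: balance them against
        # legitimate traffic (a NAT gateway can hide many users behind one address).
        limit_conn conn_per_ip 100;
        limit_req  zone=req_per_ip burst=100 nodelay;
        limit_conn_status 429;
        limit_req_status  429;

        location / {
            proxy_pass http://app_backend;
        }
    }
}
```

Validate with `nginx -t` before reloading. `keepalive_requests` bounds how many requests NGINX accepts over a single connection before closing it, so a client cannot keep opening and resetting streams on one connection indefinitely and must pay for a fresh TCP and TLS handshake each time; `http2_max_concurrent_streams` is the per-connection stream ceiling NGINX advertises in its SETTINGS frame; `limit_req` and `limit_conn` cap request rate and open connections per source address regardless of HTTP version.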