Advisory 37

Impact: High

TLP Rating: Clear

HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487

Release Date 12th of October 2023

CERT Vanuatu (CERTVU) and the Office of the Chief Information Officer (OGCIO) provide the following advisory on the above vulnerability.

On the 10th of October 2023, CERT Vanuatu received an advisory from its collaborating partner, the Cybersecurity and Infrastructure Security Agency (CISA), for a denial-of-service (DoS) vulnerability in the HTTP/2 protocol. The vulnerability (CVE-2023-44487), known as Rapid Reset, has been exploited in the wild from August 2023 through to October 2023.

What is it?

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly; a client can open a stream and immediately cancel it, repeating this far faster than the server can tear down the work each stream started. This has been exploited in the wild.

HTTP/2 provides an optimized transport for HTTP semantics. HTTP/2 supports all of the core features of HTTP but aims to be more efficient than HTTP/1.1.
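To make the mechanism concrete from the defender's side, the following example parses raw HTTP/2 frames and applies the kind of per-connection mitigation the vendor write-ups describe: count RST_STREAM frames in a sliding window and drop the connection once a client resets more streams than a server could reasonably be expected to serve. This is an added illustration written for this advisory page, not code from CERTVU, CISA or any of the vendors listed below; the threshold (100 resets per second), the frame builder and the sample traffic are constructed assumptions, and only the frame layout and type codes come from the HTTP/2 specification (RFC 9113).

```python
from collections import deque

# HTTP/2 frame type codes and header size from RFC 9113, section 4 and 6.
HEADERS = 0x01
RST_STREAM = 0x03
FRAME_HEADER_LEN = 9
ERR_CANCEL = 0x8          # RST_STREAM error code used for client-side cancellation
END_STREAM_END_HEADERS = 0x05


def parse_frame(buf):
    """Parse one HTTP/2 frame from the front of buf.

    Returns (frame_type, flags, stream_id, payload, remaining_bytes).
    The 9-byte header is a 24-bit length, 8-bit type, 8-bit flags and a
    31-bit stream identifier behind one reserved bit.
    """
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("incomplete frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type = buf[3]
    flags = buf[4]
    stream_id = int.from_bytes(buf[5:9], "big") & 0x7FFFFFFF  # mask reserved bit
    end = FRAME_HEADER_LEN + length
    if len(buf) < end:
        raise ValueError("incomplete frame payload")
    return frame_type, flags, stream_id, buf[FRAME_HEADER_LEN:end], buf[end:]


def build_frame(frame_type, flags, stream_id, payload=b""):
    """Serialize one frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
            + stream_id.to_bytes(4, "big") + payload)


class ResetRateMonitor:
    """Per-connection sliding-window counter of RST_STREAM frames.

    If the peer resets more than max_resets streams within window_seconds,
    observe() reports that the connection should be closed. The default
    numbers are assumptions for this example, not a vendor recommendation.
    """

    def __init__(self, max_resets=100, window_seconds=1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self.resets = deque()        # timestamps of recent RST_STREAM frames
        self.open_streams = set()    # streams the peer has opened and not reset

    def observe(self, frame_type, flags, stream_id, now):
        """Feed one frame; return True when the connection should be dropped."""
        if frame_type == HEADERS and stream_id != 0:
            self.open_streams.add(stream_id)
        elif frame_type == RST_STREAM:
            self.open_streams.discard(stream_id)
            self.resets.append(now)
            # Expire resets that fell out of the window before comparing.
            while self.resets and now - self.resets[0] > self.window:
                self.resets.popleft()
            if len(self.resets) > self.max_resets:
                return True
        return False


def evaluate_connection(wire_bytes, timestamps, monitor):
    """Walk a captured frame stream; return (frames_seen, abusive)."""
    buf = wire_bytes
    seen = 0
    while buf:
        frame_type, flags, stream_id, _payload, buf = parse_frame(buf)
        ts = timestamps[seen]
        seen += 1
        if monitor.observe(frame_type, flags, stream_id, ts):
            return seen, True
    return seen, False


def make_request_cancel_pairs(count, spacing_seconds):
    """Constructed sample traffic: `count` HEADERS frames, each followed at once
    by a RST_STREAM(CANCEL) on the same stream, with pairs `spacing_seconds` apart.
    """
    wire = b""
    timestamps = []
    for i in range(count):
        stream_id = 2 * i + 1   # client-initiated streams use odd identifiers
        wire += build_frame(HEADERS, END_STREAM_END_HEADERS, stream_id)
        wire += build_frame(RST_STREAM, 0, stream_id, ERR_CANCEL.to_bytes(4, "big"))
        timestamps += [i * spacing_seconds, i * spacing_seconds]
    return wire, timestamps


def benign_example():
    """Ten cancelled requests, one per second: well under the threshold."""
    wire, ts = make_request_cancel_pairs(10, 1.0)
    return evaluate_connection(wire, ts, ResetRateMonitor())


def abusive_example():
    """Two hundred request/cancel pairs inside the same second: flagged on the
    frame that carries the 101st reset."""
    wire, ts = make_request_cancel_pairs(200, 0.0)
    return evaluate_connection(wire, ts, ResetRateMonitor())


if __name__ == "__main__":
    print("benign:", benign_example())
    print("abusive:", abusive_example())
```

The monitor keys on the ratio of resets to time rather than on open-stream count, because the whole point of the attack is that the stream is cancelled before it ever counts against SETTINGS_MAX_CONCURRENT_STREAMS; closing the connection, rather than just refusing the next stream, is what stops the server from doing work the client has already abandoned.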

Organizations that provide HTTP/2 services, and have published their own advisories, include:

  • Cloudflare https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
  • Google https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
  • AWS https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
  • NGINX https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
  • Microsoft https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/

References