CVE-2023-44487
Publication date 10 October 2023
Last updated 17 October 2024
Ubuntu priority
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Read the notes from the security team
Why is this CVE high priority?
Listed in CISA Known Exploited Vulnerabilities Catalog
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| dotnet6 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 6.0.123-0ubuntu1~22.04.1
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| dotnet7 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Fixed 7.0.112-0ubuntu1~22.04.1
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| dotnet8 | 24.10 oracular |
Fixed 8.0.100-8.0.0-0ubuntu1
|
| 24.04 LTS noble |
Fixed 8.0.100-8.0.0-0ubuntu1
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| h2o | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| haproxy | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Fixed 1.8.8-1ubuntu0.13+esm3
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Ignored end of standard support | |
| netty | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1:4.1.48-4+deb11u2build0.22.04.1
|
|
| 20.04 LTS focal |
Fixed 1:4.1.45-1ubuntu0.2
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| nghttp2 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Fixed 1.43.0-1ubuntu0.1
|
|
| 20.04 LTS focal |
Fixed 1.40.0-1ubuntu0.2
|
|
| 18.04 LTS bionic |
Fixed 1.30.0-1ubuntu1+esm2
|
|
| 16.04 LTS xenial |
Fixed 1.7.1-1ubuntu0.1~esm2
|
|
| 14.04 LTS trusty | Ignored end of standard support | |
| nginx | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| nodejs | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty |
Needs evaluation
|
|
| tomcat10 | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Ignored end of standard support | |
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support | |
| tomcat8 | 24.10 oracular | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty | Not in release | |
| tomcat9 | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support | |
| trafficserver | 24.10 oracular |
Needs evaluation
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
|
| 16.04 LTS xenial |
Needs evaluation
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
mdeslaur
The nginx developers do not consider nginx to be affected by this issue due to the default configuration restricting the number of requests per connectiong (keepalive_requests). They did provide a patch to harden nginx even further in environments where the default are substantially modified. haproxy was fixed in 2018 by the commit listed below Debian's tomcat9 update caused a regression, investigate before fixing tomcat packages.
ccdm94
see https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html for more information on nginx developer's position regarding this CVE.
leosilva
for haproxy xenial/esm-infra there is no source affected
mdeslaur
CVE-2023-39325 is the CVE assigned specifically for golang packages
Patch details
| Package | Patch details |
|---|---|
| haproxy | |
| nghttp2 |
|
| nginx |
|
| tomcat10 |
|
| tomcat9 |
|
| trafficserver |
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-6427-1
- .NET vulnerability
- 10 October 2023
- USN-6427-2
- .NET vulnerability
- 19 October 2023
- USN-6438-1
- .NET vulnerabilities
- 19 October 2023
- USN-6505-1
- nghttp2 vulnerability
- 22 November 2023
- USN-6574-1
- Go vulnerabilities
- 11 January 2024
- USN-6754-1
- nghttp2 vulnerabilities
- 25 April 2024
- USN-6994-1
- Netty vulnerabilities
- 5 September 2024
- USN-7067-1
- HAProxy vulnerability
- 14 October 2024
Other references
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- https://www.mail-archive.com/[email protected]/msg44134.html
- https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
- https://my.f5.com/manage/s/article/K000137106
- https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
- https://www.mail-archive.com/[email protected]/msg44134.html
- https://devblogs.microsoft.com/dotnet/october-2023-updates/
- https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0
- https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
- https://nodejs.org/en/blog/vulnerability/october-2023-security-releases
- https://www.cve.org/CVERecord?id=CVE-2023-44487
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog