CVE-2023-44487, the HTTP/2 (H2) "Rapid Reset" attack, permits a novel denial of service scenario: a client opens a high volume of HTTP/2 streams and immediately cancels each one (RST_STREAM), so a single connection can reset many streams far faster than the server can complete the work it has already started for them, exhausting server resources and potentially causing outages.
SGOS versions prior to 7.x (i.e. 6.7.x) are not affected, as HTTP/2 is not natively supported there. Customers running 7.x versions of SGOS are encouraged to upgrade to 7.3.15.1 or later.
SGOS version 7.3.15.1 (released July 17, 2023) limits the number of concurrent streams over HTTP/2 client connections (even if the streams are reset), mitigating the rapid reset attack. Edge SWG customers that are running version 7.3.15.1 (or later) benefit from this mitigation.
Additionally, SGOS 7.3.13.5 (released October 18, 2023) and 7.3.14.4 (released October 26, 2023) have been released with a fix for this vulnerability.
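The following model illustrates the difference between the two behaviours described above. It is an added example written for this advisory; it is not SGOS code and does not claim to reproduce how SGOS implements its limit. It contrasts a server that only counts streams the client has not yet reset (the accounting the attack exploits, since a HEADERS/RST_STREAM pair never fills the SETTINGS_MAX_CONCURRENT_STREAMS window) with one that counts every stream the backend is still working on, reset or not (the kind of limit described for SGOS 7.3.15.1). The frame sequences, the 100-stream limit, the 20 ms service time and the benign-client pattern are all constructed for illustration.

```python
"""Stream accounting under an HTTP/2 Rapid Reset burst (constructed model)."""
from dataclasses import dataclass

MAX_CONCURRENT_STREAMS = 100  # advertised SETTINGS_MAX_CONCURRENT_STREAMS (constructed)
SERVICE_TIME_US = 20_000      # backend work per request, in microseconds (constructed)


@dataclass(frozen=True)
class Frame:
    t_us: int        # arrival time, microseconds since connection start
    kind: str        # "HEADERS" (new request) or "RST_STREAM" (client cancel)
    stream_id: int


@dataclass
class Result:
    requests_accepted: int    # HEADERS frames the server started work on
    peak_open_streams: int    # peak number of streams neither reset nor finished
    connection_closed: bool   # server gave up on the connection (GOAWAY)
    backend_work_us: int      # total backend work the client managed to trigger


def rapid_reset_burst(n: int, gap_us: int = 100) -> list:
    """Constructed attack traffic: n requests, each reset 50 us after it is sent."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream IDs are odd
        frames.append(Frame(i * gap_us, "HEADERS", sid))
        frames.append(Frame(i * gap_us + gap_us // 2, "RST_STREAM", sid))
    return frames


def compliant_client(batches: int) -> list:
    """Constructed benign traffic: batches of 100 requests, each batch starting
    only as the previous batch's responses come due; no resets at all."""
    frames = []
    sid = 1
    for b in range(batches):
        for k in range(MAX_CONCURRENT_STREAMS):
            frames.append(Frame(b * SERVICE_TIME_US + k * 100, "HEADERS", sid))
            sid += 2
    return frames


def simulate(frames, count_reset_streams: bool) -> Result:
    """Replay frames against a model server and report what it accepted.

    count_reset_streams=False: a stream stops counting toward the limit the
    moment the client resets it, so the limit is never reached and backend
    work piles up without bound.
    count_reset_streams=True: a stream counts from HEADERS until the backend
    has finished it, whether or not the client reset it; hitting the limit
    closes the connection.
    """
    open_streams = set()   # HEADERS seen, no RST_STREAM yet, not yet finished
    finish_at = {}         # stream_id -> time the backend finishes its work
    accepted = peak_open = work_us = 0
    for f in sorted(frames, key=lambda x: x.t_us):
        # Work that completed before this frame arrived no longer counts.
        for sid in [s for s, done in finish_at.items() if done <= f.t_us]:
            del finish_at[sid]
            open_streams.discard(sid)
        if f.kind == "HEADERS":
            in_flight = len(finish_at) if count_reset_streams else len(open_streams)
            if in_flight >= MAX_CONCURRENT_STREAMS:
                return Result(accepted, peak_open, True, work_us)
            open_streams.add(f.stream_id)
            finish_at[f.stream_id] = f.t_us + SERVICE_TIME_US
            accepted += 1
            work_us += SERVICE_TIME_US
            peak_open = max(peak_open, len(open_streams))
        elif f.kind == "RST_STREAM":
            # The client no longer wants the response, but the backend work
            # already dispatched is not recalled: finish_at keeps its entry.
            open_streams.discard(f.stream_id)
    return Result(accepted, peak_open, False, work_us)


if __name__ == "__main__":
    attack = rapid_reset_burst(1000)
    print("open-stream accounting :", simulate(attack, count_reset_streams=False))
    print("in-flight accounting   :", simulate(attack, count_reset_streams=True))
    print("benign client, in-flight:", simulate(compliant_client(2), count_reset_streams=True))
```

With open-stream accounting the burst of 1000 HEADERS/RST_STREAM pairs is accepted in full (peak open streams stays at 1, so the limit is never approached) and the client has forced 20 s of backend work within 100 ms of connection time. With in-flight accounting the connection is closed after the 100th request. The compliant client, which never exceeds 100 outstanding requests, is accepted in full under either accounting, which is the property a mitigation of this kind needs.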
SGOS version 7.4.1.1 is vulnerable. In a forward proxy deployment, the proxy limits the number of stream requests, which reduces the impact of any compromised hosts behind it. In a reverse proxy deployment, the proxy similarly protects any HTTP/2 servers that are the target of the attack.
SGOS version 7.4.1.2 (released October 27, 2023) has been released with a fix for this vulnerability.
For vulnerable versions, the attack can be prevented by disabling HTTP/2 via policy using CPL:
<proxy>
; Stop accepting HTTP/2 from clients and stop requesting HTTP/2 from origin servers
http2.client.accept(no) http2.server.request(no)
Cloud SWG (formerly WSS) offers the same CPL to disable HTTP/2 for UPE-managed tenants; it currently runs SGOS 7.3.15.1, which already limits the number of concurrent streams.