The HTTP/2 (H2) vulnerability CVE-2023-44487, the “rapid reset” attack, permits a novel denial of service scenario in which a high volume of coordinated HTTP/2 request cancellations quickly resets many HTTP/2 streams, exhausting server resources and potentially causing outages.
Is DX Unified Infrastructure Management (DX UIM / Nimsoft) affected by this vulnerability?
Release: 20.4
For the Apache Tomcat 9.x series, this vulnerability affects versions 9.0.0-M1 through 9.0.80.
As of UIM/OC 20.4 CU9, the latest version of the wasp probe is bundled with Apache Tomcat 9.0.76, which falls in the affected range; however, the vulnerability is specific to the HTTP/2 protocol, and UIM has implemented HTTP/1.1 only, so the vulnerability cannot be exploited.
Apache Tomcat 9.0.81 and above contain the fix for this vulnerability. We will be updating the wasp probe with the latest version of Tomcat to remediate the vulnerability.
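A defender's check for the reasoning above, added here as an example and not part of the original KB or the wasp probe: it parses a Tomcat server.xml, reports any Connector that enables HTTP/2 through the Http2Protocol UpgradeProtocol, and combines that with the 9.0.0-M1 to 9.0.80 affected range. The server.xml fragments are constructed samples; the wasp probe's actual configuration path is an assumption left to the reader.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not the wasp probe's real config).
HTTP1_ONLY = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000"/>
</Service></Server>"""

H2_ENABLED = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""

# Tomcat enables HTTP/2 only when a Connector carries this UpgradeProtocol child.
H2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"


def h2_connectors(server_xml: str) -> list:
    """Return the port of every Connector that has HTTP/2 enabled."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == H2_UPGRADE:
                ports.append(conn.get("port"))
    return ports


def tomcat9_affected(version: str) -> bool:
    """True when a Tomcat 9.0.x version lies in 9.0.0-M1 .. 9.0.80 (fixed in 9.0.81)."""
    m = re.fullmatch(r"9\.0\.(\d+)(?:-M\d+)?", version)
    if not m:
        raise ValueError(f"not a Tomcat 9.0.x version string: {version}")
    return int(m.group(1)) <= 80


def exposure(version: str, server_xml: str) -> str:
    """Combine the version range with the connector config, as the KB's argument does."""
    if not tomcat9_affected(version):
        return "patched"
    ports = h2_connectors(server_xml)
    if ports:
        return "exposed on ports " + ", ".join(ports)
    return "affected build, but HTTP/2 not enabled (HTTP/1.1 only)"


if __name__ == "__main__":
    # Replace the sample strings with the contents of the probe's server.xml (path assumed).
    print(exposure("9.0.76", HTTP1_ONLY))
    print(exposure("9.0.76", H2_ENABLED))
    print(exposure("9.0.81", H2_ENABLED))
```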
This KB will be updated when an ETA is available; the development team is actively working on this.