A new high-severity vulnerability, CVE-2023-44487, has been identified in the HTTP/2 protocol. It makes affected services vulnerable to denial-of-service (DDoS) attacks.
Who is susceptible to this vulnerability
Any HTTP web service/program exposed to the internet with HTTP/2 protocol enabled is susceptible to this vulnerability.
Clarity on SaaS
Not Impacted.
On Premise Clarity Customers
Not Impacted.
The HTTP/2 implementation in Tomcat is by default commented out and is not used.
The Clarity implementation also uses the HTTP/1.1 protocol on its connector and does not use the HTTP/2 protocol.
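One way to confirm on your own install that no connector has HTTP/2 active, shown as an added example that is not part of the original article or of Clarity itself. It relies on the fact that Tomcat enables HTTP/2 through an `UpgradeProtocol` element nested in a `Connector`; the two sample `server.xml` documents are constructed for illustration, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Class name Tomcat uses for its HTTP/2 upgrade protocol.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample modelled on a Tomcat server.xml: one active HTTP/1.1
# connector, plus an HTTP/2-capable connector that is commented out.
SAMPLE_DEFAULT = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    -->
  </Service>
</Server>"""

# Constructed counter-example: the same file with the comment markers removed,
# which is what an HTTP/2-enabled configuration would look like.
SAMPLE_ENABLED = SAMPLE_DEFAULT.replace("<!--", "").replace("-->", "")


def http2_connectors(server_xml):
    """Return the active connectors that declare the HTTP/2 upgrade protocol."""
    # ElementTree drops XML comments while parsing, so connectors that are
    # commented out never appear in the tree and are not reported.
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        for upgrade in conn.findall("UpgradeProtocol"):
            if upgrade.get("className", "").strip() == HTTP2_CLASS:
                found.append({"port": conn.get("port"),
                              "protocol": conn.get("protocol")})
    return found


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("enabled", SAMPLE_ENABLED)):
        hits = http2_connectors(text)
        print(label, "->", hits if hits else "no active HTTP/2 connector")
```

To check a real deployment, read the contents of your Tomcat `server.xml` and pass them to `http2_connectors`; an empty list means no active connector offers HTTP/2.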
Mitigation Strategy in case needed by your organization
The mitigation strategy holds true for Jaspersoft as well.