CVE-2023-44487 - HTTP/2 Vulnerability and Clarity

Article ID: 274930


Updated On:


Products: Clarity PPM On Premise, Clarity PPM SaaS


A new High severity vulnerability, CVE-2023-44487, has been identified in the HTTP/2 protocol. It makes an affected service vulnerable to Denial of Service (DoS) attacks.


Who is susceptible to this vulnerability

Any HTTP web service or program exposed to the internet with the HTTP/2 protocol enabled is susceptible to this vulnerability.


Clarity on SaaS

Not Impacted.


On Premise Clarity Customers

Not Impacted.


The HTTP/2 UpgradeProtocol element in the Tomcat shipped with Clarity is commented out in server.xml by default and is not used.

The Clarity connector also uses the HTTP/1.1 protocol and does not use the HTTP/2 protocol.

Mitigation strategy, if required by your organization


  1. Edit $TOMCAT_HOME/conf/server.xml and comment out the following element inside the Connector tag:
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  2. Upgrade Apache Tomcat to 9.0.81 for Clarity versions 15.9.3 and above.


The same mitigation strategy applies to Jaspersoft as well.
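To verify that step 1 of the mitigation is in effect, the following added check (example code, not part of this article or of Clarity) parses a Tomcat server.xml and reports every Connector whose HTTP/2 UpgradeProtocol is still active. The sample server.xml embedded below is constructed for the example; the file path and connector ports are assumptions.

```python
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample of a Tomcat server.xml (not Clarity's shipped file).
# Connector 8080 has the HTTP/2 upgrade commented out, the default the
# article describes; connector 8443 still has it active, which is the
# element the mitigation step tells you to comment out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""


def http2_enabled_connectors(server_xml: str) -> list:
    """Return (port, protocol) for every Connector whose HTTP/2 upgrade is live.

    ElementTree's default parser discards XML comments, so an UpgradeProtocol
    element that has been commented out never reaches the tree; only active
    HTTP/2 upgrades are reported.
    """
    root = ET.fromstring(server_xml)
    hits = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                hits.append((connector.get("port"), connector.get("protocol")))
    return hits


def check_file(path: str) -> list:
    """Check a server.xml on disk, e.g. $TOMCAT_HOME/conf/server.xml (assumed path)."""
    with open(path, encoding="utf-8") as fh:
        return http2_enabled_connectors(fh.read())


if __name__ == "__main__":
    for port, proto in http2_enabled_connectors(SAMPLE_SERVER_XML):
        print(f"HTTP/2 upgrade active on connector port {port} ({proto}); "
              "comment out the UpgradeProtocol element")
```

Run it against the real file with `check_file("/path/to/conf/server.xml")`; an empty result means no connector can negotiate HTTP/2 and CVE-2023-44487 does not apply to that Tomcat.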