CVE-2023-44487 - HTTP/2 Rapid Reset Attack


Article ID: 274953


Updated On:




We have received an urgent zero-day vulnerability related to an HTTP/2 attack. As SSO is internet-facing, we would like to check whether Broadcom has released any guidelines for SSO to mitigate it. Regarding the suggestion Microsoft provides in the 2nd URL, would it have any impact on our service?


Below are a few URLs for your reference:


Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2 | MSRC Blog | Microsoft Security Response Center


CVE-2023-44487 - Security Update Guide - Microsoft - MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records


Release : 12.8.06


HTTP/2 support depends on the web server.

For Symantec Access Gateway, the httpd is not configured to support HTTP/2 by default, so CVE-2023-44487 is not a concern in the default configuration.


For other web servers (Apache, IIS, etc.), please check with the vendor, and follow their instructions to mitigate the problem.


Additional Information

The Apache web server must be explicitly configured to support HTTP/2; please refer to the Apache documentation.


IIS 10.0 and above support HTTP/2 by default.
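
To confirm whether an Apache httpd actually has HTTP/2 switched on, the following added example (not Broadcom's or Apache's code) scans configuration text for the `LoadModule http2_module` and `Protocols` directives and includes a live ALPN check for a server you operate. The sample configs are constructed, and the scan does not follow `Include` files or evaluate `<IfModule>` conditions.

```python
import re
import socket
import ssl

# Apache serves HTTP/2 only when mod_http2 is loaded AND a Protocols
# directive lists h2 (over TLS) or h2c (cleartext); the default is http/1.1.
LOADMODULE = re.compile(r"^\s*LoadModule\s+http2_module\b", re.I)
PROTOCOLS = re.compile(r"^\s*Protocols\s+(.+)$", re.I)

# Constructed sample configs (not taken from any real deployment).
SAMPLE_ENABLED = "LoadModule http2_module modules/mod_http2.so\nProtocols h2 \\\n  http/1.1\n"
SAMPLE_DEFAULT = "#LoadModule http2_module modules/mod_http2.so\nProtocols http/1.1\n"


def logical_lines(conf_text):
    """Yield (line_no, text); joins '\\' continuations, drops comment lines."""
    buf, start = "", 0
    for no, raw in enumerate(conf_text.splitlines(), 1):
        if not buf:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = buf + raw, ""
        if line.strip() and not line.lstrip().startswith("#"):
            yield start, line


def http2_findings(conf_text):
    """Report whether mod_http2 is loaded and which lines offer h2/h2c."""
    loaded, offers = False, []
    for no, line in logical_lines(conf_text):
        if LOADMODULE.match(line):
            loaded = True
        m = PROTOCOLS.match(line)
        if m:
            hits = sorted({p.lower() for p in m.group(1).split()} & {"h2", "h2c"})
            if hits:
                offers.append((no, hits))
    return {"module_loaded": loaded, "h2_offers": offers,
            "http2_enabled": loaded and bool(offers)}


def negotiates_h2(host, port=443, timeout=5):
    """Live check against your own server: does TLS ALPN select 'h2'?"""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol() == "h2"
```

Run `http2_findings` over the main configuration file and each included file separately; a `False` result from `negotiates_h2` on the public listener confirms that clients cannot reach HTTP/2 over TLS there.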