We have received an urgent zero day vulnerability related to HTTP/2 attack. As SSO is internet facing, we would like to check if Broadcom released any guidelines for SSO to mitigate such? Referring to Microsoft provide suggestion in 2^nd URL, would it have any impact on our service?

Below are few URL for your reference:

1.

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2 | MSRC Blog | Microsoft Security Response Center

2.

CVE-2023-44487 - Security Update Guide - Microsoft - MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records (bleepingcomputer.com)

Release : 12.8.06

HTTP2 support is dependant on the web server.

For Symantec Access Gateway, the httpd is not configured to support http2 by default. So, the CVE for HTTP2 is not a concern.

For other web servers (Apache, IIS, etc.), please check with the vendor, and follow their instructions to mitigate the problem.

For Apache web server, it needs to be configured to support HTTP2, please refer to Apache document,

https://httpd.apache.org/docs/2.4/howto/http2.html

For IIS 10.0 or above, it supports http2 by default,

https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis