CVE-2023-44487 - HTTP/2 Rapid Reset Attack

Article ID: 274953

Products

SITEMINDER

Issue/Introduction

We have received notice of an urgent zero-day vulnerability related to an HTTP/2 attack. As SSO is internet facing, we would like to check whether Broadcom has released any guidelines for SSO to mitigate it. Referring to the Microsoft-provided suggestion in the 2nd URL, would it have any impact on our service?


Below are a few URLs for your reference:

1. Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2 | MSRC Blog | Microsoft Security Response Center

2. CVE-2023-44487 - Security Update Guide - Microsoft - MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack

3. New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records (bleepingcomputer.com)

Environment

Release : 12.8.06

Resolution

HTTP/2 support is dependent on the web server, not on SiteMinder itself: the Rapid Reset attack targets the HTTP/2 stream handling of whichever server terminates client connections.

For Symantec Access Gateway, the bundled httpd is not configured to support HTTP/2 by default, so it only speaks HTTP/1.1 and CVE-2023-44487 is not a concern for it in that configuration. If HTTP/2 has been enabled on the Access Gateway httpd as a customization, treat it like any other Apache httpd deployment below.

For other web servers hosting SiteMinder web agents (Apache, IIS, etc.), please check with the vendor and follow their instructions to mitigate the problem.


Additional Information

For the Apache web server, HTTP/2 is off unless it has been explicitly configured (mod_http2 loaded and the Protocols directive listing h2); see the Apache HTTP/2 guide:

https://httpd.apache.org/docs/2.4/howto/http2.html
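The statement that Apache (including the Access Gateway httpd) does not speak HTTP/2 unless configured is something an operator can verify from the configuration files. The following is an added example, not Broadcom's or the Apache project's code: a small static checker that reports whether mod_http2 is loaded and which VirtualHosts could negotiate h2 or h2c, applying Apache 2.4 semantics (HTTP/2 needs the module and a Protocols directive listing h2/h2c; the built-in default is http/1.1; a VirtualHost without its own Protocols inherits the server-level value). The two httpd.conf fragments, the hostname sso.example.test and the function names are constructed for the example; Include files are not followed.

```python
"""
Added example (not Broadcom's or Apache's code): static check of an Apache httpd
configuration for whether HTTP/2 can be negotiated.

Assumed Apache 2.4 semantics: HTTP/2 requires mod_http2 to be loaded
(`LoadModule http2_module ...`) AND a `Protocols` directive listing h2 (TLS) or
h2c (cleartext). The built-in default is `Protocols http/1.1`, so HTTP/2 is off
unless configured. A VirtualHost without its own Protocols inherits the
server-level value. Include/IncludeOptional files are not followed here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

LOADMODULE_RE = re.compile(r"^LoadModule\s+http2_module\b", re.IGNORECASE)
PROTOCOLS_RE = re.compile(r"^Protocols\s+(.+)$", re.IGNORECASE)
SERVERNAME_RE = re.compile(r"^ServerName\s+(\S+)", re.IGNORECASE)
VHOST_OPEN_RE = re.compile(r"^<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE_RE = re.compile(r"^</VirtualHost\s*>", re.IGNORECASE)
H2_PROTOCOLS = {"h2", "h2c"}


@dataclass
class VHost:
    addr: str
    server_name: str | None = None
    protocols: list[str] | None = None  # None = inherit the server-level value

    def label(self) -> str:
        return f"{self.server_name} ({self.addr})" if self.server_name else self.addr


@dataclass
class Http2Report:
    module_loaded: bool = False
    global_protocols: list[str] = field(default_factory=lambda: ["http/1.1"])
    vhosts: list[VHost] = field(default_factory=list)

    def effective_protocols(self, vh: VHost) -> list[str]:
        return vh.protocols if vh.protocols is not None else self.global_protocols

    def h2_vhosts(self) -> list[str]:
        """Labels of VirtualHosts on which HTTP/2 could be negotiated."""
        if not self.module_loaded:
            return []
        return [vh.label() for vh in self.vhosts
                if H2_PROTOCOLS & set(self.effective_protocols(vh))]


def analyse_httpd_conf(text: str) -> Http2Report:
    """Single pass over the config text; server-level Protocols may appear
    before or after the VirtualHost blocks, so inheritance is resolved lazily."""
    report = Http2Report()
    current: VHost | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        if LOADMODULE_RE.match(line):
            report.module_loaded = True
        elif (m := VHOST_OPEN_RE.match(line)):
            current = VHost(addr=m.group(1).strip())
            report.vhosts.append(current)
        elif VHOST_CLOSE_RE.match(line):
            current = None
        elif (m := SERVERNAME_RE.match(line)) and current is not None:
            current.server_name = m.group(1)
        elif (m := PROTOCOLS_RE.match(line)):
            protos = m.group(1).lower().split()
            if current is None:
                report.global_protocols = protos
            else:
                current.protocols = protos
    return report


def summarize(text: str) -> str:
    report = analyse_httpd_conf(text)
    enabled = report.h2_vhosts()
    if not report.module_loaded:
        return "mod_http2 not loaded: HTTP/2 cannot be negotiated"
    if not enabled:
        return "mod_http2 loaded but no Protocols lists h2/h2c: HTTP/2 off"
    return "HTTP/2 negotiable on: " + ", ".join(enabled)


# Constructed sample 1: distribution-style default, mod_http2 commented out, no Protocols.
CONF_DEFAULT = """
#LoadModule http2_module modules/mod_http2.so
Listen 443
<VirtualHost *:443>
    ServerName sso.example.test
    SSLEngine on
</VirtualHost>
"""

# Constructed sample 2: HTTP/2 enabled server-wide, opted out on the plain-HTTP vhost.
CONF_H2 = """
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
<VirtualHost *:443>
    ServerName sso.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:80>
    ServerName sso.example.test
    Protocols http/1.1
</VirtualHost>
"""

if __name__ == "__main__":
    for name, conf in (("default", CONF_DEFAULT), ("h2", CONF_H2)):
        print(f"{name}: {summarize(conf)}")
```

Run it against the real httpd.conf (and any conf.d fragments, since Include files are not followed) by passing the file contents to summarize(); a result of "mod_http2 not loaded" confirms the default state the resolution above describes, while any listed VirtualHost is one that needs the vendor's HTTP/2 mitigation.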


For IIS 10.0 or above, HTTP/2 is supported and enabled by default, so IIS-hosted web agents should follow Microsoft's guidance (see the MSRC links above):

https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis