We have received an urgent zero-day vulnerability alert related to an HTTP/2 attack. As SSO is internet facing, we would like to check whether Broadcom has released any guidelines for SSO to mitigate it. Referring to the suggestion Microsoft provides in the 2nd URL, would it have any impact on our service?
Below are a few URLs for your reference:
1. CVE-2023-44487 - Security Update Guide - Microsoft - MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
2. New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records (bleepingcomputer.com)
Release: 12.8.06
HTTP/2 support depends on the web server in front of SSO.
For Symantec Access Gateway, the bundled httpd is not configured to support HTTP/2 by default, so CVE-2023-44487 is not a concern there unless HTTP/2 has been enabled explicitly.
For other web servers (Apache, IIS, etc.), check with the vendor and follow their instructions to mitigate the problem.
For the Apache web server, HTTP/2 has to be enabled explicitly in the configuration; refer to the Apache documentation:
https://httpd.apache.org/docs/2.4/howto/http2.html
IIS 10.0 and later support HTTP/2 by default:
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis
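As an added check (example code, not part of the Broadcom article), the script below inspects an httpd configuration file for the two settings that actually turn HTTP/2 on in httpd 2.4, and includes a curl probe for a live TLS endpoint so the same question can be answered for IIS or any other front end. The sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Broadcom article: decide whether an httpd configuration
# actually enables HTTP/2, which is what makes CVE-2023-44487 (Rapid Reset) relevant.
# In httpd 2.4, HTTP/2 needs mod_http2 loaded AND an active "Protocols" directive
# listing h2 (TLS) or h2c (cleartext); see
# https://httpd.apache.org/docs/2.4/howto/http2.html. Only the given file is inspected,
# not files pulled in via Include, so run it against each relevant config file.

# http2_enabled FILE -> returns 0 if the file enables HTTP/2, 1 otherwise.
http2_enabled() {
    conf="$1"
    # An active (not commented-out) LoadModule for mod_http2 ...
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+http2_module' "$conf" || return 1
    # ... plus an active Protocols directive containing an h2 or h2c token.
    grep -Ei '^[[:space:]]*Protocols[[:space:]]' "$conf" \
        | grep -Eiq '(^|[[:space:]])h2c?([[:space:]]|$)'
}

# negotiates_h2 HOST -> prints "yes" if a live TLS endpoint negotiates HTTP/2 with curl.
# Not invoked here (needs network); point it at your own SSO front end, IIS included.
negotiates_h2() {
    ver=$(curl -sS --http2 -o /dev/null -w '%{http_version}' "https://$1/" 2>/dev/null)
    [ "$ver" = "2" ] && echo yes || echo no
}

# Constructed sample configs: one resembling a default (mod_http2 commented out),
# one with HTTP/2 switched on.
tmpdir=$(mktemp -d)
DEFAULT_CONF="$tmpdir/default.conf"
ENABLED_CONF="$tmpdir/enabled.conf"
cat > "$DEFAULT_CONF" <<'EOF'
#LoadModule http2_module modules/mod_http2.so
Listen 443
Protocols http/1.1
EOF
cat > "$ENABLED_CONF" <<'EOF'
LoadModule http2_module modules/mod_http2.so
Protocols h2 http/1.1
EOF

for f in "$DEFAULT_CONF" "$ENABLED_CONF"; do
    if http2_enabled "$f"; then
        echo "$f: HTTP/2 enabled - CVE-2023-44487 applies; patch or reconfigure"
    else
        echo "$f: HTTP/2 not enabled"
    fi
done
```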