HTTP/2 Vulnerability (CVE-2023-44487)
search cancel

HTTP/2 Vulnerability (CVE-2023-44487)

book

Article ID: 275012

calendar_today

Updated On:

Products

CA Service Catalog CA Service Desk Manager CA Service Management - Asset Portfolio Management CA Service Management - Service Desk Manager CA Business Service Insight

Issue/Introduction

Is CA Service Management vulnerable to HTTP/2 vulnerability CVE-2023-44487

Environment

CA Service Management 17.3 and 17.4

Resolution

CA Service Desk Manager is vulnerable to CVE-2023-44487

Apache Tomcat 9.0.81 and above has the fix for this vulnerability.  Follow these instructions to upgrade Apache Tomcat used by CA Service Desk Manager

CA Service Catalog is vulnerable to CVE-2023-44487

Apache Tomcat 9.0.81 and above has the fix for this vulnerability.  Follow these instructions.

CA IT Asset Manager is vulnerable to CVE-2023-44487

HTTP/2 is supported and enabled by default with IIS 10 and above. This vulnerability does NOT impact customers who use IIS version below 10. 

Immediate remediation: Disable HTTP/2.0 on IIS 10

Disable the HTTP/2 protocol on the CA IT Asset Manager Web server(s) and Application server (s) by using the Registry Editor

Note: Using Registry Editor incorrectly can cause serious problems that may require to reinstall the Operating System. Microsoft nor Broadcom cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved so use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic from the Registry Editor 

  1. Click Start-> Run and type Regedit in the Open box and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3. Create or set DWORD type values EnableHttp2Tls and EnableHttp2Cleartext to one of the following:
    Set to 0 to disable HTTP/2
    Set to 1 to enable HTTP/2
  4. Exit Registry Editor
  5. Restart the server(s)

Long term remediation: This DDoS attack, known as ‘HTTP/2 Rapid Reset’, leverages a flaw in the implementation of HTTP/2. Microsoft promptly created mitigations for IIS (HTTP.sys), .NET (Kestrel) and Windows, which were part of Microsoft Security Updates released on October 10th, 2023. Microsoft recommends to apply these security updates to provide mitigations against this attack.

The above remediation is per the Microsoft Security Advisory 

Tomcat upgrade for CA IT Asset Manager Common Administration Framework (CAF):

CA Business Service Insights is NOT vulnerable to CVE-2023-44487