Is IT Process Automation vulnerable to the HTTP/2 vulnerability CVE-2023-44487?
IT Process Automation 4.4
IT Process Automation is vulnerable to CVE-2023-44487
The ITPAM 4.4 release ships with WildFly version 24, which enables HTTP/2 by default in its configuration.
To disable HTTP/2 in WildFly, follow the steps below:
1. Stop the ITPAM service.
2. Take a backup of the "standalone-full-ha.xml" file located at <ITPAM_Install_Location>\wildfly\standalone\configuration.
3. Open the "standalone-full-ha.xml" file with a text editor and set the value of "enable-http2" to false on each listener (both the http-listener and the https-listener), as in the sample below:
<http-listener name="default" max-post-size="4194304000" socket-binding="http" redirect-socket="https" enable-http2="false"/>
<https-listener name="https" max-post-size="4194304000" socket-binding="https" security-realm="ApplicationRealm" enabled="${oasis.transport.secure}" enable-http2="false"/>
4. Save the changes to the "standalone-full-ha.xml" file.
5. Restart the ITPAM service.
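To confirm that no listener was missed after editing the file, the following script (an added example, not part of ITPAM or WildFly) parses a standalone*.xml and lists every Undertow listener whose HTTP/2 is still on. It assumes that a missing enable-http2 attribute means enabled, which matches the statement above that WildFly 24 enables HTTP/2 by default; the namespace URNs in the embedded sample are placeholders, and the audit matches on local tag names only.

```python
"""Audit a WildFly standalone*.xml for Undertow listeners that still have HTTP/2 enabled.

Added example, not part of the ITPAM/WildFly product. Assumption: a listener
without an enable-http2 attribute has HTTP/2 on (the WildFly 24 default).
"""
import sys
import xml.etree.ElementTree as ET

LISTENER_TAGS = {"http-listener", "https-listener"}

# Constructed sample of the undertow subsystem; the namespace URNs are
# placeholders, since the audit only looks at local tag names.
SAMPLE_XML = """<server xmlns="urn:jboss:domain:PLACEHOLDER">
  <profile>
    <subsystem xmlns="urn:jboss:domain:undertow:PLACEHOLDER">
      <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
        <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="false"/>
        <http-listener name="legacy" socket-binding="http"/>
      </server>
    </subsystem>
  </profile>
</server>"""


def http2_enabled(attrs):
    """Conservative reading: only a literal "false" disables HTTP/2.
    A missing attribute (assumed default) or an unresolved ${...}
    expression is reported as enabled so it gets a second look."""
    return attrs.get("enable-http2", "true").strip().lower() != "false"


def audit_listeners(xml_text):
    """Return (tag, listener name, http2_enabled) for every Undertow listener."""
    root = ET.fromstring(xml_text)
    results = []
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
        if local in LISTENER_TAGS:
            results.append((local, elem.get("name"), http2_enabled(elem.attrib)))
    return results


def listeners_with_http2(xml_text):
    """Names of listeners that still need enable-http2="false"."""
    return [name for _, name, on in audit_listeners(xml_text) if on]


if __name__ == "__main__":
    # Pass the path to standalone-full-ha.xml; with no argument the constructed sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for tag, name, on in audit_listeners(text):
        print(f"{tag} '{name}': HTTP/2 {'ENABLED' if on else 'disabled'}")
    sys.exit(1 if listeners_with_http2(text) else 0)
```

Run it against the backed-up and the edited copies of standalone-full-ha.xml: the edited copy should report no listener as ENABLED and exit 0.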