CVE-2023-44487 is an HTTP/2 (H2) vulnerability known as the “rapid reset” attack. It permits a novel denial-of-service scenario in which a high volume of coordinated HTTP/2 request cancellations quickly resets many HTTP/2 streams, exhausting server resources and potentially causing outages.
Severity: High
Impacted: 4.9, 4.10
Third Party Vulnerability
Based on our initial review, Test Data Manager (TDM) is affected by this vulnerability through the tomcat-9.0.75 library.
However, this vulnerability cannot be exploited because TDM doesn’t support HTTP/2.
Apache Tomcat 9.0.81 and above have the fix for this vulnerability.
A new version of the TDM Masking image, 4.10.226.0, which contains Tomcat 9.0.82, is available at:
https://ftp.broadcom.com/user/
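The two conditions this advisory relies on (no HTTP/2 connector, or Tomcat 9.0.81 and above) can be checked against a Tomcat server.xml. The following is an added example, not Broadcom or Apache code; the function names, result labels and both sample server.xml documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Tomcat enables HTTP/2 only when a Connector nests this UpgradeProtocol class.
H2_CLASS = "org.apache.coyote.http2.Http2Protocol"
FIXED_9_0 = (9, 0, 81)  # first fixed 9.0.x release, as stated in the advisory

# Constructed sample configurations (not taken from any TDM installation).
NO_H2 = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""
WITH_H2 = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

def http2_connectors(server_xml):
    """Return the ports of Connectors that have HTTP/2 enabled."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        upgrades = conn.iter("UpgradeProtocol")
        if any(u.get("className") == H2_CLASS for u in upgrades):
            ports.append(conn.get("port", "?"))
    return ports

def assess(tomcat_version, server_xml):
    """Classify exposure to CVE-2023-44487 for a plain x.y.z Tomcat version."""
    ver = tuple(int(p) for p in tomcat_version.split(".")[:3])
    if ver[:2] != (9, 0):
        return "unknown"  # the advisory only gives the 9.0.x fixed version
    if ver >= FIXED_9_0:
        return "patched"
    if http2_connectors(server_xml):
        return "exposed"  # vulnerable library and HTTP/2 reachable
    return "library-affected-http2-disabled"  # the case the advisory describes

if __name__ == "__main__":
    for version, xml_text in [("9.0.75", NO_H2), ("9.0.75", WITH_H2), ("9.0.82", WITH_H2)]:
        print(version, http2_connectors(xml_text), assess(version, xml_text))
```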