The HTTP/2 (H2) vulnerability CVE-2023-44487, the “rapid reset” attack, permits a novel denial of
service scenario in which a high volume of coordinated HTTP/2 request cancellations can
quickly reset many HTTP/2 streams, exhausting server resources and potentially causing
outages.
Are Service Operations Insight 4.2 cumulative updates affected by this vulnerability?
Release: SOI 4.2 CU5
This article is informational.
For the Apache Tomcat 9.x series, this vulnerability affects versions from 9.0.0-M1 through 9.0.80.
SOI 4.2 CU5 bundles Apache Tomcat 9.0.76, which is known to be impacted.
However, the vulnerability affects only the HTTP/2 protocol, and SOI has implemented HTTP/1.1 only, so the
vulnerability cannot be exploited.
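The two conditions above can be checked on a deployment rather than taken on trust. The following is an added example, not code from the KB or from the SOI product: it tests whether a Tomcat 9.x version string falls in the affected range the KB names, and whether any Connector in server.xml enables the HTTP/2 UpgradeProtocol (Tomcat's documented way of turning on H2). The server.xml content is a constructed sample; reading a real one from $CATALINA_BASE/conf/server.xml is an assumed location.

```python
import xml.etree.ElementTree as ET

# Tomcat turns HTTP/2 on per Connector through this nested UpgradeProtocol element.
H2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: port 8080 is HTTP/1.1 only, port 8443 also offers HTTP/2.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

def parse_tomcat_version(version: str) -> tuple:
    """'9.0.76' -> (9, 0, 76, 1, 0); milestone '9.0.0-M1' -> (9, 0, 0, 0, 1).
    The fourth field makes a milestone sort before the GA release of the same number."""
    base, _, suffix = version.partition("-")
    major, minor, patch = (int(p) for p in base.split("."))
    if suffix.upper().startswith("M"):
        return (major, minor, patch, 0, int(suffix[1:]))
    return (major, minor, patch, 1, 0)

def in_affected_range(version: str) -> bool:
    """True for the Tomcat 9.x range the KB names: 9.0.0-M1 through 9.0.80 inclusive."""
    v = parse_tomcat_version(version)
    return parse_tomcat_version("9.0.0-M1") <= v <= parse_tomcat_version("9.0.80")

def h2_enabled_ports(server_xml: str) -> list:
    """Port of every Connector that declares the HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return [
        conn.get("port") for conn in root.iter("Connector")
        if any(up.get("className") == H2_UPGRADE_CLASS
               for up in conn.findall("UpgradeProtocol"))
    ]

def assess(version: str, server_xml: str) -> dict:
    """CVE-2023-44487 is reachable only if the version is affected AND some Connector speaks HTTP/2."""
    affected, ports = in_affected_range(version), h2_enabled_ports(server_xml)
    return {"affected_version": affected, "h2_ports": ports,
            "h2_reachable": affected and bool(ports)}

if __name__ == "__main__":
    # On a real host, read server.xml from $CATALINA_BASE/conf/server.xml (assumed location).
    print(assess("9.0.76", SAMPLE_SERVER_XML))
```

For an SOI 4.2 CU5 host the expected result is an affected version (9.0.76) with an empty h2_ports list, which is what makes the KB's "HTTP/1.1 only" statement verifiable.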
This KB will be updated when an ETA is available; the development team is
actively working on this.