Zero Day HTTP/2 Rapid Reset Vulnerability CVE-2023-44487
Article ID: 275351

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

Is Automic Workload Automation (v12.3 / v21) vulnerable to the Zero Day HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487?

Environment

Release : 12.3 / v21

Cause

Information regarding this vulnerability is here: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/

HTTP/2 does not require TLS/encryption; however, all of the major client implementations (Chrome, Firefox, Edge, Safari, Opera, Internet Explorer) have stated that they will only support HTTP/2 over TLS.

Resolution

Version 12.3.x is NOT affected by this vulnerability at all. 

For version 21 (21.0.0 through 21.0.8)

If you use/deploy AWI with Tomcat, HTTP/2 is NOT enabled by default, as this is controlled by the Apache Tomcat server.xml.
JCP, REST API, TLS Gateway, and Analytics do not enable HTTP/2 in the code and are NOT affected.

If you use/deploy AWI with Jetty, HTTP/2 IS enabled by default.

To mitigate the issues with AWI Jetty, the following options are available:

  1. HTTP/2 is only offered over TLS, so do not activate HTTPS/TLS; use AWI with plain (non-TLS/SSL) HTTP.
  2. Upgrade to 21.0.8 (at least), where the configuration.properties setting https.version=1 makes Jetty serve HTTPS with HTTP/1.1 only. In this way, AWI can use HTTPS and remain unaffected by this vulnerability.
  3. Put AWI behind a proxy, and disable HTTP/2 there.

Version 21.0.9: AWI with Jetty NO LONGER enables HTTP/2 by default, does not require the https.version=1 setting in configuration.properties, and is NOT affected by this at all.

Additional Information

In Tomcat, HTTP/2 is only enabled if you use the following connector in the server.xml file:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The key element is:

    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

Do not use this connector configuration (with the UpgradeProtocol element) when enabling SSL/TLS for Tomcat.
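As an added example (not part of this article or the Automic product), the following script audits the two settings described above offline: it flags Tomcat server.xml connectors that register the Http2Protocol upgrade, and checks whether an AWI 21.0.8 configuration.properties pins Jetty to HTTP/1.1 with https.version=1. The sample server.xml and properties content are constructed for illustration.

```python
"""Offline audit of the AWI HTTP/2 settings discussed in the article:
Tomcat server.xml connectors with the HTTP/2 upgrade protocol, and the
Jetty https.version=1 override in configuration.properties."""
import xml.etree.ElementTree as ET

HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: one plain HTTP connector, one TLS connector with HTTP/2.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>"""

# Constructed sample configuration.properties for an AWI 21.0.8 Jetty deployment.
SAMPLE_PROPERTIES = """# AWI settings (constructed sample)
https.enabled=true
https.version=1
"""


def tomcat_http2_connectors(server_xml: str) -> list:
    """Return the port of every <Connector> that registers the HTTP/2 upgrade protocol."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_UPGRADE:
                ports.append(connector.get("port", "?"))
                break  # one hit per connector is enough
    return ports


def jetty_forces_http1(properties: str) -> bool:
    """True when configuration.properties sets https.version=1 (Jetty serves HTTP/1.1 over TLS)."""
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "https.version":
            return value.strip() == "1"
    return False  # setting absent: default behaviour applies (HTTP/2 on before 21.0.9)


if __name__ == "__main__":
    print("Tomcat connectors with HTTP/2 enabled:", tomcat_http2_connectors(SAMPLE_SERVER_XML))
    print("Jetty pinned to HTTP/1.1 over TLS:", jetty_forces_http1(SAMPLE_PROPERTIES))
```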