Zero Day HTTP/2 Rapid Reset Vulnerability CVE-2023-44487


Article ID: 275351




CA Automic Workload Automation - Automation Engine


Is Automic Workload Automation (v12.3 / v21) vulnerable to the Zero Day HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487?


Release : 12.3 / v21


Information regarding this vulnerability is here:

HTTP/2 does not require TLS/encryption, however, all of the major client implementations (Chrome, Firefox, Edge, Safari, Opera, Internet Explorer) have stated that they will only support HTTP/2 over TLS.



Version 12.3.x is NOT affected by this vulnerability at all. 

For version 21 (21.0.0 through 21.0.8):

If you use/deploy AWI with Tomcat, HTTP/2 is NOT enabled by default, as this is controlled by the Apache Tomcat server.xml.
JCP, REST API, TLS Gateway, and Analytics do not enable http/2 in the code and are NOT affected.

If you use/deploy AWI with Jetty, http/2 IS enabled by default.

To mitigate the issues with AWI Jetty, the following options are available:

  1. HTTP/2 is only negotiated over TLS, so do not activate HTTPS/TLS; run AWI over plain (non-TLS/SSL) HTTP instead.
  2. Upgrade to 21.0.8 (at least), which adds the setting https.version=1 to make Jetty serve HTTPS with HTTP/1 only. In this way, AWI can keep using HTTPS and is not exposed to this vulnerability.
  3. Put AWI behind a proxy, and disable HTTP/2 there.

Version 21.0.9 - AWI with Jetty: HTTP/2 is NO LONGER enabled by default, the https.version=1 setting is no longer required, and this version is NOT affected at all.
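Whichever of the options above is applied (Jetty with https.version=1, a proxy with HTTP/2 disabled, or a Tomcat connector without the HTTP/2 upgrade), the result can be verified from the outside: a TLS client offers both h2 and http/1.1 via ALPN and records which one the server selects. The following probe is an added example, not code from Automic or from this article; the host name and port are assumptions for illustration. It only performs a TLS handshake and reads the negotiated protocol, so it is safe to run against production endpoints.

```python
import socket
import ssl
import sys

# ALPN identifiers from RFC 7301 / RFC 9113. Offering both lets the server's
# choice tell us whether HTTP/2 is reachable on the port.
OFFERED_PROTOCOLS = ["h2", "http/1.1"]


def http2_negotiated(selected_protocol):
    """True when the server chose h2 via ALPN, i.e. HTTP/2 is reachable.
    None means the server sent no ALPN extension, which implies HTTP/1.1."""
    return selected_protocol == "h2"


def verdict(selected_protocol):
    """Human-readable result line for a report."""
    if http2_negotiated(selected_protocol):
        return "HTTP/2 negotiated (h2): mitigation NOT in place"
    return "HTTP/1.1 only (ALPN=%s): HTTP/2 disabled" % (selected_protocol or "none")


def probe_alpn(host, port=8443, timeout=5.0, verify=True):
    """Open a TLS connection offering h2 and http/1.1 and return the
    server's ALPN choice. verify=False is only for lab hosts with
    self-signed certificates; keep it True elsewhere."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(OFFERED_PROTOCOLS)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    # Assumed usage: python alpn_probe.py awi.example.internal 8443
    # (host and port are placeholders; use the AWI or proxy endpoint you expose)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
    print(host, port, verdict(probe_alpn(host, port)))
```

Run it against the port clients actually connect to: for option 3 that is the proxy's public listener, since the backend AWI port is not what the internet reaches. For option 1 (plain HTTP) there is no TLS handshake and the probe does not apply.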


Additional Information

In Tomcat, HTTP/2 is only enabled if you use the following connector in the server.xml file:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <!-- This element is what turns on HTTP/2 for the connector -->
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <!-- certificateFile is required alongside a PEM key; the path is Tomcat's stock example -->
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The key element is this line:

    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

Don't use this connector when enabling SSL/TLS for Tomcat: leave the UpgradeProtocol element out, and the TLS connector serves HTTPS over HTTP/1.1 only.
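To audit an existing Tomcat deployment rather than reading server.xml by eye, the check above can be scripted: find every Connector carrying an UpgradeProtocol whose className is org.apache.coyote.http2.Http2Protocol, report its port and whether it is TLS-enabled, and optionally emit a copy with those elements removed. This is an added example, not code from Automic or Tomcat; the embedded server.xml is constructed for the demonstration and the port numbers in it are illustrative.

```python
import xml.etree.ElementTree as ET

# The className from the connector shown above; its presence enables HTTP/2.
HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml: a plain HTTP connector, a TLS connector with
# HTTP/2 enabled, and a TLS connector without it.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def http2_connectors(server_xml_text):
    """Return (port, ssl_enabled) for every Connector that enables HTTP/2.
    ssl_enabled matters because browsers only speak HTTP/2 over TLS."""
    root = ET.fromstring(server_xml_text)
    findings = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_UPGRADE:
                ssl_enabled = connector.get("SSLEnabled", "false").lower() == "true"
                findings.append((connector.get("port"), ssl_enabled))
    return findings


def remove_http2_upgrade(server_xml_text):
    """Return (new_xml_text, removed_count) with the HTTP/2 UpgradeProtocol
    elements stripped. ElementTree drops comments and the XML declaration,
    so treat the output as a review aid, not a drop-in replacement file."""
    root = ET.fromstring(server_xml_text)
    removed = 0
    for connector in root.iter("Connector"):
        for upgrade in list(connector.findall("UpgradeProtocol")):
            if upgrade.get("className") == HTTP2_UPGRADE:
                connector.remove(upgrade)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for port, tls in http2_connectors(SAMPLE_SERVER_XML):
        print("HTTP/2 enabled on port %s (SSLEnabled=%s)" % (port, tls))
    fixed, count = remove_http2_upgrade(SAMPLE_SERVER_XML)
    print("removed %d UpgradeProtocol element(s); remaining:" % count,
          http2_connectors(fixed))
```

Point http2_connectors at the text of the real conf/server.xml to list the connectors that need attention; a TLS connector reported here is the configuration this article says not to use.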