Is Automic Workload Automation (v12.3 / v21) vulnerable to the Zero Day HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487?
Release : 12.3 / v21
Information regarding this vulnerability is here: https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
HTTP/2 does not require TLS/encryption; however, all of the major client implementations (Chrome, Firefox, Edge, Safari, Opera, Internet Explorer) have stated that they will only support HTTP/2 over TLS.
Version 12.3.x is NOT affected by this vulnerability at all.
For version 21 (21.0.0 through 21.0.8):
If you use/deploy AWI with Tomcat, HTTP/2 is NOT enabled by default, because this is controlled by the Apache Tomcat server.xml.
</gre_replace>
<gr_replace lines="9" cat="clarify" orig="If you use/deploy AWI with Jetty">
If you use/deploy AWI with Jetty, HTTP/2 IS enabled by default.
JCP, REST API, TLS Gateway, and Analytics do not enable http/2 in the code and are NOT affected.
If you use/deploy AWI with Jetty, http/2 IS enabled by default.
To mitigate the issue for AWI deployed with Jetty, the following options are available:
Version 21.0.9 - AWI with Jetty no longer enables HTTP/2 by default, does not require the https.version=1 setting in configuration.properties, and is NOT affected by this vulnerability at all.
In Tomcat, HTTP/2 is only enabled if you use the following connector in the server.xml file:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
The key element is the line <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />; without it the connector stays on HTTP/1.1.
Don't use this connector (in particular, do not include the UpgradeProtocol element) when enabling SSL/TLS for Tomcat.
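As an added example (not part of the original article and not a tool shipped with Automic or Tomcat), the following Python script applies the check described above to a server.xml: it lists every Connector that declares the org.apache.coyote.http2.Http2Protocol UpgradeProtocol, and produces a copy of the file with that element removed so the connector falls back to HTTP/1.1 while its TLS settings stay intact. The embedded server.xml is a constructed sample that mirrors the connector quoted in the article plus a TLS connector without HTTP/2; in practice you would read Tomcat's own conf/server.xml (path assumed) instead.

```python
import xml.etree.ElementTree as ET

# The UpgradeProtocol className that turns HTTP/2 on in Tomcat (from the article).
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml (assumption: not a real deployment's file).
# Port 8443 mirrors the HTTP/2 connector quoted in the article;
# port 8444 is a TLS connector with no UpgradeProtocol element;
# port 8080 is a plain HTTP/1.1 connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     certificateChainFile="conf/localhost-rsa-chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def http2_connectors(server_xml: str) -> list:
    """Return the 'port' attribute of every Connector that declares the
    HTTP/2 UpgradeProtocol, i.e. every connector that would negotiate h2."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                ports.append(connector.get("port", "?"))
                break
    return ports


def strip_http2(server_xml: str) -> str:
    """Return a copy of server.xml with every HTTP/2 UpgradeProtocol element
    removed; SSLHostConfig and the other connector settings are left as-is."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        # findall() returns a list, so removing while iterating is safe.
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                connector.remove(upgrade)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    enabled = http2_connectors(SAMPLE_SERVER_XML)
    print("Connectors with HTTP/2 enabled:", enabled or "none")
    hardened = strip_http2(SAMPLE_SERVER_XML)
    print("After removing UpgradeProtocol:", http2_connectors(hardened) or "none")
```

Run it as-is to see the sample result, or replace SAMPLE_SERVER_XML with the contents of your Tomcat conf/server.xml; an empty list from http2_connectors() means no connector in that file can negotiate HTTP/2. Note that this checks only what server.xml declares, so a connector enabled elsewhere (for example a second Service or an included fragment) would need the same check applied to that file.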