VMware Security Engineering and Tanzu Application Service engineering have been evaluating the impact of CVE-2023-44487. We have determined that maliciously crafted HTTP/2 requests can cause increased CPU consumption in the TAS gorouter, up to 5x the resource consumption of a regular request. We have not seen memory impact, process restarts, or connection drops in our tests.
For customers who are running TAS behind a Layer-7 HTTP load balancer, TAS should not be impacted. Your load balancer may also be vulnerable, however, so please follow the instructions from that vendor. We have consistently recommended that TAS be deployed behind a load balancer in order to offload the cost of TLS termination and end-user connectivity nuances.
HTTP/2 was introduced as a feature and enabled by default starting in version 2.13 of Tanzu Application Service. All versions 2.13 and higher with HTTP/2 enabled are affected: 2.13, 3.0, 4.0, and 5.0.
For customers with gorouters exposed directly, not behind an HTTP load balancer, you can mitigate this concern by turning off HTTP/2 in the TAS tile configuration:
Ops Manager > VMware Tanzu Application Service tile > Networking > Enable the HTTP/2 protocol
See the documents Configuring Networking for TAS and Supporting HTTP2.
Applying changes in Ops Manager is necessary to implement this change. This update will require a redeploy of the Diego Cell, Gorouter, and Control VMs.
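Once Apply Changes has completed, the mitigation can be confirmed from outside the platform by checking which protocol the exposed gorouter endpoint negotiates via TLS ALPN: a gorouter with HTTP/2 disabled should select http/1.1 and never h2. The following Go probe is an added example, not VMware's or the gorouter project's own code; the gorouter address is a placeholder to be replaced with the externally reachable host:port.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

// NegotiatedProtocol completes a TLS handshake with addr, offering both "h2"
// and "http/1.1" via ALPN, and returns the protocol the server selected.
// An empty string means the server negotiated no ALPN protocol at all.
func NegotiatedProtocol(addr string, insecure bool) (string, error) {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", addr, &tls.Config{
		NextProtos:         []string{"h2", "http/1.1"},
		InsecureSkipVerify: insecure, // only for lab endpoints with self-signed certs
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

// HTTP2Enabled reports whether the endpoint still accepts HTTP/2. After the
// tile change and Apply Changes, an exposed gorouter should return false.
func HTTP2Enabled(addr string, insecure bool) (bool, error) {
	proto, err := NegotiatedProtocol(addr, insecure)
	if err != nil {
		return false, err
	}
	return proto == "h2", nil
}

func main() {
	// Placeholder address (assumption); substitute the exposed gorouter host:port.
	addr := "gorouter.example.invalid:443"
	enabled, err := HTTP2Enabled(addr, false)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(2)
	}
	if enabled {
		fmt.Println(addr, "still negotiates h2: HTTP/2 mitigation not in effect")
		os.Exit(1)
	}
	fmt.Println(addr, "negotiates HTTP/1.1 only: HTTP/2 is disabled")
}
```

If a Layer-7 load balancer terminates TLS in front of gorouter, the probe reports what the load balancer advertises, not the gorouter behind it, so run it against the gorouter address itself.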
The centralized ingress architecture of TAS and TAS for Windows means that other internal application servers should not be directly exposed. Our recommendation to mitigate this CVE is to ensure that gorouter is either protected by an L7 load balancer, accessible only to more trustworthy users, or has HTTP/2 deactivated.
VMware Tanzu engineering is working with the Go community to validate the effectiveness of the upstream fix and to improve the solution as needed. VMware policy is that we will not declare the CVE fully fixed in TAS until we can confirm that the patch mitigates the resource consumption issue.