VMware NSX Advanced Load Balancer Response to CVE-2023-44487 - HTTP/2 protocol denial-of-service vulnerability



Article ID: 332385


Products

VMware

Issue/Introduction

CVE-2023-44487, known as HTTP/2 Rapid Reset, is a denial-of-service vulnerability in the HTTP/2 protocol disclosed in October 2023. A client opens streams and immediately cancels them with RST_STREAM frames faster than the server can process them, so the server's resources are consumed while the client never exceeds the concurrent-stream limit it has been granted.

Resolution


 

Is Avi affected by the CVE-2023-44487?

Avi supports HTTP/2 on the client side as an option that can be enabled per Virtual Service. A Virtual Service with HTTP/2 enabled is exposed to CVE-2023-44487; a Virtual Service that only accepts HTTP/1.x is not. On HTTP/2-enabled Virtual Services, Avi applies the following protections by default.

 

What are the default protections within Avi against CVE-2023-44487?

Avi limits the impact of the attack through the following parameters in the HTTP Application profile attached to the Virtual Service. Both are set by default; raising them above the defaults weakens the protection.

  1. max_http2_concurrent_streams_per_connection

  • Maximum number of concurrent streams over a client-side HTTP/2 connection.

  • Default Value: 128

  • The recommended setting is to keep it at 128 concurrent streams per connection.

  2. max_http2_requests_per_connection

  • Maximum number of requests over a client-side HTTP/2 connection. Once the limit is reached, the connection is closed and the client must open a new one.

  • Default Value: 1000

  • The recommended setting is to keep it at 1000 requests.
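A way to check every HTTP Application profile on a Controller against the two limits above, as an added example for this article (it is not VMware's or the Avi project's code). It assumes the Controller accepts HTTP basic authentication for GET requests on /api/applicationprofile and that the X-Avi-Version header names an API version the Controller supports; the profile objects used for the offline run are constructed inline and carry only the fields the audit reads.

```python
"""Audit NSX ALB (Avi) HTTP application profiles for the two HTTP/2 limits
named in this article. Added example; not VMware/Avi code."""
import base64
import json
import ssl
import urllib.request

# Defaults stated in the article; a value above these weakens the protection.
RECOMMENDED_LIMITS = {
    "max_http2_concurrent_streams_per_connection": 128,
    "max_http2_requests_per_connection": 1000,
}
HTTP_PROFILE_TYPE = "APPLICATION_PROFILE_TYPE_HTTP"


def audit_profiles(profiles):
    """Check each HTTP application profile object against RECOMMENDED_LIMITS.

    Returns a list of (profile_name, parameter, configured_value, verdict).
    A key absent from http_profile means the Controller applies its default,
    so it is reported at the default value and passes.
    """
    findings = []
    for prof in profiles:
        if prof.get("type") != HTTP_PROFILE_TYPE:
            continue  # L4, DNS and other profile types carry no HTTP/2 settings
        http = prof.get("http_profile") or {}
        for param, limit in RECOMMENDED_LIMITS.items():
            value = int(http.get(param, limit))
            verdict = "ok" if value <= limit else "above-recommended"
            findings.append((prof["name"], param, value, verdict))
    return findings


def profiles_needing_change(profiles):
    """Names of HTTP profiles where at least one limit exceeds the recommendation."""
    return sorted({name for name, _, _, v in audit_profiles(profiles) if v != "ok"})


def hardened_copy(profile):
    """Copy of one profile with both limits clamped back to the recommendation.

    Other fields are left untouched so the result can be sent as the body of a
    PUT to /api/applicationprofile/<uuid> (assumption of this example).
    """
    fixed = json.loads(json.dumps(profile))  # deep copy; original is not modified
    http = fixed.setdefault("http_profile", {})
    for param, limit in RECOMMENDED_LIMITS.items():
        if int(http.get(param, limit)) > limit:
            http[param] = limit
    return fixed


def fetch_profiles(controller, username, password, api_version="22.1.3",
                   verify_tls=True):
    """GET all application profiles from a Controller, following pagination.

    Assumptions of this example: basic auth is accepted for GETs, api_version is
    supported by the Controller, and paged responses carry a 'next' URL.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only; never skip verification in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"https://{controller}/api/applicationprofile?page_size=200"
    profiles = []
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {token}",
            "X-Avi-Version": api_version,
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            page = json.load(resp)
        profiles.extend(page.get("results", []))
        url = page.get("next")
    return profiles


# Constructed sample objects in the shape /api/applicationprofile returns,
# reduced to the fields this audit reads; not data from a real Controller.
SAMPLE_PROFILES = [
    {"name": "System-HTTP", "type": HTTP_PROFILE_TYPE,
     "http_profile": {"max_http2_concurrent_streams_per_connection": 128,
                      "max_http2_requests_per_connection": 1000}},
    {"name": "Custom-HTTP-Relaxed", "type": HTTP_PROFILE_TYPE,
     "http_profile": {"max_http2_concurrent_streams_per_connection": 1024,
                      "max_http2_requests_per_connection": 100000}},
    {"name": "Custom-HTTP-Defaults", "type": HTTP_PROFILE_TYPE,
     "http_profile": {}},
    {"name": "System-L4-Application", "type": "APPLICATION_PROFILE_TYPE_L4"},
]

if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_profiles(...) for a live Controller.
    for name, param, value, verdict in audit_profiles(SAMPLE_PROFILES):
        print(f"{name:24} {param:45} {value:>7} {verdict}")
    print("needs change:", profiles_needing_change(SAMPLE_PROFILES))
```

Profiles that omit a key are reported at the default and pass, because the Controller applies the default for an unset field; only profiles where someone explicitly raised a limit are flagged. Note that these limits cap what one connection can do; they do not stop a client from opening many connections, so connection-rate controls elsewhere in the profile remain relevant.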

NSX-ALB Avi recommended configuration regarding CVE-2023-44487.

 

Documentation of the configuration

To learn more about the configuration of these settings, see HTTP/2 Support on NSX Advanced Load Balancer.