A new high-severity vulnerability, CVE-2023-44487, has been identified in the HTTP/2 protocol.
It makes affected services vulnerable to Denial of Service (DDoS) attacks.
Who is susceptible to this vulnerability?
Any HTTP web service or program that is exposed to the internet with the HTTP/2 protocol enabled is
susceptible to this vulnerability.
Release 23.3.2
IIS Server on NFA Console:
Disable HTTP/2 and fall back to HTTP/1. Below is a step-by-step guide based on Microsoft’s
recommendations:
1. Open Registry Editor: Click Start, click Run, type Regedit in the Open box, and click OK.
2. Locate Subkey: Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
3. Create two new DWORD values by right-clicking and choosing DWORD:
EnableHttp2Tls
and
EnableHttp2Cleartext
4. Edit DWORD Values: Set the DWORD values EnableHttp2Tls and EnableHttp2Cleartext to 0 to
disable HTTP/2 or 1 to enable it.
5. Restart: Exit the Registry Editor and restart your computer.
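The registry change in steps 2 to 4 can also be scripted and checked across several consoles. The following PowerShell is an added example, not code from the vendor or Microsoft; the -AuditOnly switch and the variable names are choices made for this example, and it must be run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of steps 2-4 above. Not vendor-supplied code.
param(
    # 0 disables HTTP/2 (the mitigation), 1 enables it again.
    [ValidateSet(0, 1)]
    [int]$Value = 0,

    # Hypothetical switch for this example: report the current state only.
    [switch]$AuditOnly
)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$names = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key"
}

if (-not $AuditOnly) {
    foreach ($name in $names) {
        # -Force creates the DWORD if it is missing and overwrites it if present,
        # so the script can be re-run safely.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $Value -Force | Out-Null
    }
}

# Read the values back instead of trusting the write.
$result = foreach ($name in $names) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name      = $name
        Current   = if ($null -eq $item) { '<not set>' } else { $item.$name }
        Compliant = ($null -ne $item) -and ($item.$name -eq $Value)
    }
}
$result | Format-Table -AutoSize

if ($result.Compliant -contains $false) {
    Write-Warning "One or more values do not match the expected setting ($Value)."
    exit 1
}

# Step 5 is left to the operator: the change applies after a restart.
Write-Output 'Values match. Restart the computer for the change to take effect.'
```

Running it with -AuditOnly makes no changes and returns exit code 1 when either value is missing or different from the expected setting, which suits a compliance check after patch windows.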