CISA KEV Information
| Vulnerability Name | HTTP/2 Rapid Reset Attack Vulnerability |
|---|---|
| Description | HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS). |
| Required Action | Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. |
| Known Ransomware Campaign Use | Unknown |
| CWE | CWE-400 |
| Date Added (KEV) | 2023-10-10 |
| Due Date | 2023-10-31 |
| Notes | This vulnerability affects a common open-source component, third-party library, or protocol used by different products. For more information, please see: HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487 \| CISA: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487; https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/; https://nvd.nist.gov/vuln/detail/CVE-2023-44487 |
NVD Details
CVSS v3.1: 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CWE: CWE-400
References
- http://www.openwall.com/lists/oss-security/2023/10/10/6 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/10/7 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/13/4 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/13/9 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/18/4 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/18/8 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/19/6 [Mailing List, Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/20/8 [Mailing List, Third Party Advisory]
- https://access.redhat.com/security/cve/cve-2023-44487 [Vendor Advisory]
- https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size/ [Press/Media Coverage, Third Party Advisory]
- https://aws.amazon.com/security/security-bulletins/AWS-2023-011/ [Third Party Advisory]
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ [Technical Description, Vendor Advisory]
- https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/ [Third Party Advisory, Vendor Advisory]
- https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/ [Vendor Advisory]
- https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack [Press/Media Coverage, Third Party Advisory]
- ... and 272 more
This product uses the NVD API but is not endorsed or certified by the NVD.