GoFAST - HTTP/2 Rapid Reset Attack (CVE-2023-44487)
On October 10, 2023, a vulnerability in the HTTP/2 protocol was disclosed that allows a denial-of-service attack. It has been assigned a CVSS 3.x score of 7.5 (HIGH). (https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
This raises the question of this vulnerability's impact on GoFAST. GoFAST does use the HTTP/2 protocol for the platform's web services. However, we are not affected by this attack, because the "keepalive_requests" and "http2_max_concurrent_streams" parameters are left at their default values in our web service configuration. You can read the nginx article on this subject here: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
We will continue to monitor this vulnerability and, if necessary, add the "limit_conn" and "limit_req" parameters in the next version of GoFAST.
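The following nginx configuration is an added illustration for this advisory; it is not GoFAST's actual web service configuration, which this page does not reproduce. It states the two directives the advisory relies on explicitly at their nginx default values (1000 requests per keep-alive connection, 128 concurrent streams per HTTP/2 connection) and adds the "limit_conn" and "limit_req" directives mentioned above. The zone names, zone sizes, rate, burst and connection-count values, the server name, certificate paths and upstream address are all assumptions chosen for the example.

```nginx
# Added example configuration (not GoFAST's own). Directive names are real
# nginx directives; zone names, limits, hostnames and paths are assumptions.

events {
    worker_connections 1024;
}

http {
    # Per-client connection budget, keyed on the client address (assumed zone name/size).
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    # Per-client request-rate budget, keyed on the client address (assumed rate).
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=20r/s;

    # Answer limited clients with 429 instead of the default 503, so that
    # rate-limited traffic is distinguishable from backend failures in logs.
    limit_conn_status 429;
    limit_req_status  429;

    upstream gofast_backend {
        server 127.0.0.1:8080;          # placeholder backend address
    }

    server {
        listen 443 ssl;
        http2 on;                       # nginx >= 1.25.1; older releases use "listen 443 ssl http2;"
        server_name gofast.example;     # placeholder hostname
        ssl_certificate     /etc/nginx/tls/placeholder.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/placeholder.key;   # placeholder path

        # The two directives the advisory relies on, written out at their nginx
        # defaults: a client connection is closed after 1000 requests, and at
        # most 128 streams may be open on it at once. Together they cap how many
        # request/reset cycles a single connection can drive before it is closed.
        keepalive_requests 1000;
        http2_max_concurrent_streams 128;

        # Additional per-client limits the advisory anticipates (values assumed).
        limit_conn perip_conn 20;                    # at most 20 open connections per client
        limit_req  zone=perip_req burst=40 nodelay;  # 20 r/s sustained, 40 absorbed as a burst

        location / {
            proxy_pass http://gofast_backend;
        }
    }
}
```

Validate the file with `nginx -t` before reloading. Once the limits are in place, a rise in 429 responses in the access log is the signal that a client is being held back, which is a simpler thing to alert on than worker CPU.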