GoFAST - HTTP/2 Rapid Reset Attack (CVE-2023-44487)
On October 10, 2023, a vulnerability in the HTTP/2 protocol was discovered, allowing a Denial of Service attack. This vulnerability has been classified with a CVSS 3.x score of 7.5 (HIGH). (https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
This raises the question of the impact of this vulnerability on GoFAST. Initially, we use the HTTP/2 protocol for the platform's web services. However, we are not affected by this attack, as the values of the "keepalive_requests" and "http2_max_concurrent_streams" parameters are the default values in our web service configuration. You can read the nginx article on this subject here: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
We will continue to monitor this vulnerability and, if necessary, add the "limit_conn" and "limit_req" parameters in the next version of GoFAST.