Akka HTTP: CVE-2023-44487: HTTP/2 rapid reset attack

johan.andren

Oct 16, 2023, 8:08:18 AM
to Akka Security
Date: 2023-10-16
CVE ID: CVE-2023-44487

Description of Vulnerability
A widespread HTTP/2 server vulnerability where a client issues rapid HTTP/2 reset frames and thereby sidesteps the protection against unlimited resource consumption built into the protocol.

Severity
The CVSS score of this vulnerability is 7.5, based on vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Impact
The quick sequence of requests can possibly trigger expensive requests on the server, depending on the application logic built on top of Akka HTTP/2, at a low cost for the abusing client, allowing for denial of service attacks.

Akka HTTP/2 servers running behind a proxy are likely protected by the proxy, given that it has protective measures against this vulnerability.

Resolution
Starting from Akka HTTP 10.5.3 a reset frame rate limit is present in the HTTP/2 server. The rate limit is configurable through the settings akka.http.server.http2.max-resets and akka.http.server.http2.max-resets-interval, with a default limit of 400 resets per 10 s per connection. Once a connection hits the limit it is closed.
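The mitigation described above, a per-connection cap on RST_STREAM frames within an interval, modelled here in Python as an added illustration; this is not Akka HTTP's own code. The model assumes a fixed counting window that restarts every max-resets-interval seconds and closes the connection on the first reset that exceeds max-resets; the constants mirror the two settings named in the advisory with their stated defaults (400 resets per 10 s). The two traffic patterns at the bottom are constructed sample input.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mirrors akka.http.server.http2.max-resets and
# akka.http.server.http2.max-resets-interval with the advisory's defaults.
MAX_RESETS = 400
MAX_RESETS_INTERVAL_S = 10.0


@dataclass
class ResetRateLimiter:
    """Illustrative per-connection RST_STREAM counter (assumption: fixed window,
    not necessarily how Akka HTTP implements it)."""
    max_resets: int = MAX_RESETS
    interval_s: float = MAX_RESETS_INTERVAL_S
    window_start: Optional[float] = None
    count: int = 0
    closed: bool = False

    def on_reset(self, now: float) -> bool:
        """Record one RST_STREAM frame received at time `now` (seconds).

        Returns True once the connection must be closed. The window restarts
        when `interval_s` seconds have elapsed since it opened, so a client
        that stays under max_resets per window is never affected.
        """
        if self.closed:
            return True
        if self.window_start is None or now - self.window_start >= self.interval_s:
            self.window_start = now
            self.count = 0
        self.count += 1
        if self.count > self.max_resets:  # the (max_resets + 1)th reset closes
            self.closed = True
        return self.closed


def simulate(reset_times: List[float],
             limiter: Optional[ResetRateLimiter] = None) -> Tuple[int, bool]:
    """Feed a sequence of reset timestamps through the limiter.

    Returns (resets_accepted_before_close, connection_closed).
    """
    limiter = limiter or ResetRateLimiter()
    accepted = 0
    for t in reset_times:
        if limiter.on_reset(t):
            return accepted, True
        accepted += 1
    return accepted, False


# Constructed sample traffic, not captured data:
# a rapid-reset burst of 1000 RST_STREAM frames inside one second, and
# a well-behaved client resetting one stream every 100 ms (100 per 10 s).
RAPID_RESET_BURST = [i * 0.001 for i in range(1000)]
STEADY_CLIENT = [i * 0.1 for i in range(1000)]

if __name__ == "__main__":
    print("burst :", simulate(RAPID_RESET_BURST))   # (400, True)
    print("steady:", simulate(STEADY_CLIENT))       # (1000, False)
```

The steady client spans ten windows but never exceeds 100 resets in any of them, so it is never closed; the burst is cut off after 400 resets in well under a second, which is the bound the setting is meant to impose on the per-connection cost an abusive client can inflict.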

Affected versions
All Akka HTTP versions prior to 10.5.3

Fixed versions
Akka HTTP 10.5.3
