Bug 1216176 - VUL-0: apache2: Rapid reset attack impact (CVE-2023-44487)
Summary: VUL-0: apache2: Rapid reset attack impact (CVE-2023-44487)
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/381683/
Whiteboard:
Keywords:
Depends on: CVE-2023-45802
Blocks: CVE-2023-44487
Reported: 2023-10-12 12:00 UTC by Alexander Bergmann
Modified: 2024-05-07 07:48 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2023-10-12 12:00:17 UTC
The Apache2 upstream team posted the following statement about the impact of the "HTTP/2 Rapid Reset Attack" vulnerability.

https://github.com/apache/httpd-site/pull/10/commits/0ed0b409383b2ab17c8c04a59b6365c3a27a4920

## CVE-2023-44487 HTTP/2 'Rapid Reset' {#CVE-2023-44487}

Apache HTTP Server is not impacted by the problem described in
[CVE-2023-44487](https://www.cve.org/CVERecord?id=CVE-2023-44487):
the long-standing measures we have in place to limit excessive load
from clients are effective in this scenario. The attack described
will cause extra CPU usage on your Apache HTTP Server process, but
not impact any backends.

As an extra mitigation, if you upgrade the [libnghttp2](http://nghttp2.org/)
dependency of `mod_http2` to [at least version 1.57.0](https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0)
this will completely remove the impact from Rapid Reset exploits.


We are tracking all "HTTP/2 Rapid Reset Attack" related bugs within bsc#1216123.
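A check an administrator can run against the mitigation named in the upstream statement (added example; it is not part of this bug report and not Apache httpd's or SUSE's own tooling): compare the libnghttp2 that mod_http2 links against with the 1.57.0 threshold. The package name libnghttp2-14 and the pkg-config fallback are assumptions about the host, not something the bug states.

```shell
#!/bin/sh
# Added example: is the installed libnghttp2 at least 1.57.0, the version the
# upstream statement names as removing the Rapid Reset impact on mod_http2?

NGHTTP2_FIXED_VERSION="1.57.0"

# nghttp2_has_rapid_reset_fix VERSION
# Succeeds (exit 0) when VERSION, a dotted string such as 1.52.0, is >= 1.57.0.
# GNU sort -V orders dotted versions numerically, so when the fixed version
# sorts first (or is equal) the version under test is new enough.
nghttp2_has_rapid_reset_fix() {
    ver="$1"
    first=$(printf '%s\n%s\n' "$NGHTTP2_FIXED_VERSION" "$ver" | sort -V | head -n 1)
    [ "$first" = "$NGHTTP2_FIXED_VERSION" ]
}

# installed_nghttp2_version
# Prints the version of the libnghttp2 on this host. The package name
# libnghttp2-14 is an assumption about SUSE's packaging; pkg-config only works
# when the devel package is present. Fails (exit 1) when neither is available.
installed_nghttp2_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q libnghttp2-14 >/dev/null 2>&1; then
        # head -n 1 in case more than one architecture of the package is installed
        rpm -q --qf '%{VERSION}\n' libnghttp2-14 | head -n 1
    elif command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libnghttp2 2>/dev/null; then
        pkg-config --modversion libnghttp2
    else
        return 1
    fi
}

# rapid_reset_verdict VERSION
# Prints a one-line verdict for VERSION.
rapid_reset_verdict() {
    if nghttp2_has_rapid_reset_fix "$1"; then
        echo "libnghttp2 $1: at least $NGHTTP2_FIXED_VERSION, Rapid Reset impact removed"
    else
        echo "libnghttp2 $1: below $NGHTTP2_FIXED_VERSION, extra CPU load from Rapid Reset still possible"
    fi
}

# Usage: sh nghttp2-check.sh            (queries this host)
#        sh nghttp2-check.sh 1.52.0     (checks a given version string)
if [ $# -gt 0 ]; then
    rapid_reset_verdict "$1"
elif ver=$(installed_nghttp2_version); then
    rapid_reset_verdict "$ver"
else
    echo "could not determine the installed libnghttp2 version" >&2
fi
```

Two caveats when using this on a maintained SUSE release: distribution packages often carry backported fixes without bumping the upstream version string, so a "below 1.57.0" verdict should be confirmed against the package changelog (`rpm -q --changelog libnghttp2-14`) before concluding the host is unpatched; and the library version only matters if HTTP/2 is actually served, which `apachectl -M | grep http2` will show.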
Comment 1 Thomas Leroy 2024-05-07 07:48:17 UTC
All done, closing.