Fortra’s Alert Logic is actively researching CVE-2023-44487, a vulnerability in the HTTP/2 protocol that enables a new DDoS attack method. The vulnerability is triggered by using HTTP/2 features to rapidly establish and immediately reset many streams within a single TCP connection.
Who is affected?
Fortra Managed WAF is not vulnerable to this attack, as HTTP/2 support is disabled by default. Where HTTP/2 is enabled, the default Fortra Managed WAF configuration is consistent with the recommended values. Fortra Managed WAF uses nginx as its core web proxy. F5, nginx’s primary developer, recommends keeping the keepalive and maximum concurrent HTTP/2 stream settings within limits of 1000 and 128 respectively. The Fortra Managed WAF defaults are 50 for keepalive and 128 for concurrent HTTP/2 streams.
What can I do?
There are various suggested mitigations and patches across multiple vendors. It is recommended that you investigate your specific vendor’s advisory for details on how they best suggest dealing with this vulnerability. Some mitigations announced by common vendors are listed below.
In addition, F5 will be releasing a patch for nginx this week that will further improve its resiliency to the HTTP/2 Rapid Reset attack. This patch will be included in the upcoming Fortra Managed WAF release.
How is Alert Logic helping me?
For Managed Detection & Response customers
Vulnerability Scanning: Alert Logic released scan coverage on October 12, 2023, to identify CVE-2023-44487. An authenticated scan performed after this release will check for applied patches to mitigate this vulnerability. An unauthenticated scan performed after this release will look for vulnerable versions of affected packages in Apache Tomcat and Jetty.
For Fortra Managed WAF customers
The Web Security Expert team is available around the clock to help with further mitigation:
- In addition to the layer 7 configuration of keepalive and HTTP/2 concurrent streams, F5 recommends limiting concurrent network connections and throttling request frequency. Those controls are available in Fortra Managed WAF and can be configured upon request.
- HTTP/2 can be disabled for all websites on a WAF at the customer's request.
- Customers running in AWS can use the Fortra Managed WAF DDoS protection feature, which integrates with AWS to push protection into the AWS infrastructure in the event of a DDoS attack.
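The settings described in the "Who is affected?" section and in the list above can be expressed directly in nginx, the proxy the WAF is built on; the configuration below is an added example, not Fortra's or F5's own configuration. Directive names are real nginx directives; the stream and keepalive ceilings are the advisory's 128 and 1000, while the per-IP connection cap, request rate, zone sizes, hostname, paths and upstream are assumed placeholder values, and the advisory's "keepalive" figure is read here as keepalive_requests.

```nginx
# Added example (not Fortra's or F5's configuration): an nginx server applying
# the HTTP/2 Rapid Reset mitigations the advisory names.
http {
    # Shared-memory zones keyed by client address (zone sizes are assumptions).
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_req_zone  $binary_remote_addr zone=req_per_ip:10m rate=50r/s;

    # Assumption: the advisory's "keepalive" value maps to keepalive_requests,
    # the number of requests served over one keep-alive connection.
    keepalive_requests 1000;            # recommended ceiling from the advisory
    keepalive_timeout  30s;             # assumed short idle lifetime

    # Cap on streams a client may hold open on a single HTTP/2 connection.
    http2_max_concurrent_streams 128;   # value from the advisory

    upstream backend {
        server 127.0.0.1:8080;          # placeholder origin
    }

    server {
        # Dropping the "http2" parameter here disables HTTP/2 entirely, the
        # option the advisory offers on request. nginx >= 1.25.1 uses "http2 on;".
        listen 443 ssl http2;
        server_name example.com;                            # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

        # Concurrent-connection limit and request throttling per client IP,
        # the additional controls F5 recommends (values are assumptions).
        limit_conn conn_per_ip 20;
        limit_req  zone=req_per_ip burst=100 nodelay;
        limit_conn_status 429;
        limit_req_status  429;

        location / {
            proxy_pass http://backend;
        }
    }
}
```

Requests rejected by the limits appear in the error log at the level set by limit_conn_log_level and limit_req_log_level (default "error"), which gives a simple signal for watching a suspected Rapid Reset flood.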
Alert Logic has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.