PT-2023-5866 · Google +19 · Grpc-Go +23

Published: 2023-10-10 · Updated: 2025-08-14 · CVE-2023-44487

CVSS v2.0: 7.8
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions:

Apache HTTP Server versions prior to 2.4.57

Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0

F5 NGINX products (affected versions not specified)

gRPC-Go versions prior to 1.56.3, 1.57.1, and 1.58.3

IBM HTTP Server (powered by Apache) for IBM i (affected versions not specified)

nghttp2 versions prior to 1.57.0

Node.js (affected versions not specified)

swift-nio-http2 versions prior to 1.28

Tomcat versions 9.0.0-M1 through 9.0.80 (the 9.0.x branch; fixed in 9.0.81)

Description:

The HTTP/2 protocol allows a denial of service (server resource consumption) because a client can cancel requests by resetting many streams in quick succession. In the "Rapid Reset" pattern the attacker opens a stream with a HEADERS frame and immediately cancels it with an RST_STREAM frame. At the protocol level the cancelled stream no longer counts toward the SETTINGS_MAX_CONCURRENT_STREAMS limit, so the attacker can keep opening new streams, while the server has already started work on each one; the result is an effectively unbounded number of requests in flight over a single connection at very low cost to the attacker. The vulnerability has been exploited in the wild for large-scale DDoS attacks: Google reported mitigating one that peaked at 398 million requests per second. The number of potentially affected devices worldwide is not specified.
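As an added illustration (not code from the advisory or from any of the listed projects), the Go program below builds the HEADERS+RST_STREAM sequence described above, parses it back from the wire format, and runs it through two models of server-side stream accounting: the vulnerable one, in which a client RST_STREAM immediately frees the stream's slot under the concurrency cap, and a hardened one, in which the slot stays occupied until the server has finished the stream and the connection is closed once resets exceed a budget. The cap of 100 streams, the budget of 200 resets, the HPACK payload and all traffic are constructed assumptions; the hardened rules model the class of fix the listed projects shipped (counting in-flight work rather than client-visible streams, and limiting reset churn), not any one project's exact implementation.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RFC 9113 frame types (HEADERS, RST_STREAM), flags and the CANCEL error code.
const frameHeaders, frameRSTStream, flagEndStream, flagEndHeaders, errCancel = 0x1, 0x3, 0x1, 0x4, 0x8

// Frame is the part of a decoded HTTP/2 frame header that stream accounting needs.
type Frame struct{ Type byte; StreamID uint32 }

// encodeFrame serialises a frame header and payload (RFC 9113, section 4.1).
func encodeFrame(typ, flags byte, sid uint32, payload []byte) []byte {
	n := len(payload)
	hdr := []byte{byte(n >> 16), byte(n >> 8), byte(n), typ, flags, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(hdr[5:9], sid&0x7fffffff)
	return append(hdr, payload...)
}

// parseFrames splits a raw HTTP/2 byte stream (after the client preface) into frames, rejecting a truncated frame.
func parseFrames(buf []byte) ([]Frame, error) {
	var frames []Frame
	for len(buf) > 0 {
		if len(buf) < 9 {
			return nil, fmt.Errorf("truncated frame header")
		}
		n := 9 + (int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])) // header plus payload length
		if len(buf) < n {
			return nil, fmt.Errorf("truncated frame payload")
		}
		frames = append(frames, Frame{Type: buf[3], StreamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff})
		buf = buf[n:]
	}
	return frames, nil
}

// buildRequests is constructed client traffic: count HEADERS frames on odd stream IDs from start, each followed
// by RST_STREAM(CANCEL) when reset is set (the Rapid Reset pair). HPACK payload: :method GET, :path /, :scheme http.
func buildRequests(start uint32, count int, reset bool) []byte {
	var out []byte
	for i := 0; i < count; i++ {
		sid := start + uint32(2*i)
		out = append(out, encodeFrame(frameHeaders, flagEndStream|flagEndHeaders, sid, []byte{0x82, 0x84, 0x86})...)
		if reset {
			out = append(out, encodeFrame(frameRSTStream, 0, sid, []byte{0, 0, 0, errCancel})...)
		}
	}
	return out
}

// Verdict: streams accepted for work, HEADERS refused at the cap, client resets seen, connection closed over budget.
type Verdict struct{ Accepted, Refused, Resets int; Closed bool }

// Guard models server-side stream accounting for one connection. Vulnerable accounting frees a slot the moment the
// client resets the stream; hardened accounting frees it only via Finish and bounds resets per connection.
type Guard struct {
	MaxConcurrent, ResetBudget int // ResetBudget is enforced in hardened mode only (assumed values in main)
	Hardened                   bool
	inflight                   map[uint32]bool
	verdict                    Verdict
}

func NewGuard(maxConcurrent, resetBudget int, hardened bool) *Guard { return &Guard{MaxConcurrent: maxConcurrent, ResetBudget: resetBudget, Hardened: hardened, inflight: map[uint32]bool{}} }

// Finish is called when the server has completed the work for a stream.
func (g *Guard) Finish(sid uint32) { delete(g.inflight, sid) }

// Process applies the guard to frames in order and returns the cumulative verdict; after a close, frames are ignored.
func (g *Guard) Process(frames []Frame) Verdict {
	for _, f := range frames {
		if g.verdict.Closed || f.StreamID == 0 { // stream 0 never carries a request
			continue
		}
		switch f.Type {
		case frameHeaders:
			if len(g.inflight) >= g.MaxConcurrent {
				g.verdict.Refused++ // server answers RST_STREAM(REFUSED_STREAM)
				continue
			}
			g.inflight[f.StreamID] = true
			g.verdict.Accepted++
		case frameRSTStream:
			g.verdict.Resets++
			if !g.Hardened {
				delete(g.inflight, f.StreamID) // slot released at once: the flaw
			} else if g.ResetBudget > 0 && g.verdict.Resets > g.ResetBudget {
				g.verdict.Closed = true // server sends GOAWAY(ENHANCE_YOUR_CALM)
			}
		}
	}
	return g.verdict
}

func main() {
	frames, _ := parseFrames(buildRequests(1, 1000, true)) // constructed input, never truncated
	fmt.Printf("vulnerable: %+v\nhardened:   %+v\n", NewGuard(100, 0, false).Process(frames), NewGuard(100, 200, true).Process(frames))
}
```

With the same 1000 HEADERS+RST_STREAM pairs, vulnerable accounting starts work on all 1000 requests while never appearing to exceed its cap of 100, and hardened accounting starts 100, refuses the rest and tears the connection down after the 201st reset. The same hardened guard still serves a client that does not reset streams, because Finish releases slots as the server completes work, which is what a per-connection cap such as grpc.MaxConcurrentStreams relies on.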

Recommendations:

For Apache HTTP Server versions prior to 2.4.57, update to version 2.4.57 or later.

For Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0, upgrade to a release greater than or equal to 9.2.7 for version 9.2, or greater than or equal to 9.3.5 for version 9.3.

For F5 NGINX products, keep the HTTP/2 limits at their defaults or tighter: http2_max_concurrent_streams (default 128) caps the streams a client may hold open per connection, and keepalive_requests (default 1000) closes a connection after that many requests, which bounds how long a stream-reset flood can run on one connection. Raising either value widens the attack window. Per-client limit_conn and limit_req settings further reduce the impact.

For gRPC-Go versions prior to 1.56.3, 1.57.1, and 1.58.3, update to version 1.56.3, 1.57.1, or 1.58.3, or later, and ensure the grpc.MaxConcurrentStreams server option is applied to limit the server's resources used for any single connection.

For IBM HTTP Server (powered by Apache) for IBM i, update to a version that includes the fix for the vulnerability.

For nghttp2 versions prior to 1.57.0, update to version 1.57.0 or later.

For Node.js, update to a version that includes the fix for the vulnerability.

For swift-nio-http2 versions prior to 1.28, update to version 1.28 or later.

For Tomcat versions 9.0.0-M1 through 9.0.80, update to version 9.0.81 or later.
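For the NGINX recommendation, an added server block (not from the advisory or from F5) showing the settings to check. Zone names and sizes, the rate and burst values, the certificate paths and the upstream address are illustrative assumptions; the two HTTP/2 directives are written out at their defaults, with a raised value a deployment might have set left commented out to mark what to look for.

```nginx
# Added example, not from the advisory or from F5. Zone names, sizes, rates,
# certificate paths and the upstream address are illustrative assumptions.
upstream backend {
    server 127.0.0.1:8080;
}

limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=50r/s;

server {
    listen 443 ssl;
    http2 on;                      # nginx 1.25.1+; older releases: "listen 443 ssl http2;"
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # The two values the NGINX guidance turns on, written out at their
    # defaults so a review can see them. A raised value such as the
    # commented one below is what to look for in an existing deployment.
    http2_max_concurrent_streams 128;    # streams a client may hold open per connection
    # http2_max_concurrent_streams 4096; # weak: widens the per-connection attack window
    keepalive_requests 1000;             # connection is closed after this many requests

    # Per-client caps so one source cannot monopolise worker capacity.
    limit_conn perip_conn 100;
    limit_req  zone=perip_req burst=100 nodelay;

    location / {
        proxy_pass http://backend;
    }
}
```

To audit an existing deployment, `nginx -T | grep -E 'http2_max_concurrent_streams|keepalive_requests'` prints every explicit setting across the included files; no output means the defaults are in force, and any value above 128 or 1000 respectively is the one to bring back down.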

Tags: Exploit, Fix, DoS, Resource Exhaustion

Weakness Enumeration:

CWE-400: Uncontrolled Resource Consumption

Related Identifiers

ALSA-2023:5708
ALSA-2023:5709
ALSA-2023:5710
ALSA-2023:5711
ALSA-2023:5712
ALSA-2023:5713
ALSA-2023:5721
ALSA-2023:5738
ALSA-2023:5749
ALSA-2023:5765
ALSA-2023:5837
ALSA-2023:5838
ALSA-2023:5849
ALSA-2023:5850
ALSA-2023:5863
ALSA-2023:5867
ALSA-2023:5869
ALSA-2023:5924
ALSA-2023:5928
ALSA-2023:5929
ALSA-2023:5989
ALSA-2023:6077
ALSA-2023:6120
ALSA-2023:6746
ALSA-2023:7205
ALSA-2024:1444
ALSA-2024:2368
ALSA-2024:3121
ALT-PU-2023-6266
ALT-PU-2023-6303
ALT-PU-2023-6827
ALT-PU-2023-7050
ALT-PU-2023-7055
ALT-PU-2023-7119
ALT-PU-2023-7806
ALT-PU-2024-1883
ALT-PU-2024-2188
ALT-PU-2024-2761
ALT-PU-2024-2763
ALT-PU-2024-2765
ALT-PU-2024-2767
ALT-PU-2024-2823
ALT-PU-2024-4975
ALT-PU-2024-6625
ALT-PU-2024-6626
ALT-PU-2024-12000
ALT-PU-2024-12161
ALT-PU-2024-16022
ALT-PU-2024-16072
ALT-PU-2024-16792
ALT-PU-2024-16794
ALT-PU-2024-16796
ALT-PU-2024-16939
ALT-PU-2025-2379
ALT-PU-2025-9797
BDU:2023-06559
BIT-APISIX-2023-44487
BIT-ASPNET-CORE-2023-44487
BIT-CONTOUR-2023-44487
BIT-DOTNET-2023-44487
BIT-DOTNET-SDK-2023-44487
BIT-ENVOY-2023-44487
BIT-GOLANG-2023-44487
BIT-JENKINS-2023-44487
BIT-KONG-2023-44487
BIT-NGINX-2023-44487
BIT-NGINX-INGRESS-CONTROLLER-2023-44487
BIT-NODE-2023-44487
BIT-NODE-MIN-2023-44487
BIT-SOLR-2023-44487
BIT-TOMCAT-2023-44487
BIT-VARNISH-2023-44487
CESA-2023:5709
CESA-2023:5710
CESA-2023:5712
CESA-2023:5713
CESA-2023:5721
CESA-2023:5837
CESA-2023:5850
CESA-2023:5863
CESA-2023:5869
CESA-2023:5928
CESA-2023:5989
CESA-2023:7205
CESA-2024:1444
CVE-2023-44487
DLA-3617-1
DLA-3617-2
DLA-3621-1
DLA-3638-1
DLA-3641-1
DLA-3645-1
DLA-3656-1
DSA-5521-1
DSA-5522-1
DSA-5522-2
DSA-5522-3
DSA-5540-1
DSA-5549-1
DSA-5558-1
DSA-5570-1
ELSA-2023-5708
ELSA-2023-5709
ELSA-2023-5710
ELSA-2023-5711
ELSA-2023-5712
ELSA-2023-5713
ELSA-2023-5721
ELSA-2023-5738
ELSA-2023-5749
ELSA-2023-5765
ELSA-2023-5837
ELSA-2023-5838
ELSA-2023-5849
ELSA-2023-5850
ELSA-2023-5863
ELSA-2023-5867
ELSA-2023-5869
ELSA-2023-5924
ELSA-2023-5928
ELSA-2023-5929
ELSA-2023-5989
ELSA-2023-6120
ELSA-2023-6746
ELSA-2023-7205
ELSA-2023-13028
ELSA-2023-13029
ELSA-2023-13053
ELSA-2023-13054
ELSA-2024-1444
GHSA-2m7v-gc89-fjqf
GHSA-m425-mq94-257g
GHSA-qppj-fm5r-hxr3
GHSA-vx74-f528-fxqg
GHSA-xpw8-rcwv-8f8p
GO-2023-2102
GO-2023-2153
MGASA-2023-0299
OPENSUSE-SU-2023:0360-1
OPENSUSE-SU-2023:4068-1
OPENSUSE-SU-2023:4069-1
OPENSUSE-SU-2023:4163-1
OPENSUSE-SU-2023:4200-1
OPENSUSE-SU-2023:4207-1
OPENSUSE-SU-2023:4210-1
OPENSUSE-SU-2023:4295-1
OPENSUSE-SU-2023:4373-1
OPENSUSE-SU-2023:4374-1
OPENSUSE-SU-2023:4469-1
OPENSUSE-SU-2023:4472-1
OPENSUSE-SU-2024:0573-1
OPENSUSE-SU-2024:3094-1
OPENSUSE-SU-2024:3097-1
OPENSUSE-SU-2024:3098-1
OPENSUSE-SU-2024:3341-1
OPENSUSE-SU-2024:3342-1
OPENSUSE-SU-2024:3343-1
OPENSUSE-SU-2024:3344-1
OPENSUSE-SU-2024:13329-1
OPENSUSE-SU-2024:13331-1
OPENSUSE-SU-2024:13336-1
OPENSUSE-SU-2024:13337-1
OPENSUSE-SU-2024:13350-1
OPENSUSE-SU-2024:13360-1
OPENSUSE-SU-2024:13376-1
OPENSUSE-SU-2024:13390-1
OPENSUSE-SU-2024:13391-1
OPENSUSE-SU-2024:13441-1
OPENSUSE-SU-2024:13443-1
OPENSUSE-SU-2024:13466-1
OPENSUSE-SU-2024:13482-1
OPENSUSE-SU-2024:14292-1
OPENSUSE-SU-2024:14442-1
OPENSUSE-SU-2025:0282-1
OPENSUSE-SU-2025:0283-1
RHSA-2023:5009
RHSA-2023:5675
RHSA-2023:5679
RHSA-2023:5705
RHSA-2023:5706
RHSA-2023:5707
RHSA-2023:5708
RHSA-2023:5709
RHSA-2023:5710
RHSA-2023:5711
RHSA-2023:5712
RHSA-2023:5713
RHSA-2023:5714
RHSA-2023:5715
RHSA-2023:5717
RHSA-2023:5719
RHSA-2023:5720
RHSA-2023:5721
RHSA-2023:5738
RHSA-2023:5749
RHSA-2023:5764
RHSA-2023:5765
RHSA-2023:5766
RHSA-2023:5767
RHSA-2023:5768
RHSA-2023:5769
RHSA-2023:5770
RHSA-2023:5783
RHSA-2023:5803
RHSA-2023:5805
RHSA-2023:5809
RHSA-2023:5810
RHSA-2023:5835
RHSA-2023:5837
RHSA-2023:5838
RHSA-2023:5840
RHSA-2023:5841
RHSA-2023:5849
RHSA-2023:5850
RHSA-2023:5863
RHSA-2023:5864
RHSA-2023:5865
RHSA-2023:5866
RHSA-2023:5867
RHSA-2023:5869
RHSA-2023:5920
RHSA-2023:5924
RHSA-2023:5928
RHSA-2023:5929
RHSA-2023:5930
RHSA-2023:5931
RHSA-2023:5964
RHSA-2023:5965
RHSA-2023:5967
RHSA-2023:5969
RHSA-2023:5970
RHSA-2023:5979
RHSA-2023:5980
RHSA-2023:5982
RHSA-2023:5989
RHSA-2023:6020
RHSA-2023:6021
RHSA-2023:6022
RHSA-2023:6023
RHSA-2023:6057
RHSA-2023:6059
RHSA-2023:6077
RHSA-2023:6105
RHSA-2023:6120
RHSA-2023:6165
RHSA-2023:6171
RHSA-2023:6172
RHSA-2023:6179
RHSA-2023:6243
RHSA-2023:6298
RHSA-2023:6746
RHSA-2023:6781
RHSA-2023:6782
RHSA-2023:6818
RHSA-2023:6839
RHSA-2023:6840
RHSA-2023:7200
RHSA-2023:7201
RHSA-2023:7205
RHSA-2023:7288
RHSA-2023:7325
RHSA-2023:7334
RHSA-2023:7344
RHSA-2023:7481
RHSA-2023:7482
RHSA-2023:7483
RHSA-2023:7484
RHSA-2023:7521
RHSA-2023:7610
RHSA-2023:7637
RHSA-2023:7638
RHSA-2023:7639
RHSA-2023:7699
RHSA-2024:0777
RHSA-2024:1444
RHSA-2024:4118
RLSA-2023:5708
RLSA-2023:5721
RLSA-2023:5738
RLSA-2023:5749
RLSA-2023:5765
RLSA-2023:5838
RLSA-2023:5850
RLSA-2023:5863
RLSA-2023:5924
RLSA-2023:5928
RLSA-2023:5989
RLSA-2023:6077
RLSA-2023:6120
RLSA-2023:6746
RLSA-2023:6818
RLSA-2023:7205
RLSA-2024:1444
ROSA-SA-2024-2418
ROSA-SA-2024-2525
ROSA-SA-2025-2895
SUSE-SU-2023:4068-1
SUSE-SU-2023:4069-1
SUSE-SU-2023:4129-1
SUSE-SU-2023:4132-1
SUSE-SU-2023:4133-1
SUSE-SU-2023:4150-1
SUSE-SU-2023:4155-1
SUSE-SU-2023:4163-1
SUSE-SU-2023:4199-1
SUSE-SU-2023:4200-1
SUSE-SU-2023:4207-1
SUSE-SU-2023:4210-1
SUSE-SU-2023:4259-1
SUSE-SU-2023:4295-1
SUSE-SU-2023:4373-1
SUSE-SU-2023:4374-1
SUSE-SU-2023:4469-1
SUSE-SU-2023:4472-1
SUSE-SU-2023:4492-1
SUSE-SU-2023:4624-1
SUSE-SU-2024:0573-1
SUSE-SU-2024:3094-1
SUSE-SU-2024:3097-1
SUSE-SU-2024:3098-1
SUSE-SU-2024:3341-1
SUSE-SU-2024:3342-1
SUSE-SU-2024:3343-1
SUSE-SU-2024:3344-1
SUSE-SU-2025:0282-1
SUSE-SU-2025:0283-1
USN-6427-1
USN-6427-2
USN-6438-1
USN-6505-1
USN-6574-1
USN-6754-1
USN-6994-1
USN-7067-1
USN-7410-1
USN-7469-1
USN-7469-2
USN-7469-3
USN-7469-4

Affected Products

Alt Linux
Almalinux
Apache Http Server
Apache Tomcat
Astra Linux
Bamboo
Bamboo Data Center/Server
Centos
Confluence
Debian
F5 Nginx
Fortios
Grpc-Go
Ibm Http Server
Jenkins
Jira
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Swift-Nio-Http2
Ubuntu
Windows