PT-2023-5866 · Apple+19 · Swift-Nio-Http2+23

Secatgourity

·

Published

2023-01-11

·

Updated

2026-04-30

·

CVE-2023-44487

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions prior to 2.4.57 Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0 F5 NGINX products (affected versions not specified) gRPC-Go versions prior to 1.56.3, 1.57.1, and 1.58.3 IBM HTTP Server (powered by Apache) for IBM i (affected versions not specified) nghttp2 versions prior to 1.57.0 Node.js (affected versions not specified) swift-nio-http2 versions prior to 1.28 Tomcat versions 9.0.0 through 9.0.25
Description The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly. This vulnerability can be exploited by an attacker to launch a Distributed Denial of Service (DDoS) attack, overwhelming the server with a large number of requests and rendering it unavailable to legitimate users. The estimated number of potentially affected devices worldwide is not specified, but the vulnerability has been exploited in the wild, with Google reporting a peak of 398 million requests per second. Technical details about exploitation include the ability to reset streams immediately, allowing an attacker to create an indefinite number of requests in flight, and the use of the RST STREAM frame to cancel requests.
Recommendations For Apache HTTP Server versions prior to 2.4.57, update to version 2.4.57 or later. For Bamboo Data Center and Server versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.1, and 9.3.0, upgrade to a release greater than or equal to 9.2.7 for version 9.2, or greater than or equal to 9.3.5 for version 9.3. For F5 NGINX products, update the configuration to limit the number of concurrent streams to 128 by default and preserve HTTP connections up to 1000 requests. For gRPC-Go versions prior to 1.56.3, 1.57.1, and 1.58.3, update to version 1.56.3, 1.57.1, or 1.58.3, or later, and ensure the grpc.MaxConcurrentStreams server option is applied to limit the server's resources used for any single connection. For IBM HTTP Server (powered by Apache) for IBM i, update to a version that includes the fix for the vulnerability. For nghttp2 versions prior to 1.57.0, update to version 1.57.0 or later. For Node.js, update to a version that includes the fix for the vulnerability. For swift-nio-http2 versions prior to 1.28, update to version 1.28 or later. For Tomcat versions 9.0.0 through 9.0.25, update to a version that includes the fix for the vulnerability.

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

CWE-400

Related Identifiers

ALSA-2023:5708
ALSA-2023:5709
ALSA-2023:5710
ALSA-2023:5711
ALSA-2023:5712
ALSA-2023:5713
ALSA-2023:5721
ALSA-2023:5738
ALSA-2023:5749
ALSA-2023:5765
ALSA-2023:5837
ALSA-2023:5838
ALSA-2023:5849
ALSA-2023:5850
ALSA-2023:5863
ALSA-2023:5867
ALSA-2023:5869
ALSA-2023:5924
ALSA-2023:5928
ALSA-2023:5929
ALSA-2023:5989
ALSA-2023:6077
ALSA-2023:6120
ALSA-2023:6746
ALSA-2023:7205
ALSA-2023_0077
ALSA-2023_0079
ALSA-2023_3318
ALSA-2023_3319
ALSA-2023_3581
ALSA-2023_3582
ALSA-2023_3592
ALSA-2023_3593
ALSA-2023_3922
ALSA-2023_3923
ALSA-2023_4057
ALSA-2023_4058
ALSA-2023_4059
ALSA-2023_4060
ALSA-2023_4642
ALSA-2023_4643
ALSA-2023_4644
ALSA-2023_4645
ALSA-2023_5143
ALSA-2023_5144
ALSA-2023_5145
ALSA-2023_5146
ALSA-2023_5360
ALSA-2023_5362
ALSA-2023_5363
ALSA-2023_5532
ALSA-2023_5708
ALSA-2023_5709
ALSA-2023_5710
ALSA-2023_5711
ALSA-2023_5712
ALSA-2023_5713
ALSA-2023_5721
ALSA-2023_5738
ALSA-2023_5749
ALSA-2023_5765
ALSA-2023_5837
ALSA-2023_5838
ALSA-2023_5849
ALSA-2023_5850
ALSA-2023_5863
ALSA-2023_5867
ALSA-2023_5869
ALSA-2023_5924
ALSA-2023_5928
ALSA-2023_5929
ALSA-2023_5989
ALSA-2023_6077
ALSA-2023_6120
ALSA-2023_6242
ALSA-2023_6245
ALSA-2023_6246
ALSA-2023_6247
ALSA-2023_6746
ALSA-2023_7205
ALSA-2023_7253
ALSA-2023_7254
ALSA-2023_7255
ALSA-2023_7256
ALSA-2023_7257
ALSA-2023_7258
ALSA-2024:1444
ALSA-2024:2368
ALSA-2024:3121
ALSA-2024_0150
ALSA-2024_0151
ALSA-2024_0152
ALSA-2024_0156
ALSA-2024_0157
ALSA-2024_0158
ALSA-2024_0805
ALSA-2024_0806
ALSA-2024_0807
ALSA-2024_0808
ALSA-2024_0827
ALSA-2024_0848
ALSA-2024_1130
ALSA-2024_1131
ALSA-2024_1134
ALSA-2024_1149
ALSA-2024_1150
ALSA-2024_1308
ALSA-2024_1309
ALSA-2024_1310
ALSA-2024_1311
ALSA-2024_1438
ALSA-2024_1444
ALSA-2024_1503
ALSA-2024_1510
ALSA-2024_1687
ALSA-2024_1688
ALSA-2024_1962
ALSA-2024_1963
ALSA-2024_2079
ALSA-2024_2160
ALSA-2024_2193
ALSA-2024_2245
ALSA-2024_2272
ALSA-2024_2548
ALSA-2024_2549
ALSA-2024_2550
ALSA-2024_2562
ALSA-2024_2699
ALSA-2024_2724
ALSA-2024_2842
ALSA-2024_2843
ALSA-2024_3340
ALSA-2024_3345
ALSA-2024_3501
ALSA-2024_4252
ALSA-2024_4438
ALSA-2024_4439
ALSA-2024_4450
ALSA-2024_4451
ALSA-2024_7851
ALSA-2024_7867
ALSA-2024_7868
ALSA-2024_7869
ALSA-2025_11333
ALSA-2025_11335
ALSA-2025_16880
ALSA-2025_3261
ALSA-2025_3262
ALSA-2025_3645
ALSA-2025_3683
ALSA-2025_7256
ALSA-2025_7402
ALT-PU-2023-6264
ALT-PU-2023-6266
ALT-PU-2023-6303
ALT-PU-2023-6477
ALT-PU-2023-6827
ALT-PU-2023-6858
ALT-PU-2023-7050
ALT-PU-2023-7055
ALT-PU-2023-7094
ALT-PU-2023-7097
ALT-PU-2023-7119
ALT-PU-2023-7806
ALT-PU-2023-8058
ALT-PU-2024-1065
ALT-PU-2024-1066
ALT-PU-2024-1067
ALT-PU-2024-1068
ALT-PU-2024-1069
ALT-PU-2024-12000
ALT-PU-2024-12161
ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
ALT-PU-2024-16792
ALT-PU-2024-16794
ALT-PU-2024-16796
ALT-PU-2024-16939
ALT-PU-2024-1883
ALT-PU-2024-2188
ALT-PU-2024-2761
ALT-PU-2024-2763
ALT-PU-2024-2765
ALT-PU-2024-2767
ALT-PU-2024-2823
ALT-PU-2024-4687
ALT-PU-2024-4975
ALT-PU-2024-6625
ALT-PU-2024-6626
ALT-PU-2025-13603
ALT-PU-2025-2379
ALT-PU-2025-9797
AZL-31291
AZL-31292
AZL-31296
AZL-31297
AZL-31299
AZL-31300
AZL-31301
AZL-31304
AZL-31305
AZL-31306
AZL-31307
AZL-31312
AZL-31313
AZL-31314
AZL-31315
AZL-31316
AZL-31317
AZL-31318
AZL-31319
AZL-31323
AZL-31324
AZL-31325
AZL-31326
AZL-31327
AZL-31328
AZL-31329
AZL-31331
AZL-31332
AZL-31333
AZL-31335
AZL-31336
AZL-31339
AZL-31340
AZL-31341
AZL-31342
AZL-31343
AZL-31345
AZL-31346
AZL-31347
AZL-31348
AZL-31491
AZL-31493
AZL-31498
AZL-31519
AZL-31520
AZL-31693
AZL-33343
AZL-34545
AZL-34568
AZL-34579
AZL-34591
AZL-34609
AZL-34619
AZL-34623
AZL-34626
AZL-34682
AZL-34686
AZL-34771
AZL-34799
AZL-34805
AZL-34819
AZL-34825
AZL-34827
AZL-34837
AZL-34890
AZL-34895
AZL-34904
AZL-34964
AZL-34997
AZL-35008
AZL-35015
AZL-35028
AZL-35038
AZL-35068
AZL-35097
AZL-35114
AZL-35117
AZL-35282
AZL-35297
AZL-35350
AZL-35436
AZL-35441
AZL-37314
AZL-37404
AZL-39603
AZL-42750
AZL-43465
AZL-43747
AZL-44124
BDU:2023-06559
BIT-APISIX-2023-44487
BIT-ASPNET-CORE-2023-44487
BIT-CONTOUR-2023-44487
BIT-DOTNET-2023-44487
BIT-DOTNET-SDK-2023-44487
BIT-ENVOY-2023-44487
BIT-GOLANG-2023-44487
BIT-JENKINS-2023-44487
BIT-KONG-2023-44487
BIT-NGINX-2023-44487
BIT-NGINX-GATEWAY-2023-44487
BIT-NGINX-INGRESS-CONTROLLER-2023-44487
BIT-NODE-2023-44487
BIT-NODE-MIN-2023-44487
BIT-SOLR-2023-44487
BIT-TOMCAT-2023-44487
BIT-VARNISH-2023-44487
CESA-2023_5709
CESA-2023_5710
CESA-2023_5712
CESA-2023_5713
CESA-2023_5721
CESA-2023_5837
CESA-2023_5850
CESA-2023_5863
CESA-2023_5869
CESA-2023_5928
CESA-2023_5989
CESA-2023_7205
CESA-2024_1444
CLEANSTART-2026-AF45008
CLEANSTART-2026-BA37192
CLEANSTART-2026-BD71263
CLEANSTART-2026-GG94489
CLEANSTART-2026-HV28992
CLEANSTART-2026-IS74202
CLEANSTART-2026-JR35772
CLEANSTART-2026-JY06700
CLEANSTART-2026-KN34553
CLEANSTART-2026-KZ45320
CLEANSTART-2026-LN12820
CLEANSTART-2026-MQ02912
CLEANSTART-2026-WI75198
CLEANSTART-2026-XB16901
CLEANSTART-2026-ZN32454
CLEANSTART-2026-ZT77083
CVE-2023-44487
DLA-3617-1
DLA-3617-2
DLA-3621-1
DLA-3638-1
DLA-3641-1
DLA-3645-1
DLA-3656-1
DSA-5521-1
DSA-5522-1
DSA-5522-2
DSA-5522-3
DSA-5540-1
DSA-5549-1
DSA-5558-1
DSA-5570-1
ECHO-56A6-A351-03E9
ELSA-2023-13028
ELSA-2023-13029
ELSA-2023-13053
ELSA-2023-13054
ELSA-2023-5708
ELSA-2023-5709
ELSA-2023-5710
ELSA-2023-5711
ELSA-2023-5712
ELSA-2023-5713
ELSA-2023-5721
ELSA-2023-5738
ELSA-2023-5749
ELSA-2023-5765
ELSA-2023-5837
ELSA-2023-5838
ELSA-2023-5849
ELSA-2023-5850
ELSA-2023-5863
ELSA-2023-5867
ELSA-2023-5869
ELSA-2023-5924
ELSA-2023-5928
ELSA-2023-5929
ELSA-2023-5989
ELSA-2023-6120
ELSA-2023-6746
ELSA-2023-7205
ELSA-2024-1444
GHSA-2M7V-GC89-FJQF
GHSA-M425-MQ94-257G
GHSA-QPPJ-FM5R-HXR3
GHSA-VX74-F528-FXQG
GHSA-XPW8-RCWV-8F8P
GO-2023-2102
GO-2023-2153
JLSEC-2026-3
MGASA-2023-0299
OESA-2023-1771
OESA-2023-1777
OESA-2024-1168
OESA-2024-1169
OESA-2024-1170
OESA-2024-1171
OESA-2024-1172
OESA-2024-1173
OESA-2024-1189
OESA-2024-2402
OESA-2024-2403
OESA-2024-2404
OESA-2024-2405
OESA-2024-2460
OESA-2025-1183
OESA-2025-1185
OPENSUSE-SU-2023:0360-1
OPENSUSE-SU-2023_4068-1
OPENSUSE-SU-2023_4069-1
OPENSUSE-SU-2023_4163-1
OPENSUSE-SU-2023_4200-1
OPENSUSE-SU-2023_4207-1
OPENSUSE-SU-2023_4210-1
OPENSUSE-SU-2023_4295-1
OPENSUSE-SU-2023_4373-1
OPENSUSE-SU-2023_4374-1
OPENSUSE-SU-2023_4469-1
OPENSUSE-SU-2023_4472-1
OPENSUSE-SU-2024:13329-1
OPENSUSE-SU-2024:13331-1
OPENSUSE-SU-2024:13336-1
OPENSUSE-SU-2024:13337-1
OPENSUSE-SU-2024:13350-1
OPENSUSE-SU-2024:13360-1
OPENSUSE-SU-2024:13376-1
OPENSUSE-SU-2024:13390-1
OPENSUSE-SU-2024:13391-1
OPENSUSE-SU-2024:13441-1
OPENSUSE-SU-2024:13443-1
OPENSUSE-SU-2024:13466-1
OPENSUSE-SU-2024:13482-1
OPENSUSE-SU-2024:14292-1
OPENSUSE-SU-2024:14442-1
OPENSUSE-SU-2024_0573-1
OPENSUSE-SU-2024_3094-1
OPENSUSE-SU-2024_3097-1
OPENSUSE-SU-2024_3098-1
OPENSUSE-SU-2024_3341-1
OPENSUSE-SU-2024_3342-1
OPENSUSE-SU-2024_3343-1
OPENSUSE-SU-2024_3344-1
OPENSUSE-SU-2025_0282-1
OPENSUSE-SU-2025_0283-1
RHSA-2023:5009
RHSA-2023:5675
RHSA-2023:5679
RHSA-2023:5705
RHSA-2023:5706
RHSA-2023:5707
RHSA-2023:5708
RHSA-2023:5709
RHSA-2023:5710
RHSA-2023:5711
RHSA-2023:5712
RHSA-2023:5713
RHSA-2023:5714
RHSA-2023:5715
RHSA-2023:5717
RHSA-2023:5719
RHSA-2023:5720
RHSA-2023:5721
RHSA-2023:5738
RHSA-2023:5749
RHSA-2023:5764
RHSA-2023:5765
RHSA-2023:5766
RHSA-2023:5767
RHSA-2023:5768
RHSA-2023:5769
RHSA-2023:5770
RHSA-2023:5783
RHSA-2023:5803
RHSA-2023:5805
RHSA-2023:5809
RHSA-2023:5810
RHSA-2023:5835
RHSA-2023:5837
RHSA-2023:5838
RHSA-2023:5840
RHSA-2023:5841
RHSA-2023:5849
RHSA-2023:5850
RHSA-2023:5863
RHSA-2023:5864
RHSA-2023:5865
RHSA-2023:5866
RHSA-2023:5867
RHSA-2023:5869
RHSA-2023:5920
RHSA-2023:5924
RHSA-2023:5928
RHSA-2023:5929
RHSA-2023:5930
RHSA-2023:5931
RHSA-2023:5964
RHSA-2023:5965
RHSA-2023:5967
RHSA-2023:5969
RHSA-2023:5970
RHSA-2023:5979
RHSA-2023:5980
RHSA-2023:5982
RHSA-2023:5989
RHSA-2023:6020
RHSA-2023:6021
RHSA-2023:6022
RHSA-2023:6023
RHSA-2023:6057
RHSA-2023:6059
RHSA-2023:6077
RHSA-2023:6105
RHSA-2023:6120
RHSA-2023:6165
RHSA-2023:6171
RHSA-2023:6172
RHSA-2023:6179
RHSA-2023:6243
RHSA-2023:6298
RHSA-2023:6746
RHSA-2023:6781
RHSA-2023:6782
RHSA-2023:6818
RHSA-2023:6839
RHSA-2023:6840
RHSA-2023:7200
RHSA-2023:7201
RHSA-2023:7205
RHSA-2023:7288
RHSA-2023:7325
RHSA-2023:7334
RHSA-2023:7344
RHSA-2023:7481
RHSA-2023:7482
RHSA-2023:7483
RHSA-2023:7484
RHSA-2023:7521
RHSA-2023:7610
RHSA-2023:7637
RHSA-2023:7638
RHSA-2023:7639
RHSA-2023:7699
RHSA-2023_5708
RHSA-2023_5709
RHSA-2023_5710
RHSA-2023_5711
RHSA-2023_5712
RHSA-2023_5713
RHSA-2023_5721
RHSA-2023_5738
RHSA-2023_5749
RHSA-2023_5765
RHSA-2023_5835
RHSA-2023_5837
RHSA-2023_5838
RHSA-2023_5849
RHSA-2023_5850
RHSA-2023_5863
RHSA-2023_5867
RHSA-2023_5869
RHSA-2023_5924
RHSA-2023_5928
RHSA-2023_5929
RHSA-2023_5989
RHSA-2023_6077
RHSA-2023_6120
RHSA-2023_6746
RHSA-2023_7205
RHSA-2024:0777
RHSA-2024:1444
RHSA-2024:4118
RHSA-2024_1444
RHSA-2025:16668
RHSA-2026:8322
RLSA-2023:5708
RLSA-2023:5721
RLSA-2023:5738
RLSA-2023:5749
RLSA-2023:5765
RLSA-2023:5838
RLSA-2023:5850
RLSA-2023:5863
RLSA-2023:5924
RLSA-2023:5928
RLSA-2023:5989
RLSA-2023:6077
RLSA-2023:6120
RLSA-2023:6746
RLSA-2023:6818
RLSA-2023:7205
RLSA-2023_5721
RLSA-2023_5738
RLSA-2023_5765
RLSA-2023_5837
RLSA-2023_5849
RLSA-2023_5850
RLSA-2023_5863
RLSA-2023_5869
RLSA-2023_5924
RLSA-2023_5928
RLSA-2023_5989
RLSA-2023_6120
RLSA-2023_6818
RLSA-2023_7205
RLSA-2024:1444
RLSA-2024_1444
ROSA-SA-2024-2418
ROSA-SA-2024-2525
ROSA-SA-2025-2895
SUSE-SU-2023:4068-1
SUSE-SU-2023:4069-1
SUSE-SU-2023:4129-1
SUSE-SU-2023:4132-1
SUSE-SU-2023:4133-1
SUSE-SU-2023:4150-1
SUSE-SU-2023:4155-1
SUSE-SU-2023:4163-1
SUSE-SU-2023:4199-1
SUSE-SU-2023:4200-1
SUSE-SU-2023:4207-1
SUSE-SU-2023:4210-1
SUSE-SU-2023:4259-1
SUSE-SU-2023:4295-1
SUSE-SU-2023:4373-1
SUSE-SU-2023:4374-1
SUSE-SU-2023:4469-1
SUSE-SU-2023:4472-1
SUSE-SU-2023:4492-1
SUSE-SU-2023:4624-1
SUSE-SU-2023_4068-1
SUSE-SU-2023_4069-1
SUSE-SU-2023_4129-1
SUSE-SU-2023_4132-1
SUSE-SU-2023_4133-1
SUSE-SU-2023_4150-1
SUSE-SU-2023_4155-1
SUSE-SU-2023_4163-1
SUSE-SU-2023_4199-1
SUSE-SU-2023_4200-1
SUSE-SU-2023_4207-1
SUSE-SU-2023_4210-1
SUSE-SU-2023_4259-1
SUSE-SU-2023_4295-1
SUSE-SU-2023_4373-1
SUSE-SU-2023_4374-1
SUSE-SU-2023_4469-1
SUSE-SU-2023_4472-1
SUSE-SU-2023_4492-1
SUSE-SU-2023_4624-1
SUSE-SU-2024:0573-1
SUSE-SU-2024:3094-1
SUSE-SU-2024:3097-1
SUSE-SU-2024:3098-1
SUSE-SU-2024:3341-1
SUSE-SU-2024:3342-1
SUSE-SU-2024:3343-1
SUSE-SU-2024:3344-1
SUSE-SU-2024_0573-1
SUSE-SU-2024_3094-1
SUSE-SU-2024_3097-1
SUSE-SU-2024_3098-1
SUSE-SU-2024_3341-1
SUSE-SU-2024_3342-1
SUSE-SU-2024_3343-1
SUSE-SU-2024_3344-1
SUSE-SU-2025:0282-1
SUSE-SU-2025:0283-1
SUSE-SU-2025_0282-1
SUSE-SU-2025_0283-1
SUSE-SU-2026:1058-1
USN-6427-1
USN-6427-2
USN-6438-1
USN-6505-1
USN-6574-1
USN-6754-1
USN-6994-1
USN-7067-1
USN-7410-1
USN-7469-1
USN-7469-2
USN-7469-3
USN-7469-4
USN-7892-1

Affected Products

Alt Linux
Almalinux
Apache Http Server
Apache Tomcat
Astra Linux
Bamboo
Bamboo Data Center/Server
Centos
Confluence
Debian
F5 Nginx
Fortios
Ibm Http Server
Jenkins
Jira
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Windows
Grpc-Go
Swift-Nio-Http2