CVE-2023-44487

Public on 2023-10-10
Modified on 2024-03-28
Description
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Severity
Important
CVSS v3 Base Score
7.5

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2023 | dotnet6.0 | 2023-10-16 | ALAS2023-2023-389 | Fixed |
| Amazon Linux 2 - Ecs Extra | ecs-service-connect-agent | 2023-10-31 | ALAS2ECS-2023-016 | Fixed |
| Amazon Linux 2023 | ecs-service-connect-agent | 2023-10-30 | ALAS2023-2023-420 | Fixed |
| Amazon Linux 1 | golang | 2023-10-16 | ALAS-2023-1871 | Fixed |
| Amazon Linux 2 - Core | golang | 2023-10-16 | ALAS2-2023-2313 | Fixed |
| Amazon Linux 2023 | golang | 2023-10-16 | ALAS2023-2023-394 | Fixed |
| Amazon Linux 2023 | grpc | 2024-01-03 | ALAS2023-2024-474 | Fixed |
| Amazon Linux 1 | nghttp2 | 2023-10-16 | ALAS-2023-1869 | Fixed |
| Amazon Linux 2 - Core | nghttp2 | 2023-10-16 | ALAS2-2023-2312 | Fixed |
| Amazon Linux 2023 | nghttp2 | 2023-10-16 | ALAS2023-2023-392 | Fixed |
| Amazon Linux 1 | nginx | 2023-10-16 | ALAS-2023-1870 | Fixed |
| Amazon Linux 2 - Nginx1 Extra | nginx | 2023-10-16 | ALAS2NGINX1-2023-006 | Fixed |
| Amazon Linux 2023 | nginx | 2023-10-16 | ALAS2023-2023-393 | Fixed |
| Amazon Linux 2023 | nodejs | 2023-10-16 | ALAS2023-2023-391 | Fixed |
| Amazon Linux 2 - Core | tomcat | | | Not Affected |
| Amazon Linux 2 - Tomcat8.5 Extra | tomcat | 2023-10-16 | ALAS2TOMCAT8.5-2023-016 | Fixed |
| Amazon Linux 2 - Tomcat9 Extra | tomcat | 2023-10-16 | ALAS2TOMCAT9-2023-010 | Fixed |
| Amazon Linux 1 | tomcat8 | 2023-10-16 | ALAS-2023-1868 | Fixed |
| Amazon Linux 2023 | tomcat9 | 2023-10-16 | ALAS2023-2023-390 | Fixed |

CVSS Scores

| | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |