On October 10, 2023, the following HTTP/2 protocol-level weakness, which enables a novel distributed denial of service (DDoS) attack technique, was disclosed:
CVE-2023-44487: HTTP/2 Rapid Reset
For a description of this vulnerability, see the following publications:
- [How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack) (Google)
- [HTTP/2 Zero-Day vulnerability results in record-breaking DDoS attacks](https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/) (Cloudflare)
- [CVE-2023-44487 - HTTP/2 Rapid Reset Attack](https://aws.amazon.com/security/security-bulletins/AWS-2023-011/) (AWS)
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ
Vendor | Product | Version | CPE |
---|---|---|---|
cisco | unified_contact_center_enterprise | any | cpe:2.3:a:cisco:unified_contact_center_enterprise:any:*:*:*:*:*:*:* |
cisco | cisco_nx-os_software | any | cpe:2.3:a:cisco:cisco_nx-os_software:any:*:*:*:*:*:*:* |
cisco | secure_web_appliance_firmware | any | cpe:2.3:o:cisco:secure_web_appliance_firmware:any:*:*:*:*:*:*:* |
cisco | prime_network_registrar | any | cpe:2.3:a:cisco:prime_network_registrar:any:*:*:*:*:*:*:* |
cisco | telepresence_video_communication_server | any | cpe:2.3:a:cisco:telepresence_video_communication_server:any:*:*:*:expressway:*:*:* |
cisco | evolved_programmable_network_manager | any | cpe:2.3:a:cisco:evolved_programmable_network_manager:any:*:*:*:*:*:*:* |
cisco | enterprise_chat_and_email | any | cpe:2.3:a:cisco:enterprise_chat_and_email:any:*:*:*:*:*:*:* |
cisco | prime_cable_provisioning | any | cpe:2.3:a:cisco:prime_cable_provisioning:any:*:*:*:*:*:*:* |
cisco | ultra_cloud_core_-_session_management_function | any | cpe:2.3:a:cisco:ultra_cloud_core_-_session_management_function:any:*:*:*:*:*:*:* |
cisco | cisco_wae_automation | any | cpe:2.3:a:cisco:cisco_wae_automation:any:*:*:*:*:*:*:* |