HTTP/2 Rapid Reset : CVE-2023-44487

[extremeshok]

Is caddy patched or vulnerable to the attack.

See : CVE-2023-44487

https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

[kiwixz]

I am pretty sure caddy has no rate-limiting built in, so it's not affected by this.

[bt90]

This is a vulnerability in the HTTP/2 protocol that is being targeted by DDoS attacks. I don't see what this has to do with a rate-limiting feature. The only thing related to rate limiting seems to me to be the migitation strategy.

The real question is at what layer this needs to be addressed. Do we need to wait for a fix in x/net/http2, or is this something that caddy needs to implement itself?

Response of nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

Apache's migitation strategy: https://chaos.social/@icing/111210915918780532

[mohammed90]

Do we need to wait for a fix in x/net/http2

I think yes. I'm trying to keep an eye on Go's announcements to see what they'll say. The vuln and mitigation layer is below Caddy's scope.

[piroux]

FWIW, Go 1.21.3 is planned for release today, but mainly to fix an "unrelated" security vuln.

So far, there is no mention of CVE-2023-44487 in the Go repo on Github.

Do we need to wait for a fix in x/net/http2

Well it seems that grpc-go has been working on a fix already , that might be worth taking a look.

[neild]

Go 1.21.3 will be out shortly, with a mitigation for Rapid Reset. An update to x/net/http2 will follow shortly after. More details will be in the release announcement.

[mohammed90]

Go 1.21.3 will be out shortly, with a mitigation for Rapid Reset. An update to x/net/http2 will follow shortly after. More details will be in the release announcement.

Glad to hear! Thank you

[piroux]

The fix for CVE-2023-44487 has been merged: golang/go#63417

And Go 1.21.3 has been released: https://github.com/golang/go/releases/tag/go1.21.3 🎉

[mholt]

The build server was updated a few minutes ago so running caddy upgrade will patch you. We'll issue a new release in a little while.

Thank you @neild for the attention and the quick fix!

[chris-short]

Great work all, thank you