HTTP/2 Rapid Reset - Zero-Day Vulnerability

liamgibbins · October 12, 2023, 6:34am

HTTP/2 Zero-Day Vulnerabilit

eris · October 12, 2023, 7:24am

eris · October 12, 2023, 7:26am

So far I can see we use for keepalive_requests 10 000 instead of 1000

sahsanu · October 12, 2023, 8:26am

For all that want to change keepalive_requests from 10000 to 1000 to mitigate the vulnerability:

sed -i -E 's/(.*keepalive_requests\s{1,})10000;/\11000;/' /etc/nginx/nginx.conf /usr/local/hestia/nginx/conf/nginx.conf
systemctl restart nginx
systemctl restart hestia

Here is a gist that centralizes the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability.

gist.github.com

https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088

http2-rapid-reset-ddos-attack.md

# Introduction

This Gist aims to centralise the most relevant public sources of information related to the [HTTP/2](https://datatracker.ietf.org/doc/html/rfc7540) Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.

Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.

# References

- [CVE-2023-44487](https://cvepremium.circl.lu/cve/CVE-2023-44487), CIRCL CVE Search
- [How AWS protects customers from DDoS events](https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/), AWS

This file has been truncated. show original

eris · October 12, 2023, 8:33am

Thanks for not having to create the sed