Tarah Wheeler :donor: /
npub1wkw…vzzk
2023-10-10 14:50:06


My TL;DR on the new CVE-2023-44487 vuln.

There doesn't appear to be an actually good breakdown out there yet of this HTTP/2 vuln based around session resets. Even though it looks like AWS and Cloudflare did their jobs and patched, their blogs seem to have been thoroughly lawyered into corpspeak instead of being useful.

So I read the mitigation, which is found below. See line 479. This vuln is about the number of session resets permitted, and the fact that there wasn't a rate limit on them before now. At scale that permitted DDoS if infra wasn't behind Cloudflare or similar.

The mitigation looks like adding a rate limit to session resets; it's the few lines of code starting at 479, and the checks/improvements around that.

This is where it gets fixed:

"nghttp2_ratelim_init(&(*session_ptr)->stream_reset_ratelim,"

OTOH this is C code with a major vuln that isn't related to memory unsafety, so huzzah, I guess?

Patch HTTP/2. Continue Tuesdaying like a boss.

https://github.com/nghttp2/nghttp2/pull/1961/files
Author Public Key
npub1wkwvdg3flmgvvwanqzny5hy0c0jtyx4xg5qqmqd34hgxg2a0enqsmjvzzk
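The mitigation the post points at is a per-connection rate limit on stream resets: a token bucket that a burst of RST_STREAM frames drains, with the server tearing the connection down once the bucket is empty. The following is an added illustration of that idea, not code from the post or from the nghttp2 project; the struct and function names (`reset_ratelim`, `reset_ratelim_drain`, `count_allowed_resets`) are hypothetical, and the burst and refill values in the usage are constructed for the demonstration, not nghttp2's defaults.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Token bucket for stream resets on one HTTP/2 connection (hypothetical
 * names, modelled on the rate-limit concept described in the post).
 * - burst: maximum tokens the bucket holds (resets allowed instantly)
 * - rate:  tokens added back per second of wall-clock time
 * - val:   tokens currently available
 * - tstamp: time (seconds) of the last refill */
typedef struct {
    uint64_t val;
    uint64_t burst;
    uint64_t rate;
    uint64_t tstamp;
} reset_ratelim;

/* Start with a full bucket so a well-behaved client is never throttled. */
void reset_ratelim_init(reset_ratelim *rl, uint64_t burst, uint64_t rate,
                        uint64_t now) {
    rl->val = burst;
    rl->burst = burst;
    rl->rate = rate;
    rl->tstamp = now;
}

/* Refill tokens for the time elapsed since the last update, capped at
 * burst. The comparison against burst/rate avoids multiplying a huge
 * elapsed interval by rate and overflowing. */
void reset_ratelim_update(reset_ratelim *rl, uint64_t now) {
    if (now <= rl->tstamp || rl->rate == 0) {
        return;
    }
    uint64_t elapsed = now - rl->tstamp;
    rl->tstamp = now;
    if (elapsed >= rl->burst / rl->rate + 1) {
        rl->val = rl->burst;        /* long idle period: bucket is full */
        return;
    }
    uint64_t refilled = rl->val + elapsed * rl->rate;
    rl->val = refilled > rl->burst ? rl->burst : refilled;
}

/* Called for every RST_STREAM received. Returns 1 if the reset is within
 * the limit, 0 if the bucket is empty (the server should close the
 * connection rather than keep servicing resets). */
int reset_ratelim_drain(reset_ratelim *rl, uint64_t now) {
    reset_ratelim_update(rl, now);
    if (rl->val == 0) {
        return 0;
    }
    rl->val--;
    return 1;
}

/* Simulate one client sending n resets at time "now" and report how many
 * were accepted before the limit tripped. A flood far larger than the
 * burst is cut off at the burst size instead of consuming server work. */
size_t count_allowed_resets(reset_ratelim *rl, size_t n, uint64_t now) {
    size_t allowed = 0;
    for (size_t i = 0; i < n; i++) {
        if (!reset_ratelim_drain(rl, now)) {
            break;              /* connection would be torn down here */
        }
        allowed++;
    }
    return allowed;
}

int main(void) {
    reset_ratelim rl;
    /* Constructed demo values: 10 resets of burst, 2 tokens/second refill. */
    reset_ratelim_init(&rl, 10, 2, 0);
    printf("flood of 15 at t=0: %zu accepted\n", count_allowed_resets(&rl, 15, 0));
    printf("flood of 100 at t=3: %zu accepted\n", count_allowed_resets(&rl, 100, 3));
    printf("flood of 100 after long idle: %zu accepted\n",
           count_allowed_resets(&rl, 100, 1000));
    return 0;
}
```

The point to take from the simulation: once the bucket is empty the right response is to close the connection, not to keep processing the resets, because the cost the attack exploits is the server-side work done per stream before the reset arrives. Sizing the burst and refill rate for real traffic is a tuning question for the deployment; the values above are only illustrative.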