MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Released: Oct 10, 2023
Last updated: Dec 10, 2024
- Assigning CNA: MITRE Corporation
- CVE.org link: CVE-2023-44487
- Impact: Denial of Service
- Max Severity: Important
- Weakness
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: Yes
- Exploitability assessment: Exploitation Detected
Workarounds
The following workarounds might be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave either of these workarounds in place:
Disable the HTTP/2 protocol on your web server by using the Registry Editor
Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.
- Click Start, click Run, type Regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
- Set the DWORD type values EnableHttp2Tls and EnableHttp2Cleartext to one of the following:
  - Set to 0 to disable HTTP/2
  - Set to 1 to enable HTTP/2
- Exit Registry Editor.
- Restart the computer.
Include a protocols setting for each Kestrel endpoint to limit your application to HTTP/1.1
For .NET and Kestrel, servers without HTTP/2 enabled are not affected. To limit your application to HTTP/1.1 via config, edit your appsettings.json to include a protocols setting for each endpoint:
```json
"Kestrel": {
  "Endpoints": {
    "http": {
      // your existing config
      "Protocols": "Http1"
    },
    "https": {
      // your existing config
      "Protocols": "Http1"
    }
  }
}
```
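As an added example, not part of the Microsoft advisory, the following PowerShell script audits both workarounds described above on a Windows host: it reads the two HTTP.sys DWORD values named in the registry steps, can set them to 0 (the "disable HTTP/2" value), and checks an appsettings.json for Kestrel endpoints whose Protocols setting is not Http1. It assumes an elevated session, the registry path and value names quoted in the advisory, and a placeholder appsettings.json path that you supply; the function names and the comment-stripping step are this example's own, not Microsoft's.

```powershell
# Added example (not from the Microsoft advisory). Run in an elevated PowerShell session.
# Assumed: the HTTP.sys key and value names below are exactly those quoted in the advisory.

$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$ValueNames = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2State {
    # Reports each DWORD named in the workaround. An absent value means HTTP.sys is using
    # its default (HTTP/2 enabled on builds that support it), so "absent" is reported
    # explicitly rather than being mistaken for "disabled".
    foreach ($name in $ValueNames) {
        $item  = Get-ItemProperty -Path $HttpParams -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($null -ne $item) { $value = $item.$name }
        [pscustomobject]@{
            Name    = $name
            Present = ($null -ne $item)
            Value   = $value
        }
    }
}

function Disable-Http2 {
    # Sets both DWORDs to 0, creating them if they do not exist (-Force overwrites).
    # HTTP.sys only picks up the change after a restart, as the advisory's last step says.
    foreach ($name in $ValueNames) {
        New-ItemProperty -Path $HttpParams -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Test-KestrelHttp1Only {
    param([Parameter(Mandatory)][string]$AppSettingsPath)
    # Lists every Kestrel endpoint in appsettings.json that is not pinned to "Http1".
    # The -replace strips whole-line // comments (the advisory's snippet contains them);
    # .NET's JSON configuration reader tolerates them but ConvertFrom-Json does not.
    $raw  = Get-Content -Raw -Path $AppSettingsPath
    $json = ($raw -replace '(?m)^\s*//.*$', '') | ConvertFrom-Json
    $endpoints = $json.Kestrel.Endpoints
    if ($null -eq $endpoints) { return @() }
    foreach ($prop in $endpoints.PSObject.Properties) {
        $protocols = $prop.Value.Protocols
        # A missing Protocols value is reported too: Kestrel's default is not HTTP/1.1 only.
        if ($protocols -ne 'Http1') {
            [pscustomobject]@{ Endpoint = $prop.Name; Protocols = $protocols }
        }
    }
}

# Usage:
Get-Http2State | Format-Table
# Disable-Http2; Restart-Computer                                         # apply the HTTP.sys workaround
# Test-KestrelHttp1Only -AppSettingsPath 'C:\path\to\appsettings.json'   # placeholder path
```

Get-Http2State is the pre- and post-change check: run it before Disable-Http2 to record the current state, and after the reboot to confirm both values read 0. Test-KestrelHttp1Only returns an empty list when every endpoint is pinned to Http1, which is the state the Kestrel workaround asks for.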
Acknowledgements
- Amazon, Cloudflare, and Google
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
- 10.0.14393.6351
- 10.0.14393.6351
- 10.0.14393.6351
- 10.0.19045.3570
- 10.0.19045.3570
- 10.0.19045.3570
- 10.0.22621.2428
- 10.0.22621.2428
- 10.0.19044.3570
- 10.0.19044.3570
- 10.0.19044.3570
- 10.0.22000.2538
- 10.0.22000.2538
- 10.0.20348.2031
- 10.0.17763.4974
- 10.0.17763.4974
- 10.0.17763.4974
- 10.0.17763.4974
- 17.7.6
- 17.6.9
- 17.4.13
- 17.2.21
Disclaimer
Revisions
To comprehensively address CVE-2023-44487, Microsoft released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio.
Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
Updated product information in the Software Update table. This is an informational change only.
In the Workarounds section, corrected the font for the DWORD values "EnableHttp2Tls" (TLS as in Transport Layer Security) and EnableHttp2Cleartext for readability. Note that the "I" should be interpreted as "L" and not an "i".
In the Security Updates table, corrected Article links for ASP.NET Core 6.0 and ASP.NET Core 7.0. This is an informational change only.
Information published.