Early Access — Mondoo Vulnerability Intelligence is currently in preview.

UBUNTU-CVE-2023-44487 | Mondoo Vulnerability Intelligence

UBUNTU-CVE-2023-44487

HIGH7.5

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Published Oct 10, 2023

Modified 7 months ago

Fix available

Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Affected Packages

Ubuntu:22.04:LTSdotnet6

Affected versions:

6.0.108-0ubuntu1~22.04.16.0.109-0ubuntu1~22.04.16.0.110-0ubuntu1~22.04.16.0.111-0ubuntu1~22.04.16.0.113-0ubuntu1~22.04.16.0.116-0ubuntu1~22.04.16.0.118-0ubuntu1~22.04.16.0.119-0ubuntu1~22.04.16.0.120-0ubuntu1~22.04.16.0.121-0ubuntu1~22.04.1+1 more

Fixed in:

6.0.123-0ubuntu1~22.04.1

Ubuntu:22.04:LTSdotnet7

Affected versions:

7.0.105-0ubuntu1~22.04.17.0.107-0ubuntu1~22.04.17.0.108-0ubuntu1~22.04.17.0.109-0ubuntu1~22.04.17.0.110-0ubuntu1~22.04.17.0.111-0ubuntu1~22.04.1

Fixed in:

7.0.112-0ubuntu1~22.04.1

Ubuntu:24.04:LTSdotnet8

Affected versions:

8.0.100-8.0.0~rc1-0ubuntu18.0.100-8.0.0~rc2-0ubuntu18.0.100-8.0.0~rc2-0ubuntu2

Fixed in:

8.0.100-8.0.0-0ubuntu1

Ubuntu:22.04:LTSdotnet8

Fixed in:

8.0.102-8.0.2-0ubuntu1~22.04.1

Ubuntu:22.04:LTSh2o

Affected versions:

2.2.5+dfsg2-62.2.5+dfsg2-6.12.2.5+dfsg2-6.1ubuntu1

Fixed in:

2.2.5+dfsg2-6.1ubuntu2

Ubuntu:Pro:18.04:LTSh2o

Affected versions:

2.2.3+dfsg-22.2.4+dfsg-12.2.4+dfsg-1build1

Fixed in:

2.2.4+dfsg-1ubuntu0.1~esm2

Ubuntu:24.10h2o

Fixed in:

2.2.5+dfsg2-8.1ubuntu3

Ubuntu:25.04h2o

Affected versions:

2.2.5+dfsg2-11~build2.2.5+dfsg2-8.1ubuntu3

Fixed in:

2.2.5+dfsg2-11

Ubuntu:20.04:LTSh2o

Affected versions:

2.2.5+dfsg2-3

Fixed in:

2.2.5+dfsg2-3build1

Ubuntu:24.04:LTSh2o

Affected versions:

2.2.5+dfsg2-72.2.5+dfsg2-82.2.5+dfsg2-8.1ubuntu12.2.5+dfsg2-8.1ubuntu2

Fixed in:

2.2.5+dfsg2-8.1ubuntu3

Ubuntu:20.04:LTShaproxy

Affected versions:

2.0.10-12.0.10-1ubuntu12.0.11-1ubuntu12.0.12-1ubuntu22.0.13-1ubuntu22.0.13-22.0.13-2ubuntu0.12.0.13-2ubuntu0.22.0.13-2ubuntu0.32.0.13-2ubuntu0.5+7 more

Fixed in:

2.0.31-0ubuntu0.2

Ubuntu:24.04:LTShaproxy

Fixed in:

2.6.15-1ubuntu2

Ubuntu:22.04:LTShaproxy

Affected versions:

2.2.9-2ubuntu22.4.11-1ubuntu12.4.12-1ubuntu12.4.12-1ubuntu22.4.13-1ubuntu12.4.14-1ubuntu12.4.18-0ubuntu12.4.18-0ubuntu1.12.4.18-0ubuntu1.22.4.18-0ubuntu1.3+3 more

Fixed in:

2.4.22-0ubuntu0.22.04.2

Ubuntu:18.04:LTShaproxy

Affected versions:

1.7.9-1ubuntu11.7.9-1ubuntu21.8.4-11.8.7-11.8.8-11.8.8-1ubuntu0.11.8.8-1ubuntu0.101.8.8-1ubuntu0.111.8.8-1ubuntu0.131.8.8-1ubuntu0.13+esm2+7 more

Ubuntu:Pro:18.04:LTShaproxy

Affected versions:

1.7.9-1ubuntu11.7.9-1ubuntu21.8.4-11.8.7-11.8.8-11.8.8-1ubuntu0.11.8.8-1ubuntu0.101.8.8-1ubuntu0.111.8.8-1ubuntu0.131.8.8-1ubuntu0.13+esm2+7 more

Fixed in:

1.8.8-1ubuntu0.13+esm3

Ubuntu:24.04:LTSnetty

Affected versions:

1:4.1.48-7

Fixed in:

1:4.1.48-8

Ubuntu:22.04:LTSnetty

Affected versions:

1:4.1.48-41:4.1.48-4+deb11u1build0.22.04.1

Fixed in:

1:4.1.48-4+deb11u2build0.22.04.1

Ubuntu:16.04:LTSnghttp2

Affected versions:

0.6.7-11.3.4-21.4.0-11.4.0-21.5.0-21.6.0-11.7.0-11.7.1-11.7.1-1ubuntu0.1~esm1

Ubuntu:24.04:LTSnghttp2

Affected versions:

1.55.1-11.57.0-1

Fixed in:

1.58.0-1

Ubuntu:22.04:LTSnghttp2

Affected versions:

1.43.0-11.43.0-1build11.43.0-1build21.43.0-1build3

Fixed in:

1.43.0-1ubuntu0.1

Ubuntu:Pro:16.04:LTSnghttp2

Affected versions:

0.6.7-11.3.4-21.4.0-11.4.0-21.5.0-21.6.0-11.7.0-11.7.1-11.7.1-1ubuntu0.1~esm1

Fixed in:

1.7.1-1ubuntu0.1~esm2

Ubuntu:20.04:LTSnghttp2

Affected versions:

1.39.2-11.40.0-11.40.0-1build11.40.0-1ubuntu0.1

Fixed in:

1.40.0-1ubuntu0.2

Ubuntu:Pro:18.04:LTSnghttp2

Affected versions:

1.25.0-11.27.0-11.28.0-11.29.0-11.29.0-1build11.30.0-11.30.0-1ubuntu11.30.0-1ubuntu1+esm1

Fixed in:

1.30.0-1ubuntu1+esm2

Ubuntu:22.04:LTSnodejs

Affected versions:

12.22.5~dfsg-5ubuntu112.22.7~dfsg-2ubuntu112.22.7~dfsg-2ubuntu312.22.9~dfsg-1ubuntu212.22.9~dfsg-1ubuntu312.22.9~dfsg-1ubuntu3.112.22.9~dfsg-1ubuntu3.212.22.9~dfsg-1ubuntu3.312.22.9~dfsg-1ubuntu3.412.22.9~dfsg-1ubuntu3.5+1 more

Ubuntu:Pro:20.04:LTSnodejs

Affected versions:

10.15.2~dfsg-2ubuntu110.17.0~dfsg-2ubuntu410.17.0~dfsg-2ubuntu610.19.0~dfsg-3ubuntu110.19.0~dfsg-3ubuntu1.110.19.0~dfsg-3ubuntu1.210.19.0~dfsg-3ubuntu1.310.19.0~dfsg-3ubuntu1.510.19.0~dfsg-3ubuntu1.6

Fixed in:

10.19.0~dfsg-3ubuntu1.6+esm2

Ubuntu:Pro:22.04:LTSnodejs

Affected versions:

12.22.5~dfsg-5ubuntu112.22.7~dfsg-2ubuntu112.22.7~dfsg-2ubuntu312.22.9~dfsg-1ubuntu212.22.9~dfsg-1ubuntu312.22.9~dfsg-1ubuntu3.112.22.9~dfsg-1ubuntu3.212.22.9~dfsg-1ubuntu3.312.22.9~dfsg-1ubuntu3.412.22.9~dfsg-1ubuntu3.5+1 more

Fixed in:

12.22.9~dfsg-1ubuntu3.6+esm2

Ubuntu:24.10nodejs

Affected versions:

18.19.1+dfsg-6ubuntu518.20.1+dfsg-4ubuntu420.13.1+dfsg-2ubuntu620.14.0+dfsg-1ubuntu120.14.0+dfsg-2ubuntu120.14.0+dfsg-3ubuntu120.15.0+dfsg-1ubuntu3

Fixed in:

20.16.0+dfsg-1ubuntu1

Ubuntu:25.04nodejs

Affected versions:

20.16.0+dfsg-1ubuntu120.17.0+dfsg-2ubuntu120.18.0+dfsg-220.18.1+dfsg-1ubuntu1

Fixed in:

20.18.1+dfsg-1ubuntu2

Ubuntu:24.04:LTSnodejs

Affected versions:

18.13.0+dfsg1-1ubuntu218.19.1+dfsg-2ubuntu418.19.1+dfsg-6ubuntu118.19.1+dfsg-6ubuntu2

Fixed in:

18.19.1+dfsg-6ubuntu5

Ubuntu:Pro:18.04:LTSnodejs

Affected versions:

6.11.4~dfsg-1ubuntu16.11.4~dfsg-1ubuntu26.12.0~dfsg-1ubuntu16.12.0~dfsg-2ubuntu16.12.0~dfsg-2ubuntu28.10.0~dfsg-28.10.0~dfsg-2ubuntu0.28.10.0~dfsg-2ubuntu0.38.10.0~dfsg-2ubuntu0.48.10.0~dfsg-2ubuntu0.4+esm1+4 more

Fixed in:

8.10.0~dfsg-2ubuntu0.4+esm6

Ubuntu:24.10tomcat10

Affected versions:

10.1.16-1

Fixed in:

10.1.23-1

Ubuntu:Pro:18.04:LTStomcat8

Affected versions:

8.5.21-1ubuntu18.5.29-18.5.30-18.5.30-1ubuntu18.5.30-1ubuntu1.28.5.30-1ubuntu1.38.5.30-1ubuntu1.48.5.39-1ubuntu1~18.04.18.5.39-1ubuntu1~18.04.28.5.39-1ubuntu1~18.04.3+3 more

Fixed in:

8.5.39-1ubuntu1~18.04.3+esm4

Ubuntu:22.04:LTStomcat9

Affected versions:

9.0.43-39.0.54-19.0.55-19.0.58-19.0.58-1ubuntu0.1

Fixed in:

9.0.58-1ubuntu0.2

Ubuntu:25.04tomcat9

Fixed in:

9.0.70-2ubuntu1.1

Ubuntu:20.04:LTStomcat9

Affected versions:

9.0.24-19.0.27-19.0.31-19.0.31-1ubuntu0.19.0.31-1ubuntu0.29.0.31-1ubuntu0.39.0.31-1ubuntu0.49.0.31-1ubuntu0.59.0.31-1ubuntu0.69.0.31-1ubuntu0.7+1 more

Fixed in:

9.0.31-1ubuntu0.9

Ubuntu:24.10tomcat9

Affected versions:

9.0.70-2

Fixed in:

9.0.70-2ubuntu1.1

Ubuntu:Pro:18.04:LTStomcat9

Affected versions:

9.0.16-3ubuntu0.18.04.19.0.16-3ubuntu0.18.04.29.0.16-3ubuntu0.18.04.2+esm19.0.16-3ubuntu0.18.04.2+esm29.0.16-3ubuntu0.18.04.2+esm39.0.16-3ubuntu0.18.04.2+esm49.0.16-3~18.04.1

Fixed in:

9.0.16-3ubuntu0.18.04.2+esm5

Ubuntu:Pro:20.04:LTStrafficserver

Affected versions:

8.0.5+ds-18.0.5+ds-28.0.5+ds-2build18.0.5+ds-2ubuntu18.0.5+ds-3

Fixed in:

8.0.5+ds-3ubuntu0.1~esm1

Ubuntu:24.04:LTStrafficserver

Affected versions:

9.2.1+ds-1build19.2.2+ds-19.2.3+ds-19.2.3+ds-1+deb12u19.2.3+ds-1+deb12u1build19.2.3+ds-1+deb12u1build3

Fixed in:

9.2.3+ds-1+deb12u1build4

Ubuntu:Pro:22.04:LTStrafficserver

Affected versions:

8.1.1+ds-1.19.1.1+ds-2build1

Fixed in:

9.1.1+ds-2ubuntu0.1~esm1

Ubuntu:25.04trafficserver

Affected versions:

9.2.4+ds-29.2.5+ds-1

Fixed in:

9.2.5+ds-1ubuntu1

Ubuntu:22.04:LTStrafficserver

Affected versions:

8.1.1+ds-1.19.1.1+ds-2build1

Ubuntu:24.10trafficserver

Affected versions:

9.2.3+ds-1+deb12u1build4

Fixed in:

9.2.4+ds-2

References

REPORThttps://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/REPORThttps://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/REPORThttps://devblogs.microsoft.com/dotnet/october-2023-updates/REPORThttps://github.com/nghttp2/nghttp2/releases/tag/v1.57.0 REPORThttps://groups.google.com/g/golang-announce/c/iNNxDTCjZvo REPORThttps://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q REPORThttps://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html REPORThttps://my.f5.com/manage/s/article/K000137106 REPORThttps://nodejs.org/en/blog/vulnerability/october-2023-security-releases REPORThttps://tomcat.apache.org/security-8.html REPORThttps://ubuntu.com/security/CVE-2023-44487 REPORThttps://ubuntu.com/security/notices/USN-6427-1 REPORThttps://ubuntu.com/security/notices/USN-6427-2 REPORThttps://ubuntu.com/security/notices/USN-6438-1 REPORThttps://ubuntu.com/security/notices/USN-6505-1 REPORThttps://ubuntu.com/security/notices/USN-6574-1 REPORThttps://ubuntu.com/security/notices/USN-6754-1 REPORThttps://ubuntu.com/security/notices/USN-6994-1 REPORThttps://ubuntu.com/security/notices/USN-7067-1 REPORThttps://ubuntu.com/security/notices/USN-7410-1 REPORThttps://ubuntu.com/security/notices/USN-7469-1 REPORThttps://ubuntu.com/security/notices/USN-7469-2 REPORThttps://ubuntu.com/security/notices/USN-7469-3 REPORThttps://ubuntu.com/security/notices/USN-7469-4 REPORThttps://www.cisa.gov/known-exploited-vulnerabilities-catalog REPORThttps://www.cve.org/CVERecord?id=CVE-2023-44487 REPORThttps://www.mail-archive.com/haproxy@formilux.org/msg44134.html REPORThttps://www.mail-archive.com/haproxy@formilux.org/msg44134.html REPORThttps://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

CVSS Analysis

CVSS v3.1

7.5

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

Scope

UnchangedS:U

Impact

Confidentiality

NoneC:N

Integrity

NoneI:N

Availability

HighA:H

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Related

CVE-2023-44487 USN-6427-1 USN-6427-2 USN-6438-1 USN-6505-1 USN-6574-1 USN-6754-1 USN-6994-1 USN-7067-1 USN-7410-1 USN-7469-1 USN-7469-2 USN-7469-3 USN-7469-4

Ecosystems

Ubuntu 22.04 LTS Ubuntu 24.04 LTS Ubuntu Pro 18.04 LTS Ubuntu 24.10 Ubuntu 25.04 Ubuntu 20.04 LTS Ubuntu 18.04 LTS Ubuntu 16.04 LTS Ubuntu Pro 16.04 LTS Ubuntu Pro 20.04 LTS Ubuntu Pro 22.04 LTS

Timeline

PublishedOct 10, 2023

ModifiedJun 3, 2025