oss-sec mailing list archives

Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations


From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Fri, 13 Oct 2023 19:32:28 +0200

Jonathan Wright wrote in
 <CAKe4=-L2udnhRQ7EVOMihrExiYUVoor3E0+FbNxvZ8iB=pyQ1w () mail gmail com>:

[i re-sort a bit]

 |On Tue, Oct 10, 2023 at 2:23 PM Moritz Muehlenhoff <jmm () inutil org> wrote:
 |> On Tue, Oct 10, 2023 at 11:40:06AM -0700, Alan Coopersmith wrote:
 |>> Information I've found so far on open source implementations (most via
 |>> the current listings in the CVE) include:
 |>
 |> Apache Trafficserver is also affected:
 |> https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q

 |OpenLitespeed is not impacted:
 |https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/

It did not really surprise me that Glenn Strauss, the wonderful
developer of the lighttpd that i have been using for eight years, had
to go like this (i hope he does not mind that i quote #lighttpd here):

  ...
  01:45 < gps> [..]No, I did not have prior knowledge.
  ...
  02:20 < gps> Confirmed: while all web servers implementing
    HTTP/2 are exposed to the attack in CVE-2023-44487, the way each
    web server software processes HTTP/2 affects the size of the
    impact of the attack.  With lighttpd, the impact is largely
    limited to the CPU usage parsing the HTTP/2 HEADERS frame,
    including HPACK decoding.
  ...
  03:58 < gps> To be clear, the attack still causes lighttpd to
    use more resources, but the amplification of resource
    commitment is constrained in lighttpd due to the design
    choices made for lighttpd HTTP/2.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
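The point made in the quoted #lighttpd exchange, that every HTTP/2 server is exposed to CVE-2023-44487 but the amount of work an attacker can force per cancelled stream is an implementation choice, is easier to see with a small model of the attack. The following is an added example and is not code from lighttpd, OpenLiteSpeed, Apache Traffic Server or any other project named in this thread. It parses only the 9-byte HTTP/2 frame header, never decodes the HPACK payload, and keeps two counters per connection: the number of currently open streams (the quantity SETTINGS_MAX_CONCURRENT_STREAMS bounds, which the attack never exceeds because each stream is cancelled immediately) and the number of RST_STREAM frames in a sliding window (the quantity that the reset-rate limits shipped by several implementations bound). The class names, the `reset_limit` / `reset_window` parameters and the constructed traffic are assumptions for illustration, not any server's actual configuration.

```python
"""Toy model of HTTP/2 Rapid Reset (CVE-2023-44487).  Added example, not any
server's code.  Only the 9-byte frame header (RFC 9113 section 4.1) is parsed;
payloads are carried but not decoded."""
import struct
from collections import deque

HEADERS = 0x1          # frame type: opens a stream, carries HPACK-encoded headers
RST_STREAM = 0x3       # frame type: cancels a stream, 32-bit error code payload
FLAG_END_STREAM = 0x1
ERR_CANCEL = 0x8


def frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    length = struct.pack(">I", len(payload))[1:]
    sid = struct.pack(">I", stream_id & 0x7FFFFFFF)
    return length + bytes([ftype, flags]) + sid + payload


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length


class Http2Connection:
    """Per-connection bookkeeping (hypothetical names and limits)."""

    def __init__(self, max_concurrent=100, reset_limit=50, reset_window=1.0):
        self.max_concurrent = max_concurrent   # SETTINGS_MAX_CONCURRENT_STREAMS
        self.reset_limit = reset_limit         # max RST_STREAM per window before closing
        self.reset_window = reset_window       # seconds
        self.open_streams = set()
        self.peak_open = 0                     # highest concurrency ever reached
        self.headers_processed = 0             # each one cost HPACK decoding etc.
        self.reset_times = deque()
        self.closed_reason = None

    def feed(self, buf, now=0.0):
        """Process frames until the connection is closed; `now` is a caller-supplied clock."""
        for ftype, flags, sid, _payload in parse_frames(buf):
            if self.closed_reason:
                break
            self._handle(ftype, flags, sid, now)
        return self.closed_reason

    def _handle(self, ftype, flags, sid, now):
        if ftype == HEADERS:
            self.headers_processed += 1        # work is done before any limit applies
            if sid not in self.open_streams:
                if len(self.open_streams) >= self.max_concurrent:
                    self.closed_reason = "PROTOCOL_ERROR: too many concurrent streams"
                    return
                self.open_streams.add(sid)
                self.peak_open = max(self.peak_open, len(self.open_streams))
        elif ftype == RST_STREAM:
            self.open_streams.discard(sid)     # stream no longer counts as concurrent
            self.reset_times.append(now)
            while self.reset_times and now - self.reset_times[0] > self.reset_window:
                self.reset_times.popleft()
            if len(self.reset_times) > self.reset_limit:
                self.closed_reason = "ENHANCE_YOUR_CALM: reset rate exceeded"


def rapid_reset_bytes(n):
    """Constructed attacker traffic: n streams, each opened and cancelled at once."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1                        # client-initiated stream ids are odd
        # 0x82, 0x87, 0x84: HPACK static-table indices for :method GET, :scheme https, :path /
        out += frame(HEADERS, sid, b"\x82\x87\x84", FLAG_END_STREAM)
        out += frame(RST_STREAM, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


def legit_bytes(n):
    """Constructed well-behaved traffic: n requests, none cancelled."""
    return b"".join(frame(HEADERS, 2 * i + 1, b"\x82\x87\x84", FLAG_END_STREAM)
                    for i in range(n))


def run_scenario(buf, **limits):
    """Return (close reason or None, peak concurrent streams, HEADERS frames processed)."""
    conn = Http2Connection(**limits)
    reason = conn.feed(buf)
    return reason, conn.peak_open, conn.headers_processed


if __name__ == "__main__":
    print("no reset limit:", run_scenario(rapid_reset_bytes(1000), reset_limit=10**9))
    print("reset limit 50:", run_scenario(rapid_reset_bytes(1000)))
    print("legit traffic: ", run_scenario(legit_bytes(100)))
```

With the reset-rate check disabled, 1000 HEADERS frames are fully processed while peak concurrency never rises above one stream, so the concurrent-stream limit on its own never triggers; that gap is what the per-connection reset limit closes. What each HEADERS frame costs before the reset arrives is exactly the per-implementation factor the quoted #lighttpd remarks refer to.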


Current thread: