CVE-2023-44487

Updated on 10 Oct 2023

Severity

7.5 High severity

Details

CVSS score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Overview

About the vulnerability

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Details

Affected product:
AlmaLinux 9.2 ESU, Alpine Linux 3.18 ELS, Alpine Linux 3.22, Amazon Linux 2 ELS, Apache ActiveMQ, Apache Hadoop, Apache Hive, Apache Kafka, Apache Lucene, Apache Spark, Apache Tapestry, Apache Tomcat, CentOS 6 ELS, CentOS 7 ELS, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, CloudLinux 6 ELS, CloudLinux 7 ELS, Debian 10, Debian 10 ELS, Debian 11, Debian 12, Debian 13, EL 10, EL 7, EL 8, EL 9, Eclipse Jetty, Grafana, Hibernate, Loki, Netty, Oracle Linux 6 ELS, Oracle Linux 7 ELS, RHEL 7 ELS, Spring, TuxCare 9.6 ESU, Ubuntu 16.04 ELS, Ubuntu 18.04, Ubuntu 18.04 ELS, Ubuntu 20.04, Ubuntu 20.04 ELS, Ubuntu 22.04, Ubuntu 24.04, accumulo, activemq, agepredictor, apache-el, apache-jsp, artemis, async-http-client, avro, aws-sdk-java, azure-sdk-for-java, bookkeeper-common-allocator, cassandra-java-driver, cloud.google.com/go, cloud.google.com/go/bigquery, cloud.google.com/go/firestore, couchbase-jvm-clients, cuelang.org/go, cxf, druid, elasticsearch, flume-ng-sdk, github.com/Azure/azure-event-hubs-go, github.com/Azure/azure-pipeline-go, github.com/Azure/azure-sdk-for-go/sdk/azcore, github.com/Azure/azure-sdk-for-go/sdk/azidentity, github.com/Azure/azure-sdk-for-go/sdk/internal, github.com/Azure/azure-storage-blob-go, github.com/Joker/hpp, github.com/Shopify/sarama, github.com/apache/arrow/go/arrow, github.com/aws/aws-sdk-go, github.com/aws/aws-sdk-go-v2, github.com/bketelsen/crypt, github.com/centrifugal/centrifuge, github.com/cortexproject/cortex, github.com/deepmap/oapi-codegen, github.com/dgraph-io/badger, github.com/dhui/dktest, github.com/digitalocean/godo, github.com/ema/qdisc, github.com/getsentry/sentry-go, github.com/gin-gonic/gin, github.com/glinton/ping, github.com/go-kit/kit, github.com/go-openapi/analysis, github.com/go-openapi/jsonreference, github.com/go-openapi/loads, github.com/go-openapi/runtime, github.com/go-openapi/spec, github.com/go-openapi/validate, github.com/gogo/protobuf, github.com/golang-migrate/migrate, github.com/golang/mock, github.com/golang/protobuf, github.com/google/go-github, github.com/grafana/grafana-plugin-sdk-go, github.com/grpc-ecosystem/go-grpc-middleware, github.com/grpc-ecosystem/go-grpc-prometheus, github.com/grpc-ecosystem/grpc-gateway, github.com/hashicorp/consul, github.com/hashicorp/consul/api, github.com/hashicorp/go-discover, github.com/hashicorp/go-plugin, github.com/hashicorp/mdns, github.com/hashicorp/memberlist, github.com/hashicorp/serf, github.com/influxdata/flux, github.com/influxdata/influxdb, github.com/influxdata/influxdb-client-go, github.com/influxdata/telegraf, github.com/iris-contrib/jade, github.com/jaegertracing/jaeger, github.com/jcmturner/gokrb5, github.com/jcmturner/rpc, github.com/jhump/protoreflect, github.com/jsimonetti/rtnetlink, github.com/kataras/iris, github.com/lightstep/lightstep-tracer-common/golang/gogo, github.com/lightstep/lightstep-tracer-go, github.com/mattn/go-ieproxy, github.com/mdlayher/genetlink, github.com/mdlayher/netlink, github.com/microcosm-cc/bluemonday, github.com/miekg/dns, github.com/minio/minio-go, github.com/onsi/ginkgo, github.com/onsi/gomega, github.com/opentracing-contrib/go-grpc, github.com/openzipkin-contrib/zipkin-go-opentracing, github.com/openzipkin/zipkin-go, github.com/prometheus/alertmanager, github.com/prometheus/client_golang, github.com/prometheus/common, github.com/prometheus/node_exporter, github.com/prometheus/prometheus, github.com/securego/gosec, github.com/soheilhy/cmux, github.com/spf13/cobra, github.com/spf13/viper, github.com/thanos-io/thanos, github.com/valyala/fasthttp, github.com/weaveworks/common, github.com/xanzy/go-gitlab, go.elastic.co/apm/module/apmhttp, go.elastic.co/apm/module/apmot, go.etcd.io/etcd, go.etcd.io/etcd/server, go.opencensus.io, go.opentelemetry.io/collector, golang.org/x/crypto, golang.org/x/mod, golang.org/x/net, golang.org/x/oauth2, golang.org/x/tools, golang.zx2c4.com/wireguard, golang.zx2c4.com/wireguard/wgctrl, google.golang.org/api, google.golang.org/appengine, google.golang.org/genproto, google.golang.org/grpc, google.golang.org/protobuf, gopkg.in/macaron.v1, gradle, grpc-api, grpc-context, grpc-core, grpc-java, grpc-netty, grpc-protobuf, grpc-protobuf-lite, hbase, htmlunit, http-client, infinispan, jasper-jsp, java-datastore, java-driver, java-storage, jersey, jgit, k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/kube-openapi, karaf, lettuce, lettuce-core, littleproxy, logging-flume, logging-log4j2, lucene, neo4j-java-driver, neo4j-ogm, netty, pulsar, rsocket-java, solr, sonatype-aether, thrift, tika, wildfly, zookeeper
Affected packages:
netty-microbench @ 4.1.75.Final (+6706 more)

Fixes