Overview
About vulnerability
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Details
- Affected product:
- AlmaLinux 9.2 ESU , Alpine Linux 3.18 ELS , Alpine Linux 3.22 , Alpine Linux 3.23 , Amazon Linux 2 ELS , Apache ActiveMQ , Apache CXF , Apache Hadoop , Apache Hive , Apache Kafka , Apache Log4j , Apache Lucene , Apache Solr , Apache Spark , Apache Tapestry , Apache Tomcat , Azure/azure-event-hubs-go , Azure/azure-pipeline-go , Azure/azure-sdk-for-go/sdk/azcore , Azure/azure-sdk-for-go/sdk/azidentity , Azure/azure-sdk-for-go/sdk/internal , Azure/azure-storage-blob-go , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 6 ELS , CloudLinux 7 ELS , Debian 10 , Debian 10 ELS , Debian 11 , Debian 12 , Debian 13 , EL 10 , EL 7 , EL 8 , EL 9 , Eclipse Jetty , Grafana , Hibernate , Joker/hpp , Loki , MinIO , Netty , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , Spring , TuxCare 9.6 ESU , Ubuntu 16.04 , Ubuntu 16.04 ELS , Ubuntu 18.04 , Ubuntu 18.04 ELS , Ubuntu 20.04 , Ubuntu 20.04 ELS , Ubuntu 22.04 , Ubuntu 24.04 , Wildfly , WireGuard/wgctrl-go/wgctrl , accumulo , activemq , agepredictor , apache-el , apache-jsp , apache/arrow , apache/arrow/go/arrow , artemis , async-http-client , avro , aws-sdk-java , aws/aws-sdk-go , aws/aws-sdk-go-v2 , azure-sdk-for-java , bketelsen/crypt , bookkeeper-common-allocator , camel , cassandra-java-driver , census-instrumentation/opencensus-go , centrifugal/centrifuge , cloud.google.com/go , cloud.google.com/go/bigquery , cloud.google.com/go/firestore , cortexproject/cortex , couchbase-jvm-clients , cue.gerrithub/cue-lang/cue , cuelang.org/go , dgraph-io/badger , dhui/dktest , digitalocean/godo , druid , elastic/apm-agent-go/module/apmhttp , elastic/apm-agent-go/module/apmot , elasticsearch , ema/qdisc , etcd-io/etcd , etcd-io/etcd/server , flume-ng-sdk , getsentry/sentry-go , gin-gonic/gin , github.com/Azure/azure-event-hubs-go , github.com/Azure/azure-pipeline-go , github.com/Azure/azure-sdk-for-go/sdk/azcore , github.com/Azure/azure-sdk-for-go/sdk/azidentity , 
github.com/Azure/azure-sdk-for-go/sdk/internal , github.com/Azure/azure-storage-blob-go , github.com/Joker/hpp , github.com/Shopify/sarama , github.com/apache/arrow/go/arrow , github.com/aws/aws-sdk-go , github.com/aws/aws-sdk-go-v2 , github.com/bketelsen/crypt , github.com/centrifugal/centrifuge , github.com/cortexproject/cortex , github.com/deepmap/oapi-codegen , github.com/dgraph-io/badger , github.com/dhui/dktest , github.com/digitalocean/godo , github.com/ema/qdisc , github.com/getsentry/sentry-go , github.com/gin-gonic/gin , github.com/glinton/ping , github.com/go-kit/kit , github.com/go-openapi/analysis , github.com/go-openapi/jsonreference , github.com/go-openapi/loads , github.com/go-openapi/runtime , github.com/go-openapi/spec , github.com/go-openapi/validate , github.com/gogo/protobuf , github.com/golang-migrate/migrate , github.com/golang/mock , github.com/golang/protobuf , github.com/google/go-github , github.com/grafana/grafana-plugin-sdk-go , github.com/grpc-ecosystem/go-grpc-middleware , github.com/grpc-ecosystem/go-grpc-prometheus , github.com/grpc-ecosystem/grpc-gateway , github.com/hashicorp/consul , github.com/hashicorp/consul/api , github.com/hashicorp/go-discover , github.com/hashicorp/go-plugin , github.com/hashicorp/mdns , github.com/hashicorp/memberlist , github.com/hashicorp/serf , github.com/influxdata/flux , github.com/influxdata/influxdb , github.com/influxdata/influxdb-client-go , github.com/influxdata/telegraf , github.com/iris-contrib/jade , github.com/jaegertracing/jaeger , github.com/jcmturner/gokrb5 , github.com/jcmturner/rpc , github.com/jhump/protoreflect , github.com/jsimonetti/rtnetlink , github.com/kataras/iris , github.com/lightstep/lightstep-tracer-common/golang/gogo , github.com/lightstep/lightstep-tracer-go , github.com/mattn/go-ieproxy , github.com/mdlayher/genetlink , github.com/mdlayher/netlink , github.com/microcosm-cc/bluemonday , github.com/miekg/dns , github.com/onsi/ginkgo , github.com/onsi/gomega , 
github.com/opentracing-contrib/go-grpc , github.com/openzipkin-contrib/zipkin-go-opentracing , github.com/openzipkin/zipkin-go , github.com/prometheus/alertmanager , github.com/prometheus/client_golang , github.com/prometheus/common , github.com/prometheus/node_exporter , github.com/prometheus/prometheus , github.com/securego/gosec , github.com/soheilhy/cmux , github.com/spf13/cobra , github.com/spf13/viper , github.com/thanos-io/thanos , github.com/valyala/fasthttp , github.com/weaveworks/common , github.com/xanzy/go-gitlab , glinton/ping , go-kit/kit , go-openapi/analysis , go-openapi/jsonreference , go-openapi/loads , go-openapi/runtime , go-openapi/spec , go-openapi/validate , go.elastic.co/apm/module/apmhttp , go.elastic.co/apm/module/apmot , go.etcd.io/etcd , go.etcd.io/etcd/server , go.opencensus.io , go.opentelemetry.io/collector , gogo/protobuf , golang-migrate/migrate , golang.org/x/crypto , golang.org/x/mod , golang.org/x/net , golang.org/x/oauth2 , golang.org/x/tools , golang.zx2c4.com/wireguard , golang.zx2c4.com/wireguard/wgctrl , golang/appengine , golang/mock , golang/protobuf , google.golang.org/api , google.golang.org/appengine , google.golang.org/genproto , google.golang.org/grpc , google.golang.org/protobuf , googleapis/go-genproto , googleapis/google-api-go-client , googleapis/google-cloud-go , googleapis/google-cloud-go/bigquery , googleapis/google-cloud-go/firestore , googlesource/crypto , googlesource/mod , googlesource/net , googlesource/oauth2 , googlesource/protobuf , googlesource/tools , gopkg.in/macaron.v1 , gradle , grafana/grafana-plugin-sdk-go , grpc-api , grpc-context , grpc-core , grpc-ecosystem/go-grpc-middleware , grpc-ecosystem/go-grpc-prometheus , grpc-ecosystem/grpc-gateway , grpc-java , grpc-netty , grpc-protobuf , grpc-protobuf-lite , grpc/grpc-go , hashicorp/consul , hashicorp/consul/api , hashicorp/go-discover , hashicorp/go-plugin , hashicorp/mdns , hashicorp/memberlist , hashicorp/serf , hbase , htmlunit , http-client , 
infinispan , influxdata/flux , influxdata/influxdb , influxdata/influxdb-client-go , influxdata/telegraf , iris-contrib/jade , jaegertracing/jaeger , jasper-jsp , java-datastore , java-driver , java-storage , jcmturner/gokrb5 , jcmturner/rpc , jersey , jgit , jhump/protoreflect , jsimonetti/rtnetlink , k8s.io/api , k8s.io/apimachinery , k8s.io/client-go , k8s.io/kube-openapi , karaf , kataras/iris , kubernetes/api , kubernetes/apimachinery , kubernetes/client-go , kubernetes/kube-openapi , lettuce , lettuce-core , lightstep/lightstep-tracer-common/golang/gogo , lightstep/lightstep-tracer-go , littleproxy , logging-flume , mattn/go-ieproxy , mdlayher/genetlink , mdlayher/netlink , microcosm-cc/bluemonday , miekg/dns , neo4j-java-driver , neo4j-ogm , netty , olingo-odata4 , onsi/ginkgo , onsi/gomega , open-telemetry/opentelemetry-collector , opentracing-contrib/go-grpc , openzipkin-contrib/zipkin-go-opentracing , openzipkin/zipkin-go , prometheus/alertmanager , prometheus/client_golang , prometheus/common , prometheus/node_exporter , prometheus/prometheus , pulsar , rabbitmq-stream-java-client , rsocket-java , securego/gosec , soheilhy/cmux , sonatype-aether , spf13/cobra , spf13/viper , thanos-io/thanos , thrift , tika , valyala/fasthttp , weaveworks/common , wildfly , xanzy/go-gitlab , zookeeper , zx2c4/wireguard-go
- Affected packages:
- jetty.project @ 9.4.48.v20220622 (+15597 more)