[YA-21] Find and fix the HTTP/2 rapid reset zero-day vulnerability CVE-2023-44487

admin, 2024-02-17 00:10:22

Researchers and vendors have conducted an investigation into volumetric DDoS attacks in the wild between August – October 2023 that has resulted in the discovery of a novel “rapid reset” technique that leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.

Disclosed today, the HTTP/2 rapid reset vulnerability is being tracked as CVE-2023-44487 and has been designated a High severity vulnerability with a CVSS score of 7.5 (out of 10).

The vulnerability is believed to impact every web server implementing HTTP/2 and carries the potential for extremely large volumetric DDoS attacks if exploited. If you are impacted by this CVE in an application or operating system package AND that package is present in an application deployed with internet access, please consider:

  • Checking with your infrastructure and/or CDN provider (e.g. Cloudflare, Google Cloud, AWS, Akamai) to ensure you're mitigated from this vulnerability.

  • Upgrading the package if a remediation is available. For some packages, remediated versions have already been published.

Snyk is not impacted by this vulnerability

All externally accessible Snyk services are protected, being hosted either behind Akamai or cloud load balancers which have previously been mitigated.

Mitigation via infrastructure provider

It is first recommended that organizations apply configuration changes and mitigations through infrastructure providers and CDNs where necessary to reduce the exposure to this novel DDoS technique.

  • Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack

  • Google: How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack

  • AWS: CVE-2023-44487 - HTTP/2 Rapid Reset Attack

  • NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products

  • Azure: Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Though exposure from this vulnerability can be successfully mitigated via infrastructure providers or cloud load balancers, it is important not to stop there and to take remediation steps at the source by upgrading all packages that may be impacted by this CVE.

Upgrading packages to remediated versions

Next, organizations should check if any of their container images or open source ecosystems are impacted and apply updates if available. You can find all the advisories for this specific CVE in the Snyk Vulnerability Database by selecting your package manager(s) or container distro(s).

Detecting the HTTP/2 vulnerabilities with Snyk

To see if your projects or applications are affected, you can filter by "CVE-2023-44487" in the Issue Detail report to find the projects that contain a package with the vulnerability.

Testing your projects using the Snyk CLI

There are various ways to detect and remediate the HTTP/2 vulnerability — for free — using Snyk. Using the Snyk CLI, you can test your projects locally.

Testing projects that use package managers

For applications, run snyk test from the Snyk CLI to scan the dependencies in your repository and detect individual packages and their vulnerabilities. You can test all projects at once using snyk test --all-projects, specify the package manager via the --package-manager= flag, and point at a non-standard requirements file via the --file= flag.
Currently, supported arguments for the --package-manager= flag include cocoapods, composer, golangdep, maven, npm, pip, and more (refer to the CLI for more options).

Testing with the CLI for C++ projects

For applications, run snyk test --unmanaged from the Snyk CLI to compare unmanaged dependencies in your repository to detect individual packages and their vulnerabilities.

Testing with the CLI for container images

For containers, run snyk container test to detect operating system packages that depend on vulnerable versions of HTTP/2. For best results, include both the image name and the path to the Dockerfile that created the image, for example:
snyk container test debian:10 --file=Dockerfile

Testing your projects using a Git/SCM integration

Importing your project into Snyk using our supported SCM integrations (GitHub, Bitbucket, GitLab, Azure Repos) will automatically trigger a test, which will enable you to use the Snyk UI to identify, prioritize, and fix the HTTP/2 vulnerabilities in your projects when a fix is available.

Fixing the HTTP/2 vulnerabilities

Once you've identified vulnerable packages and containers in your environment, you can remediate with Snyk. The methods are similar, but you've got a couple of options.

For open source components

  • Automatic fix: Connect Snyk to your Git repositories so it can raise pull requests to update your dependency graph where possible, then rebuild your application.
  • Manual fix (option 1): If you have a direct dependency on a component that is impacted by the HTTP/2 vuln, you can upgrade your dependency file to specify the corresponding fix version, then rebuild your application.
  • Manual fix (option 2): If your application uses a component impacted by the HTTP/2 vuln as an indirect or transitive dependency, identify a version of your direct dependency that pulls in an updated version of the impacted dependency, then rebuild your application. Alternatively, if overrides are supported by your package manager, you could treat the dependency as direct and include a fixed version in your requirements file.
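As an added example (not code from the Snyk post or the Snyk CLI), the script below filters the JSON that snyk test --json produces for CVE-2023-44487 and, for each hit, reports whether the vulnerable package is a direct or transitive dependency, which direct dependency to bump, and the fixed versions, which is the manual-fix decision described above. The embedded report is constructed, the package names and versions are placeholders, and the field names used (vulnerabilities, identifiers.CVE, fixedIn, from) are assumed to follow the layout of Snyk's JSON output.

```python
import json
# Constructed sample of `snyk test --json` output (not real scan data). Only the
# fields this script reads are present; package names and versions are placeholders.
SAMPLE_SNYK_JSON = """
{
  "ok": false,
  "vulnerabilities": [
    {
      "packageName": "example-http2-lib", "version": "1.2.0",
      "identifiers": {"CVE": ["CVE-2023-44487"]},
      "fixedIn": ["1.2.1"],
      "from": ["my-app@1.0.0", "example-web-framework@3.4.0", "example-http2-lib@1.2.0"]
    },
    {
      "packageName": "other-lib", "version": "0.9.0",
      "identifiers": {"CVE": ["CVE-0000-00000"]},
      "fixedIn": [],
      "from": ["my-app@1.0.0", "other-lib@0.9.0"]
    }
  ]
}
"""

TARGET_CVE = "CVE-2023-44487"

def find_cve(report, cve=TARGET_CVE):
    """Return the vulnerability entries whose identifiers list the given CVE."""
    return [v for v in report.get("vulnerabilities", [])
            if cve in v.get("identifiers", {}).get("CVE", [])]

def remediation(vuln):
    """Classify a hit as direct or transitive and say what to upgrade. `from` is the
    dependency path: from[0] the project, from[1] the direct dependency, last the hit."""
    path = vuln.get("from", [])
    return {
        "package": f'{vuln["packageName"]}@{vuln["version"]}',
        "transitive": len(path) > 2,
        "direct_dependency": path[1] if len(path) > 1 else None,
        "fixed_in": vuln.get("fixedIn", []),
    }

def report_for(raw_json, cve=TARGET_CVE):
    """Parse raw `snyk test --json` output and summarise every hit for the CVE."""
    return [remediation(v) for v in find_cve(json.loads(raw_json), cve)]

if __name__ == "__main__":
    for r in report_for(SAMPLE_SNYK_JSON):
        how = f'transitive via {r["direct_dependency"]}' if r["transitive"] else "direct"
        print(f'{r["package"]}: {how}; fixed in {", ".join(r["fixed_in"]) or "no fix yet"}')
```

To run it against a real scan, save the CLI output with snyk test --json > report.json and pass the file contents to report_for.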

For container images

  • Automatic fix: Connect Snyk to your Git repositories so it can raise pull requests to update your Dockerfile base image where possible. Preview if the suggested base image upgrade still carries the vulnerability by using https://snyk.io/test/docker/<image_name> , then rebuild your container once you have identified an acceptable upgrade path.
  • Manual fix: If your image includes a vulnerable version of an impacted package and a base image upgrade is not available or desired, you can upgrade the package yourself using the remediation advice from Snyk Container.

If a fix is not yet available

If the option to upgrade a specific package or container is unavailable, this particular vulnerability can be mitigated upstream of the affected service, in the request path, as described above. For instance, if a certain service is affected by this vulnerability and is exposed to the internet via a cloud load balancer, it will not be impacted because all major cloud providers have already mitigated this risk at their level.

How to reprioritize this vulnerability using custom policies?

If you'd like to increase the priority of the HTTP/2 vuln to increase visibility, you can leverage Snyk's custom policies, which can be used to reprioritize these vulnerabilities. The CVE has currently been assigned a severity of High; if customers want to change that priority, they can create a policy that matches CVE-2023-44487 and changes the severity to Critical.
Alternatively, if they have mitigated the risk in other ways, they can change the severity to Low to accurately reflect in their reports.

Re-test after adding custom severity policies

After adding a custom severity policy, projects must be retested for the changed severities to repopulate.

Next steps in responding to the HTTP/2 vulnerabilities

  1. Apply configuration changes and mitigations through infrastructure providers and CDNs to reduce the exposure to this novel DDoS technique.
  2. Test your projects with Snyk using the methods outlined in this article. To get started, sign up for a free Snyk account, then import and scan all potentially impacted projects using the import wizard.
  3. When available, apply fixes by updating impacted libraries to fix versions, and build new container images with fixed base images.

Originally published on the WeChat public account Eonian Sharp: [YA-21] Find and fix the HTTP/2 rapid reset zero-day vulnerability CVE-2023-44487

Please keep this link when reposting (CN-SEC Chinese site; thanks to the original author): http://cn-sec.com/archives/2150429.html