Do you know your level of risk?
A recent security vulnerability has potential impact for systems employing HTTP/2: CVE-2023-44487, also known as HTTP/2 Rapid Reset Attack. If exploited, it can allow threat actors to launch denial of service (DoS) attacks on a number of systems employing HTTP/2.
Let’s take a look at the basics of CVE-2023-44487, the vulnerability’s potential real-world impact, and the measures companies running an affected product version can take to mitigate it as the story surrounding the threat unfolds.
CVE-2023-44487: IBM products potentially vulnerable
Any program that communicates in HTTP potentially can be in scope for CVE-2023-44487. For IBM customers who have enabled the vulnerable component, HTTP/2, the security flaw might be present in numerous products and associated IBM® software versions, including:
- IBM® WebSphere Application Server (WAS)
- IBM® Business Process Manager (BPM)
- IBM® Operational Decision Manager (ODM)
- IBM® API Connect
- IBM® Tivoli Provisioning Manager
- IBM® Cognos
As with any potential vulnerability, your company must carefully consider its response based on the unique circumstances of its technology estate if there is concern HTTP/2 Rapid Reset Attack might pose a threat.
Where’s the OEM help for CVE-2023-44487?
As with other DoS vulnerabilities, CVE-2023-44487 hinges on the attacker making large numbers of bad-faith requests to a webserver in order to waste its resources. This, in turn, creates slowdowns, outages, and other less predictable issues. In the past, DoS attacks have been launched as retribution for perceived corporate or political misbehavior, as a smokescreen to hide intrusion activity, or simply because threat actors saw that an exploitable flaw was present.
The vulnerability was publicly disclosed on October 10 of this year, and OEM response has been varied. While some large-scale B2B technology vendors have spoken directly about the flaw, offered temporary workarounds customers can apply themselves, and made at least indirect reference to pending official patch releases, others have yet to acknowledge it at all.
For software users whose billing or performance terms are sensitive to CPU usage, a DoS attack that burns CPU through HTTP/2, as this CVE does, could be especially troubling, depending on the terms of the arrangement and the specifics of the infrastructure. HTTP/2 multiplexing lets an attacker open many requests on a single connection at once and cancel each of them immediately with a single reset frame, leaving the server to pay for the setup work on every one.
As is often the case with DoS attacks, unauthenticated users can initiate the activity, which raises the odds of a high-usage attack that puts a large dent in the IT budget on top of the technical fallout. Billing arrangements that leave the buyer financially responsible in the event of an attack aren’t uncommon in B2B software, so there might be little recourse if a hefty invoice hits your inbox or an OEM audit follows.
Beyond that, it’s important to remember that the consequences of a DoS attack don’t always stop once you’ve found a way to deflect the waves of false requests. Lingering after-effects – think a DoS-inflated database table that goes unnoticed for months after the attack but continues to chew up CPU or storage – can contribute to performance and billing problems in insidious and hard-to-spot ways.
Fortunately, a patch isn’t always necessary to take HTTP/2 Rapid Reset Attack out of your estate. Whether your software is currently under a support agreement with an OEM or not, you can take steps to reduce or mitigate the impact of false stream requests that might otherwise create trouble within your webservers. A layered approach to software security is often best and is not OEM-dependent.
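As an added illustration of both the mechanism described above (a request opened and then cancelled with a reset frame) and the kind of non-patch mitigation this section refers to, the following example is not Origina’s or IBM’s code. It parses a constructed buffer of HTTP/2 frames using the RFC 9113 frame header layout, counts client streams that are opened by HEADERS and then cancelled with RST_STREAM before any further work, and flags a connection whose count exceeds a per-connection budget. The budget value (MAX_RAPID_RESETS) and the sample traffic are assumptions constructed for the example; production servers apply the same idea with a time window and close the offending connection.

```python
"""Parse a constructed HTTP/2 frame stream and flag a Rapid Reset pattern.

Added example for this post; it is not Origina's or IBM's code. The frame
layout follows RFC 9113 (9-byte header: 24-bit length, 8-bit type, 8-bit
flags, reserved bit + 31-bit stream id, then the payload). Only HEADERS
(0x1) and RST_STREAM (0x3) are interpreted; other frame types just mark
the stream as having done real work. MAX_RAPID_RESETS is an assumed
threshold, not a value taken from any vendor.
"""
import struct
from typing import Dict, Iterator, Tuple

DATA = 0x0
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8                 # RST_STREAM error code CANCEL
END_HEADERS = 0x4
END_STREAM_END_HEADERS = 0x5     # END_STREAM | END_HEADERS
MAX_RAPID_RESETS = 100           # assumed per-connection budget

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)
GET_ROOT = b"\x82\x84"               # HPACK indexed fields ':method GET', ':path /'


def build_frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Serialize one frame; used only to construct the sample traffic below."""
    length = struct.pack("!I", len(payload))[1:]        # low 24 bits of the length
    sid = struct.pack("!I", stream_id & 0x7FFFFFFF)     # reserved high bit kept clear
    return length + bytes([ftype, flags]) + sid + payload


def parse_frames(data: bytes) -> Iterator[Frame]:
    """Walk a buffer of back-to-back frames, stopping at a truncated tail."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                       # incomplete frame: do not misparse
        yield ftype, flags, stream_id, payload
        off += 9 + length


def analyze_connection(data: bytes, budget: int = MAX_RAPID_RESETS) -> Dict[str, object]:
    """Count streams opened by HEADERS and cancelled before doing any other work.

    A stream reset with CANCEL while it is still 'fresh' (only its opening
    HEADERS has been seen) is a rapid reset: the server did the setup work and
    got nothing for it. Frame order stands in for time, since a captured buffer
    has no clock; a live server would add a time window to the same count.
    """
    seen, fresh = set(), set()
    opened = reset = rapid = 0
    for ftype, _flags, sid, payload in parse_frames(data):
        if sid == 0:
            continue                                    # connection-level frames
        if ftype == HEADERS and sid not in seen:
            seen.add(sid)
            fresh.add(sid)
            opened += 1
        elif ftype == RST_STREAM and len(payload) == 4:
            reset += 1
            if sid in fresh and int.from_bytes(payload, "big") == ERR_CANCEL:
                rapid += 1
            fresh.discard(sid)
        else:
            fresh.discard(sid)                          # DATA etc.: the stream did real work
    return {"opened": opened, "reset": reset, "rapid_resets": rapid, "abusive": rapid > budget}


def rapid_reset_burst(n: int) -> bytes:
    """Constructed sample: n requests, each cancelled immediately after opening."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1                                 # client-initiated streams use odd ids
        out += build_frame(HEADERS, sid, GET_ROOT, END_STREAM_END_HEADERS)
        out += build_frame(RST_STREAM, sid, struct.pack("!I", ERR_CANCEL))
    return bytes(out)


def benign_traffic() -> bytes:
    """Constructed sample: three requests, one of them cancelled after sending a body."""
    out = bytearray()
    out += build_frame(HEADERS, 1, GET_ROOT, END_STREAM_END_HEADERS)
    out += build_frame(HEADERS, 3, GET_ROOT, END_HEADERS)
    out += build_frame(DATA, 3, b"partial body")        # stream 3 did real work before the cancel
    out += build_frame(RST_STREAM, 3, struct.pack("!I", ERR_CANCEL))
    out += build_frame(HEADERS, 5, GET_ROOT, END_STREAM_END_HEADERS)
    return bytes(out)


if __name__ == "__main__":
    print("burst :", analyze_connection(rapid_reset_burst(500)))
    print("benign:", analyze_connection(benign_traffic()))
```

The verdict is per connection, which is what makes this workable without a patch: a reverse proxy or WAF in front of the affected product can apply the same budget and drop the connection, so the origin server never sees the bulk of the cancelled streams.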
The contextual approach to CVE-2023-44487
With an emerging threat that NIST rates at CVSS 7.5, a qualified independent third-party software maintenance (TPSM) provider can prove to be a valuable partner. Reach out to Origina to find out more about the mitigating actions you can take and how to understand your level of risk from this latest vulnerability, including mitigating steps that deflect malicious requests without forcing software users to upgrade to a new version or wait for a patch to drop.