Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol
No violationsstackroxhighbuilddeployAlert on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers.
- Rationale
- This is a flaw in the handling of multiplexed streams in http/2. A client can rapidly create a request and immediately reset them, which creates extra work for the server while avoiding hitting any server-side limits, resulting in a denial of service attack.
- Remediation
- Upgrade vulnerable components or images to the latest version.
CategoriesVulnerability Management
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.4(c)
- ISO/IEC 27001 2022
- A.8.8
- NIST SP 800-53 rev. 5
- RA-5
- PCI DSS 4.0
- 6.3.1
- SOC 2 2017 TSC
- CC7.1
Generated artifacts
1 of 5 targets supportedrapid-reset-denial-of-service-vulnerability-in-http-2-protocol.rego
# Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol (trivy)
# severity: high
# source: stackrox/db79755e-6e03-40f5-b914-b0bee9e1c20b
package trivy.rapid_reset_denial_of_service_vulnerability_in_http_2_protocol
deny[msg] {
# rule 1
some v
v := input.Vulnerabilities[_]
v.VulnerabilityID == {"CVE-2023-44487", "CVE-2023-39325"}[_]
some v
v := input.Vulnerabilities[_]
v.Severity == {">=IMPORTANT"}[_]
msg := "[high] Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol: Alert on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers."
}
IR (canonical)
{
"id": "db79755e-6e03-40f5-b914-b0bee9e1c20b",
"name": "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol",
"description": "Alert on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers.",
"rationale": "This is a flaw in the handling of multiplexed streams in http/2. A client can rapidly create a request and immediately reset them, which creates extra work for the server while avoiding hitting any server-side limits, resulting in a denial of service attack.",
"remediation": "Upgrade vulnerable components or images to the latest version.",
"severity": "high",
"categories": [
"Vulnerability Management"
],
"lifecycle": [
"build",
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "and",
"children": [
{
"op": "criterion",
"field": "cve",
"values": [
"CVE-2023-44487",
"CVE-2023-39325"
],
"valuesOp": "or",
"negate": false
},
{
"op": "criterion",
"field": "severity",
"values": [
">=IMPORTANT"
],
"valuesOp": "or",
"negate": false
}
]
},
"disabled": true
}Original StackRox JSON
{
"id": "db79755e-6e03-40f5-b914-b0bee9e1c20b",
"name": "Rapid Reset: Denial of Service Vulnerability in HTTP/2 Protocol",
"description": "Alert on deployments with images containing components that are susceptible to a Denial of Service (DoS) vulnerability for HTTP/2 servers.",
"rationale": "This is a flaw in the handling of multiplexed streams in http/2. A client can rapidly create a request and immediately reset them, which creates extra work for the server while avoiding hitting any server-side limits, resulting in a denial of service attack.",
"remediation": "Upgrade vulnerable components or images to the latest version.",
"disabled": true,
"categories": [
"Vulnerability Management"
],
"lifecycleStages": [
"BUILD",
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "HIGH_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "CVE",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "CVE-2023-44487"
},
{
"value": "CVE-2023-39325"
}
]
},
{
"fieldName": "Severity",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": ">=IMPORTANT"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}