Executive Summary
A major security vulnerability has been discovered in the HTTP/2 Protocol that can allow attackers to prevent websites from serving content. Rapid Reset does not allow an attacker to steal data or make changes to a system, only to prevent it from serving clients. No Lucidworks products are vulnerable to CVE-2023-44487 in their default configurations.
Response Matrix
| Product | Version | Vulnerable to CVE-2023-44487? |
| --- | --- | --- |
| Fusion | 5.x | No (in default configuration) |
| Fusion | 4.x | No |
| Managed Fusion | All | No |
| App Studio | All | No (in default configuration) |
| Attivio | 5.x and 4.x | No |
Technical summary
Per NIST, CVE-2023-44487, hereafter "Rapid Reset", is a vulnerability in the HTTP/2 protocol. "The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023." (https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
No mitigation required for Fusion 5.x in default configuration
Fusion 5.x is not vulnerable to Rapid Reset in its default configuration. The only service exposed externally by default is api-gateway, which ships with HTTP/2 disabled. No other services are exposed directly or accept HTTP/2 connections from the outside. Our documentation recommends setting up Kubernetes ingress to control access to the api-gateway. As long as ingress or cloud perimeter resources are set up correctly, no service that uses HTTP/2 by default is reachable from the wider Internet, and a Rapid Reset attack on Fusion 5.x is not possible.
Note that HTTP/2 can be turned on for the api-gateway even though it is off by default. If you have done this, either turn HTTP/2 off again (and use HTTP/1) or place a traffic-filtering layer between the api-gateway and the wider Internet; otherwise the system will be vulnerable to Rapid Reset.
No mitigation required for Fusion 4.x
Fusion 4.x is not vulnerable to Rapid Reset. No Fusion 4.x services exposed outside of the local intranet use HTTP/2.
No mitigation required for Managed Fusion
Managed Fusion is not vulnerable to Rapid Reset. It uses GCP and Nginx for web services and is covered by the protections that Google and Nginx implemented.
No mitigation required for App Studio in default configuration
App Studio is not vulnerable to Rapid Reset in its default configuration. Our documentation recommends using Apache Tomcat to host App Studio, which uses HTTP/1 by default.
Note that HTTP/2 can be turned on for Tomcat even though it is off by default. If you have done this, either turn HTTP/2 off again (and use HTTP/1) or place a traffic-filtering layer between Tomcat and the wider Internet; otherwise the system will be vulnerable to Rapid Reset.
No mitigation required for Attivio in default configuration
Attivio is not vulnerable to Rapid Reset. No component of Attivio uses HTTP/2.
Some configurations host the end-user UI, SUIT, on Apache Tomcat, which uses HTTP/1 by default. Note that HTTP/2 can be turned on for Tomcat even though it is off by default. If you have done this, either turn HTTP/2 off again (and use HTTP/1) or place a traffic-filtering layer between Tomcat and the wider Internet; otherwise the system will be vulnerable to Rapid Reset.
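For both the App Studio and the Attivio SUIT cases above, whether Tomcat will negotiate HTTP/2 comes down to a single element in server.xml. The excerpt below is an added illustration, not configuration from Lucidworks or from this advisory; the port, keystore path and thread count are placeholders, and only one of the two connectors would be present in a real file.

```xml
<!-- Tomcat server.xml excerpt (added example, not from the Lucidworks advisory).
     Port, keystore path and maxThreads are placeholder values. -->

<!-- Default: HTTP/1.1 only. With no UpgradeProtocol element a client cannot
     negotiate h2, so the Rapid Reset stream-cancellation pattern does not
     apply to this connector. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- HTTP/2 turned on: the UpgradeProtocol line is what enables it. If this
     line is present, the connector must not face the wider Internet directly
     unless a filtering layer (ingress, load balancer, WAF) sits in front of
     it. Removing the line returns the connector to HTTP/1.1 only. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

To confirm what a running deployment actually negotiates, `curl -s -o /dev/null --http2 -w '%{http_version}\n' https://host:8443/` prints `2` when HTTP/2 was negotiated and `1.1` when the server only offers HTTP/1.1.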