Executive Summary
No Lucidworks products are vulnerable to CVE-2023-44487 ("Rapid Reset") in their default configurations.
Response Matrix
| Product | Version | Vulnerable to CVE-2023-44487? |
| --- | --- | --- |
| Fusion | 5.x | No (in default configuration) |
| Fusion | 4.x | No |
| Managed Fusion | All | No |
| App Studio | All | No (in default configuration) |
| Attivio | 5.x and 4.x | No |
About CVE-2023-44487 ("Rapid Reset")
CVE-2023-44487, hereafter "Rapid Reset", is a vulnerability in the HTTP/2 protocol. It was exploited starting in August 2023, and details were publicly disclosed on October 10, 2023. NIST rates it 7.5 (High) because it allows a DDoS attack to knock vulnerable systems offline, but exploiting it requires that the application both use HTTP/2 and be reachable without access controls from the wider Internet. Rapid Reset does not allow an attacker to steal data or make changes to a system, only to prevent it from serving clients.
Fusion 5.x
Fusion 5.x is not vulnerable to Rapid Reset in its default configuration. The only service exposed externally by default is api-gateway, which ships with HTTP/2 disabled. No other services are exposed directly or accept HTTP/2 connections from the outside. Our documentation recommends setting up Kubernetes ingress to control access to the api-gateway. As long as ingress or cloud perimeter resources are set up correctly, no service that uses HTTP/2 by default is reachable from the wider Internet, and it is not possible to perform a Rapid Reset attack on Fusion 5.x.
Note that it is possible to turn on HTTP/2 for the api-gateway, even though it is off by default. If you have done this, you will need to either turn HTTP/2 off (and use HTTP/1) or place something between the api-gateway and the wider Internet that filters traffic; otherwise the system will be vulnerable to Rapid Reset.
Fusion 4.x
Fusion 4.x is not vulnerable to Rapid Reset. No Fusion 4.x services exposed outside of the local intranet use HTTP/2.
Managed Fusion
Managed Fusion is not vulnerable to Rapid Reset. Managed Fusion uses GCP and Nginx for web services and is not vulnerable due to the protections that were implemented by Google and Nginx.
App Studio
App Studio is not vulnerable to Rapid Reset in its default configuration. Our documentation recommends using Apache Tomcat to host App Studio, which uses HTTP/1 by default.
Note that it is possible to turn on HTTP/2 for Tomcat, even though it is off by default. If you have done this, you will need to either turn HTTP/2 off (and use HTTP/1) or place something between Tomcat and the wider Internet that filters traffic; otherwise the system will be vulnerable to Rapid Reset.
Attivio
Attivio is not vulnerable to Rapid Reset. No component of Attivio uses HTTP/2.
Some configurations host the end-user UI, SUIT, using Apache Tomcat, which by default uses HTTP/1. Note that it is possible to turn on HTTP/2 for Tomcat, even though it is off by default. If you have done this, you will need to either turn HTTP/2 off (and use HTTP/1) or place something between Tomcat and the wider Internet that filters traffic; otherwise the system will be vulnerable to Rapid Reset.
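For the App Studio and Attivio (SUIT) deployments described above, the HTTP/2 switch lives in Tomcat's conf/server.xml. The following added example (not from Lucidworks documentation) shows a connector on which HTTP/2 has been turned on next to the corrected HTTP/1.1-only form; the port, keystore path and password are placeholders.

```xml
<!-- BEFORE: HTTPS connector with HTTP/2 turned on. The nested UpgradeProtocol
     element is what enables HTTP/2; with it present, an Internet-facing Tomcat
     accepts the HTTP/2 streams that a Rapid Reset flood relies on. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <!-- placeholder keystore values; use your own -->
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- AFTER: same connector with the UpgradeProtocol element removed, matching
     Tomcat's shipped default. The connector now negotiates HTTP/1.1 only,
     which is the configuration this advisory relies on. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="changeit"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

After restarting Tomcat, `curl -sI --http2 https://<host>:8443/` should report an `HTTP/1.1` status line rather than `HTTP/2`, confirming that HTTP/2 is no longer negotiated on the exposed port.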