Closed extremeshok closed 1 year ago
I am pretty sure caddy has no rate-limiting built in, so it's not affected by this.
This is a vulnerability in the HTTP/2 protocol that is being targeted by DDoS attacks. I don't see what this has to do with a rate-limiting feature. The only thing related to rate limiting seems to me to be the mitigation strategy.
The real question is at what layer this needs to be addressed. Do we need to wait for a fix in x/net/http2, or is this something that caddy needs to implement itself?
Response of nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
Apache's mitigation strategy: https://chaos.social/@icing/111210915918780532
Do we need to wait for a fix in x/net/http2
I think yes. I'm trying to keep an eye on Go's announcements to see what they'll say. The vuln and mitigation layer is below Caddy's scope.
FWIW, Go 1.21.3 is planned for release today, but mainly to fix an "unrelated" security vuln.
So far, there is no mention of CVE-2023-44487 in the Go repo on GitHub.
Do we need to wait for a fix in x/net/http2
Well, it seems that grpc-go has been working on a fix already; that might be worth taking a look at.
Go 1.21.3 will be out shortly, with a mitigation for Rapid Reset. An update to x/net/http2 will follow shortly after. More details will be in the release announcement.
Go 1.21.3 will be out shortly, with a mitigation for Rapid Reset. An update to x/net/http2 will follow shortly after. More details will be in the release announcement.
Glad to hear! Thank you
The fix for CVE-2023-44487 has been merged: https://github.com/golang/go/issues/63417
And Go 1.21.3 has been released: https://github.com/golang/go/releases/tag/go1.21.3 :tada:
The build server was updated a few minutes ago so running caddy upgrade will patch you. We'll issue a new release in a little while.
Thank you @neild for the attention and the quick fix!
Great work all, thank you
Great, thank you
We'll issue a new release in a little while.
I'm assuming 2.6.x versions and below will remain vulnerable, or will a rebuild happen against that line?
Yeah, we don't currently have the resources or bandwidth to support older versions. If it's absolutely necessary for you to stay behind for some particular reason, then consider a sponsorship to get prioritized support. Otherwise, we always recommend running the latest version of Caddy.
We'll cut a 2.7.5 release as soon as possible. @mholt is currently tied up with some very important personal things so it'll be as soon as he can sit down to tag the release etc.
Just in case it's helpful to anyone else, it looks like the docker image tag 2.7.4 has been rebuilt, but the 2.7.4-alpine hasn't - so we'll wait for the new release to be cut 😄
Building with Go 1.21.3 alone isn't enough; it also needs the dependency update from https://github.com/caddyserver/caddy/commit/88b4fbf2444481a68af3ce86843cf6e3bb84c136 for x/net.
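An added check for the point above (not code from this thread or from the Caddy project): it reads the output of go version -m for a caddy binary and reports whether both the Go toolchain and the golang.org/x/net dependency meet a minimum. The Go floor 1.21.3 comes from this thread; the x/net floor v0.17.0 is an assumption, and the two sample outputs are constructed.

```shell
#!/bin/sh
# Verify that a Caddy build carries both halves of the Rapid Reset fix: a patched
# Go toolchain AND the updated golang.org/x/net module. Input is the output of
# `go version -m /path/to/caddy` on stdin. MIN_XNET is an assumption, not from the thread.
MIN_GO=1.21.3
MIN_XNET=0.17.0

# ver_ge A B: succeeds when dotted version A is >= B (numeric compare per field).
ver_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)" = "$1" ]
}

# build_patched: prints a verdict and returns 0 only when both minimums are met.
build_patched() {
  out=$(cat)
  # First line looks like "caddy: go1.21.3"; keep only the numeric part.
  go_ver=$(printf '%s\n' "$out" | sed -n '1s/^[^:]*: go\([0-9][0-9.]*\).*/\1/p')
  # Module lines are tab-separated: <empty> dep <module path> <version> <hash>.
  xnet_ver=$(printf '%s\n' "$out" |
    awk -F'\t' '$2=="dep" && $3=="golang.org/x/net" {sub(/^v/,"",$4); print $4; exit}')
  if [ -z "$go_ver" ] || [ -z "$xnet_ver" ]; then
    echo "UNKNOWN: could not find Go version and golang.org/x/net in input"; return 1
  fi
  if ! ver_ge "$go_ver" "$MIN_GO"; then
    echo "VULNERABLE: built with go$go_ver (< go$MIN_GO)"; return 1
  fi
  if ! ver_ge "$xnet_ver" "$MIN_XNET"; then
    echo "VULNERABLE: golang.org/x/net v$xnet_ver (< v$MIN_XNET) despite go$go_ver"; return 1
  fi
  echo "PATCHED: go$go_ver with golang.org/x/net v$xnet_ver"
}

# Constructed sample outputs (not captured from real binaries): a rebuild on
# Go 1.21.3 that still pulled the old x/net, and one with the dependency bumped.
SAMPLE_STALE_XNET=$(printf 'caddy: go1.21.3\n\tpath\tgithub.com/caddyserver/caddy/v2/cmd/caddy\n\tdep\tgolang.org/x/net\tv0.15.0\th1:CONSTRUCTED\n')
SAMPLE_OK=$(printf 'caddy: go1.21.3\n\tpath\tgithub.com/caddyserver/caddy/v2/cmd/caddy\n\tdep\tgolang.org/x/net\tv0.17.0\th1:CONSTRUCTED\n')

# check_sample TEXT: run the verdict over one captured/constructed output.
check_sample() { printf '%s\n' "$1" | build_patched; }

check_sample "$SAMPLE_STALE_XNET"   # reports VULNERABLE (old x/net)
check_sample "$SAMPLE_OK"           # reports PATCHED
```

Against a real binary, run it as: go version -m /usr/bin/caddy | build_patched.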
Sorry, yeah, been dealing with hospital stuff lately. Will be trying to work on this today though.
Release is out: https://github.com/caddyserver/caddy/releases/tag/v2.7.5
Is caddy patched or vulnerable to the attack?
See: CVE-2023-44487
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/