Our DependencyCheck reported the vulnerability CVE-2023-44487 for some of our components. Obviously, a lot of HTTP/2-related components are affected.
Also, Microsoft describes in "MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack" some instructions on how to proceed for some of their components. AFAIU these instructions target web servers, like Kestrel (and IIS?).
But it's not clear to me, whether a .NET FW self-hosted WebApi is also vulnerable and needs some reaction. At least the described workarounds didn't deactivate the HTTP/2 support. On the other side, maybe it's fine to apply the OS patches only to be safe.
All together I'm lost so far. These are my questions summarized:
- Does the vulnerability affect .NET FW self-hosted WebApi?
- If yes:
  - Does the OS patching mitigate this issue?
  - Any configuration options possible to deactivate HTTP/2 in our scenario?
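One concrete check for the scenario described in the question, added here as an example and not taken from the issue or from Microsoft's advisory: Web API self-host (Microsoft.Owin.Host.HttpListener / the classic SelfHost package) sits on System.Net.HttpListener, which is served by the http.sys kernel driver, so whether HTTP/2 is negotiated at all is decided by http.sys and the OS patch level, not by application code. The script below reads the two documented http.sys registry values that govern HTTP/2 (EnableHttp2Tls for TLS listeners, EnableHttp2Cleartext for plain HTTP), probes the endpoint with curl.exe to see which protocol version is actually negotiated, and, when run with -Disable, sets both values to 0. The URL, port, and the -k flag are assumptions for a local test host with a self-signed certificate; adjust them for a real deployment.

```powershell
# Added example (not code from the original issue or from Microsoft):
# audit, probe and optionally disable HTTP/2 in http.sys for a
# HttpListener-based self-hosted Web API. Run from an elevated prompt.
param(
    # Assumed local test endpoint; replace with the real self-host URL.
    [string]$ProbeUrl = "https://localhost:9443/api/values",
    [switch]$Disable
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"
$names   = @("EnableHttp2Tls", "EnableHttp2Cleartext")

function Get-Http2State {
    # Absent values mean http.sys uses its default (HTTP/2 on, Windows 10 /
    # Server 2016 and later); an explicit 0 turns the protocol off.
    foreach ($n in $names) {
        $v = (Get-ItemProperty -Path $keyPath -Name $n -ErrorAction SilentlyContinue).$n
        if ($null -eq $v)   { $state = "not set (HTTP/2 enabled by default)" }
        elseif ($v -eq 0)   { $state = "0 (HTTP/2 disabled)" }
        else                { $state = "$v (HTTP/2 enabled)" }
        [pscustomobject]@{ Value = $n; State = $state }
    }
}

function Test-Http2Negotiation([string]$Url) {
    # Use curl.exe explicitly: in Windows PowerShell 'curl' is an alias for
    # Invoke-WebRequest, which does not report the negotiated HTTP version.
    # --http2 offers h2 via ALPN; %{http_version} prints "2" or "1.1".
    # -k accepts the self-signed certificate of a dev self-host; drop it in production.
    $version = & curl.exe -sS -k --http2 -o NUL -w "%{http_version}" $Url 2>$null
    return $version
}

"http.sys HTTP/2 registry settings:"
Get-Http2State | Format-Table -AutoSize

$negotiated = Test-Http2Negotiation $ProbeUrl
"Negotiated protocol for ${ProbeUrl}: HTTP/$negotiated"

if ($Disable) {
    foreach ($n in $names) {
        New-ItemProperty -Path $keyPath -Name $n -PropertyType DWord -Value 0 -Force | Out-Null
    }
    "HTTP/2 disabled in http.sys. Restart the HTTP service (or reboot) for the change to take effect, then re-run the probe."
}
```

If the probe reports HTTP/1.1 before any change, http.sys is not offering HTTP/2 to that listener and the registry switch changes nothing for it; if it reports 2, the endpoint is exposed to whatever the host's http.sys build does with RST_STREAM floods, and the OS patch level plus these two values are the only levers available, since HttpListener exposes no per-application protocol setting.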