Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes #10679 - Review HTTP/2 rate control (CVE-2023-44487) #10680

Merged
merged 1 commit into from
Oct 9, 2023

Conversation

sbordet
Copy link
Contributor

@sbordet sbordet commented Oct 9, 2023

Addresses CVE-2023-44487 - (in case github/advisory-database#2869 isn't fixed, use top level link https://nvd.nist.gov/vuln/detail/CVE-2023-44487)

  • Bumped the rate control rate from 50 events/s to 128.
  • Added rate control for all CONTINUATION frames.
  • Added rate control for invalid PUSH_PROMISE frames.
  • Added rate control for RST_STREAM frames.
  • Added rate control for all SETTINGS frames.
  • Fixed growth of header block accumulation buffer.

* Bumped the rate control rate from 50 events/s to 128.
* Added rate control for all CONTINUATION frames.
* Added rate control for invalid PUSH_PROMISE frames.
* Added rate control for RST_STREAM frames.
* Added rate control for all SETTINGS frames.
* Fixed growth of header block accumulation buffer.

Signed-off-by: Simone Bordet <[email protected]>
@sbordet sbordet linked an issue Oct 9, 2023 that may be closed by this pull request
@sbordet sbordet requested a review from joakime October 9, 2023 11:00
@joakime joakime merged commit 2a512c2 into jetty-9.4.x Oct 9, 2023
@joakime joakime deleted the fix/jetty-9.4-10679-review-http2-rate-control branch October 9, 2023 12:13
@joakime joakime changed the title Fixes #10679 - Review HTTP/2 rate control. Fixes #10679 - Review HTTP/2 rate control (CVE-2023-44487) Oct 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Allow HTTP/2 rate control to mitigate HTTP/2 floods (CVE-2023-44487)
3 participants