
[TT-10384] Is Tyk (gateway) affected by CVE-2023-44487? #5672

Closed
martin-neotech opened this issue Oct 25, 2023 · 3 comments

Comments

@martin-neotech

Versions of Tyk: 4.x and 5.x

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

https://www.cve.org/CVERecord?id=CVE-2023-44487

Is Tyk (gateway) affected by this?

Are there any configurations for self-hosted installations that should be considered?

Thanks

@martin-neotech
Author

golang/go#63417

@andyo-tyk andyo-tyk changed the title Is Tyk (gateway) affected by CVE-2023-44487 ? [TT-10384] Is Tyk (gateway) affected by CVE-2023-44487 ? Oct 31, 2023
@andyo-tyk
Contributor

andyo-tyk commented Oct 31, 2023

Hi @martin-neotech,

Sorry for the delay getting back to you on this.

Docker Scout assessment of the Tyk binaries suggests that the 4-LTS and 5-LTS versions are not affected, as they use versions of Go where HTTP/2 support has to be manually enabled. Within Tyk we have a Gateway configuration option (enable_http2) that enables HTTP/2. We advise that you disable this to mitigate the impact of CVE-2023-44487.

We are working on a solution for the latest feature branch of Tyk (5.2.x), as this uses a newer version of Go where HTTP/2 is enabled by default.

@andyo-tyk
Contributor

Hi @martin-neotech

Tyk has a configuration option to disable HTTP/2 - this will mitigate the risk of this vulnerability in all current versions of Tyk, though of course there might be a performance impact from use of HTTP/1.1 rather than HTTP/2.

The config flag is: http_server_options.enable_http2
You can also use the environment variable: TYK_GW_HTTPSERVEROPTIONS_ENABLEHTTP2

We recommend that you set this to false to restrict Tyk to using HTTP/1.1, avoiding the DoS risk.

The vulnerability lies within the core Golang stdlib package used by Tyk; we are working on upgrading this in the latest Tyk feature branch (5.2.x) but at present a Go upgrade is out-of-scope for the LTS version (5.0.x).
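The two comments above name the config key (http_server_options.enable_http2) and the environment variable (TYK_GW_HTTPSERVEROPTIONS_ENABLEHTTP2) that control HTTP/2 on the gateway. The script below is an added example, not Tyk's own code, for auditing a gateway's effective HTTP/2 setting before and after applying the recommended mitigation. It assumes tyk.conf is JSON, that the environment variable overrides the file value when set (Tyk loads env vars on top of the file), that env values are parsed with Go's strconv.ParseBool rules, and that an absent key leaves HTTP/2 off, as the comment says the option enables it. The sample configs are constructed for the example.

```python
"""Audit a Tyk Gateway config for HTTP/2 exposure (CVE-2023-44487 mitigation check).

Added example, not Tyk's own code. Assumptions: tyk.conf is JSON; the env var
overrides the file value when set; env values follow Go's strconv.ParseBool;
a missing enable_http2 key means HTTP/2 is off.
"""
import json
import os
from typing import Dict, List, Optional

# Config key and environment variable as named in the issue comments.
CONFIG_SECTION = "http_server_options"
CONFIG_KEY = "enable_http2"
ENV_VAR = "TYK_GW_HTTPSERVEROPTIONS_ENABLEHTTP2"

# Constructed sample tyk.conf fragments (not real deployment configs).
WEAK_CONFIG = json.dumps({
    "listen_port": 8080,
    "http_server_options": {"use_ssl": True, "enable_http2": True},
})
HARDENED_CONFIG = json.dumps({
    "listen_port": 8080,
    "http_server_options": {"use_ssl": True, "enable_http2": False},
})


def _parse_go_bool(raw: str) -> Optional[bool]:
    """Mimic Go's strconv.ParseBool (assumed to be what Tyk's env loader uses).
    Returns None for values Go would reject."""
    if raw in ("1", "t", "T", "TRUE", "true", "True"):
        return True
    if raw in ("0", "f", "F", "FALSE", "false", "False"):
        return False
    return None


def effective_http2(config_text: str, env: Optional[Dict[str, str]] = None) -> bool:
    """Return the HTTP/2 setting the gateway would end up with.

    A valid env value wins over the file (assumption); an unparseable env value
    is ignored here so the audit can still report the file value.
    """
    env = os.environ if env is None else env
    cfg = json.loads(config_text)
    file_value = bool(cfg.get(CONFIG_SECTION, {}).get(CONFIG_KEY, False))
    raw = env.get(ENV_VAR)
    if raw is not None:
        parsed = _parse_go_bool(raw.strip())
        if parsed is not None:
            return parsed
    return file_value


def audit(config_text: str, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Produce human-readable findings for a CVE-2023-44487 exposure review."""
    env = os.environ if env is None else env
    findings: List[str] = []
    if effective_http2(config_text, env):
        findings.append(
            f"HTTP/2 is enabled via {CONFIG_SECTION}.{CONFIG_KEY} or {ENV_VAR}; "
            "set it to false to keep the gateway on HTTP/1.1 (CVE-2023-44487 mitigation)."
        )
    raw = env.get(ENV_VAR)
    if raw is not None and _parse_go_bool(raw.strip()) is None:
        findings.append(
            f"{ENV_VAR}={raw!r} is not a value Go's ParseBool accepts; "
            "review how the gateway treats it before relying on it."
        )
    return findings


def harden(config_text: str) -> str:
    """Return a copy of the config with HTTP/2 explicitly disabled."""
    cfg = json.loads(config_text)
    cfg.setdefault(CONFIG_SECTION, {})[CONFIG_KEY] = False
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text, {}) or ["ok: HTTP/2 disabled"])
    print(harden(WEAK_CONFIG))
```

Run it against a real tyk.conf by passing the file contents to audit() with os.environ; the env-var check matters in container deployments, where the variable can silently re-enable HTTP/2 even when the file says false.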
