io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack
Package
Affected versions
< 4.1.100.Final
Patched versions
4.1.100.Final
Description
Published to the GitHub Advisory Database
Oct 10, 2023
Reviewed
Oct 10, 2023
Last updated
Nov 6, 2023
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.
Impact
This is a DDOS attack, any http2 server is affected and so you should update as soon as possible.
Patches
This is patched in version 4.1.100.Final.
Workarounds
A user can limit the amount of RST frames that are accepted per connection over a timeframe manually using either an own
Http2FrameListener
implementation or anChannelInboundHandler
implementation (depending which http2 API is used).References
References