Introducing Akka Cloud to Edge Continuum. Build once for the Cloud. Seamlessly deploy to the Edge. Learn More
 

Akka HTTP rapid reset denial of service

Date

2023-10-16

CVE

CVE-2023-44487

Description of Vulnerability

A widespread HTTP/2 server vulnerability where a client issues rapid HTTP/2 reset frames and thereby sidesteps the protection against unlimited resource consumption built into the protocol.

Severity

The CVSS score of this vulnerability is 7.5, based on vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Impact

The quick sequence of requests can possibly trigger of expensive requests on the server, depending on the application logic built on top of Akka HTTP/2, at a low cost for the abusing client, allowing for denial of service attacks.

Akka HTTP/2 servers running behind a proxy are likely protected by the proxy, given that it has protective measurements against this vulnerability.

Resolution

Starting from Akka HTTP 10.5.3 a reset frame rate limit is present in the HTTP/2 server. The rate limit is configurable through settings akka.http.server.http2.max-resets and akka.http.server.http2.max-resets-interval with a default limit of 400 resets per 10s and connection. Once a connection hits the limit it is closed.

Affected versions

Fixed versions

References

https://nvd.nist.gov/vuln/detail/CVE-2023-44487