First published: Mon Oct 09 2023(Updated: )
## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft Windows 11 | =21H2 | |
Microsoft Windows 11 | =21H2 | |
Microsoft Windows Server 2022 | ||
Microsoft Windows Server 2022 | ||
Microsoft Windows 11 | =22H2 | |
Microsoft Windows 11 | =22H2 | |
Microsoft Windows Server 2019 | ||
Microsoft Windows Server 2019 | ||
Microsoft Windows 10 | =21H2 | |
Microsoft Windows 10 | =21H2 | |
Microsoft Windows 10 | =21H2 | |
Microsoft Windows 10 | =22H2 | |
Microsoft Windows 10 | =1809 | |
Microsoft Windows 10 | =1607 | |
Microsoft Windows 10 | =1607 | |
Microsoft Windows 10 | =1809 | |
Microsoft Windows 10 | =22H2 | |
Microsoft Windows 10 | =22H2 | |
Microsoft Windows 10 | =1809 | |
debian/netty | <=1:4.1.48-7<=1:4.1.48-4 | 1:4.1.48-8 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 |
IETF HTTP/2 | ||
Microsoft ASP.NET Core | =7.0 | |
Microsoft .NET 6.0 | ||
Microsoft ASP.NET Core | =6.0 | |
Microsoft Visual Studio 2022 | =17.6 | |
Microsoft Visual Studio 2022 | =17.2 | |
Microsoft Visual Studio 2022 | =17.7 | |
Microsoft ASP.NET Core | =2.0 | |
Nghttp2 Nghttp2 | <1.57.0 | |
Netty Netty | <4.1.100 | |
Envoyproxy Envoy | =1.24.10 | |
Envoyproxy Envoy | =1.25.9 | |
Envoyproxy Envoy | =1.26.4 | |
Envoyproxy Envoy | =1.27.0 | |
Eclipse Jetty | <9.4.53 | |
Eclipse Jetty | >=10.0.0<10.0.17 | |
Eclipse Jetty | >=11.0.0<11.0.17 | |
Eclipse Jetty | >=12.0.0<12.0.2 | |
Microsoft ASP.NET Core | <2.7.5 | |
Golang Go | <1.20.10 | |
Golang Go | >=1.21.0<1.21.3 | |
Golang Http2 | <0.17.0 | |
Golang Networking | <0.17.0 | |
F5 BIG-IP Access Policy Manager | >=13.1.0<=13.1.5 | |
F5 BIG-IP Access Policy Manager | >=14.1.0<=14.1.5 | |
F5 BIG-IP Access Policy Manager | >=15.1.0<=15.1.10 | |
F5 BIG-IP Access Policy Manager | >=16.1.0<=16.1.4 | |
F5 BIG-IP Access Policy Manager | =17.1.0 | |
F5 BIG-IP Advanced Firewall Manager | >=13.1.0<=13.1.5 | |
F5 BIG-IP Advanced Firewall Manager | >=14.1.0<=14.1.5 | |
F5 BIG-IP Advanced Firewall Manager | >=15.1.0<=15.1.10 | |
F5 BIG-IP Advanced Firewall Manager | >=16.1.0<=16.1.4 | |
F5 BIG-IP Advanced Firewall Manager | =17.1.0 | |
F5 Big-ip Advanced Web Application Firewall | >=13.1.0<=13.1.5 | |
F5 Big-ip Advanced Web Application Firewall | >=14.1.0<=14.1.5 | |
F5 Big-ip Advanced Web Application Firewall | >=15.1.0<=15.1.10 | |
F5 Big-ip Advanced Web Application Firewall | >=16.1.0<=16.1.4 | |
F5 Big-ip Advanced Web Application Firewall | =17.1.0 | |
F5 BIG-IP Analytics | >=13.1.0<=13.1.5 | |
F5 BIG-IP Analytics | >=14.1.0<=14.1.5 | |
F5 BIG-IP Analytics | >=15.1.0<=15.1.10 | |
F5 BIG-IP Analytics | >=16.1.0<=16.1.4 | |
F5 BIG-IP Analytics | =17.1.0 | |
F5 Big-ip Application Acceleration Manager | >=13.1.0<=13.1.5 | |
F5 Big-ip Application Acceleration Manager | >=14.1.0<=14.1.5 | |
F5 Big-ip Application Acceleration Manager | >=15.1.0<=15.1.10 | |
F5 Big-ip Application Acceleration Manager | >=16.1.0<=16.1.4 | |
F5 Big-ip Application Acceleration Manager | =17.1.0 | |
F5 BIG-IP Application Security Manager | >=13.1.0<=13.1.5 | |
F5 BIG-IP Application Security Manager | >=14.1.0<=14.1.5 | |
F5 BIG-IP Application Security Manager | >=15.1.0<=15.1.10 | |
F5 BIG-IP Application Security Manager | >=16.1.0<=16.1.4 | |
F5 BIG-IP Application Security Manager | =17.1.0 | |
F5 Big-ip Application Visibility And Reporting | >=13.1.0<=13.1.5 | |
F5 Big-ip Application Visibility And Reporting | >=14.1.0<=14.1.5 | |
F5 Big-ip Application Visibility And Reporting | >=15.1.0<=15.1.10 | |
F5 Big-ip Application Visibility And Reporting | >=16.1.0<=16.1.4 | |
F5 Big-ip Application Visibility And Reporting | =17.1.0 | |
F5 Big-ip Carrier-grade Nat | >=13.1.0<=13.1.5 | |
F5 Big-ip Carrier-grade Nat | >=14.1.0<=14.1.5 | |
F5 Big-ip Carrier-grade Nat | >=15.1.0<=15.1.10 | |
F5 Big-ip Carrier-grade Nat | >=16.1.0<=16.1.4 | |
F5 Big-ip Carrier-grade Nat | =17.1.0 | |
F5 Big-ip Ddos Hybrid Defender | >=13.1.0<=13.1.5 | |
F5 Big-ip Ddos Hybrid Defender | >=14.1.0<=14.1.5 | |
F5 Big-ip Ddos Hybrid Defender | >=15.1.0<=15.1.10 | |
F5 Big-ip Ddos Hybrid Defender | >=16.1.0<=16.1.4 | |
F5 Big-ip Ddos Hybrid Defender | =17.1.0 | |
F5 Big-ip Domain Name System | >=13.1.0<=13.1.5 | |
F5 Big-ip Domain Name System | >=14.1.0<=14.1.5 | |
F5 Big-ip Domain Name System | >=15.1.0<=15.1.10 | |
F5 Big-ip Domain Name System | >=16.1.0<=16.1.4 | |
F5 Big-ip Domain Name System | =17.1.0 | |
F5 Big-ip Fraud Protection Service | >=13.1.0<=13.1.5 | |
F5 Big-ip Fraud Protection Service | >=14.1.0<=14.1.5 | |
F5 Big-ip Fraud Protection Service | >=15.1.0<=15.1.10 | |
F5 Big-ip Fraud Protection Service | >=16.1.0<=16.1.4 | |
F5 Big-ip Fraud Protection Service | =17.1.0 | |
F5 Big-ip Global Traffic Manager | >=13.1.0<=13.1.5 | |
F5 Big-ip Global Traffic Manager | >=14.1.0<=14.1.5 | |
F5 Big-ip Global Traffic Manager | >=15.1.0<=15.1.10 | |
F5 Big-ip Global Traffic Manager | >=16.1.0<=16.1.4 | |
F5 Big-ip Global Traffic Manager | =17.1.0 | |
F5 Big-ip Link Controller | >=13.1.0<=13.1.5 | |
F5 Big-ip Link Controller | >=14.1.0<=14.1.5 | |
F5 Big-ip Link Controller | >=15.1.0<=15.1.10 | |
F5 Big-ip Link Controller | >=16.1.0<=16.1.4 | |
F5 Big-ip Link Controller | =17.1.0 | |
F5 Big-ip Local Traffic Manager | >=13.1.0<=13.1.5 | |
F5 Big-ip Local Traffic Manager | >=14.1.0<=14.1.5 | |
F5 Big-ip Local Traffic Manager | >=15.1.0<=15.1.10 | |
F5 Big-ip Local Traffic Manager | >=16.1.0<=16.1.4 | |
F5 Big-ip Local Traffic Manager | =17.1.0 | |
Microsoft .NET 7.0 | =20.0.1 | |
F5 Big-ip Next Service Proxy For Kubernetes | >=1.5.0<=1.8.2 | |
F5 Big-ip Policy Enforcement Manager | >=13.1.0<=13.1.5 | |
F5 Big-ip Policy Enforcement Manager | >=14.1.0<=14.1.5 | |
F5 Big-ip Policy Enforcement Manager | >=15.1.0<=15.1.10 | |
F5 Big-ip Policy Enforcement Manager | >=16.1.0<=16.1.4 | |
F5 Big-ip Policy Enforcement Manager | =17.1.0 | |
F5 Big-ip Ssl Orchestrator | >=13.1.0<=13.1.5 | |
F5 Big-ip Ssl Orchestrator | >=14.1.0<=14.1.5 | |
F5 Big-ip Ssl Orchestrator | >=15.1.0<=15.1.10 | |
F5 Big-ip Ssl Orchestrator | >=16.1.0<=16.1.4 | |
F5 Big-ip Ssl Orchestrator | =17.1.0 | |
F5 Big-ip Webaccelerator | >=13.1.0<=13.1.5 | |
F5 Big-ip Webaccelerator | >=14.1.0<=14.1.5 | |
F5 Big-ip Webaccelerator | >=15.1.0<=15.1.10 | |
F5 Big-ip Webaccelerator | >=16.1.0<=16.1.4 | |
F5 Big-ip Webaccelerator | =17.1.0 | |
F5 Big-ip Websafe | >=13.1.0<=13.1.5 | |
F5 Big-ip Websafe | >=14.1.0<=14.1.5 | |
F5 Big-ip Websafe | >=15.1.0<=15.1.10 | |
F5 Big-ip Websafe | >=16.1.0<=16.1.4 | |
F5 Big-ip Websafe | =17.1.0 | |
F5 Nginx | >=1.9.5<=1.25.2 | |
Microsoft .NET 7.0 | >=2.0.0<=2.4.2 | |
Microsoft .NET 7.0 | >=3.0.0<=3.3.0 | |
Microsoft .NET 6.0 | >=r25<r29 | |
Microsoft .NET 6.0 | =r29 | |
Microsoft .NET 6.0 | =r30 | |
Apache Tomcat | >=8.5.0<=8.5.93 | |
Apache Tomcat | >=9.0.0<=9.0.80 | |
Apache Tomcat | >=10.1.0<=10.1.13 | |
Apache Tomcat | =11.0.0-milestone1 | |
Apache Tomcat | =11.0.0-milestone10 | |
Apache Tomcat | =11.0.0-milestone11 | |
Apache Tomcat | =11.0.0-milestone2 | |
Apache Tomcat | =11.0.0-milestone3 | |
Apache Tomcat | =11.0.0-milestone4 | |
Apache Tomcat | =11.0.0-milestone5 | |
Apache Tomcat | =11.0.0-milestone6 | |
Apache Tomcat | =11.0.0-milestone7 | |
Apache Tomcat | =11.0.0-milestone8 | |
Apache Tomcat | =11.0.0-milestone9 | |
IETF HTTP/2 | <1.28.0 | |
Microsoft .NET 6.0 | <1.56.3 | |
Microsoft .NET 6.0 | >=1.58.0<1.58.3 | |
Microsoft .NET 6.0 | =1.57.0 | |
Microsoft .NET | >=6.0.0<6.0.23 | |
Microsoft .NET | >=7.0.0<7.0.12 | |
Microsoft ASP.NET Core | >=6.0.0<6.0.23 | |
Microsoft ASP.NET Core | >=7.0.0<7.0.12 | |
Microsoft Azure Kubernetes Service | <2023-10-08 | |
Microsoft Visual Studio 2022 | >=17.0<17.2.20 | |
Microsoft Visual Studio 2022 | >=17.4<17.4.12 | |
Microsoft Visual Studio 2022 | >=17.6<17.6.8 | |
Microsoft Visual Studio 2022 | >=17.7<17.7.5 | |
Microsoft Windows Server 2016 | <10.0.14393.6351 | |
Microsoft Windows Server 2016 | <10.0.14393.6351 | |
Microsoft Windows Server 2016 | <10.0.17763.4974 | |
Microsoft Windows Server 2019 | <10.0.19044.3570 | |
Microsoft Windows 10 22h2 | <10.0.19045.3570 | |
Microsoft Windows 11 21h2 | <10.0.22000.2538 | |
Microsoft Windows 11 | <10.0.22621.2428 | |
Microsoft Windows Server 2016 | ||
Microsoft Windows Server 2019 | ||
Microsoft Windows Server 2022 | ||
Nodejs Node.js | <21.0.0 | |
Microsoft Visual Studio 2022 | <2023-10-11 | |
Microsoft Windows Server 2022 | <2023-10-10 | |
Microsoft Windows Server 2022 | <2023.10.16.00 | |
Apache APISIX | <3.6.1 | |
Apache Traffic Server | >=8.0.0<8.1.9 | |
Apache Traffic Server | >=9.0.0<9.2.3 | |
Microsoft Windows Server 2019 | <2.5.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
Debian Debian Linux | =12.0 | |
Microsoft Windows 11 | <4.2.2 | |
Microsoft Windows Server 2022 | <1.17.6 | |
Microsoft Windows Server 2022 | >=1.18.0<1.18.3 | |
Microsoft Windows Server 2022 | >=1.19.0<1.19.1 | |
Microsoft .NET 6.0 | <2023-10-10 | |
Microsoft Visual Studio 2022 | <2.10.5 | |
Microsoft Visual Studio 2022 | =3.0.0-beta1 | |
Microsoft Visual Studio 2022 | =3.0.0-beta2 | |
Microsoft Visual Studio 2022 | =3.0.0-beta3 | |
Microsoft .NET 7.0 | <2023-10-11 | |
Microsoft Visual Studio 2022 | >=2.12.0<=2.12.5 | |
Microsoft Visual Studio 2022 | =2.13.0 | |
Microsoft Visual Studio 2022 | =2.13.1 | |
Microsoft Visual Studio 2022 | =2.14.0 | |
Microsoft Visual Studio 2022 | =2.14.1 | |
Linecorp Armeria | <1.26.0 | |
Microsoft Windows Server 2022 | =2.0 | |
Redhat Advanced Cluster Management For Kubernetes | =2.0 | |
Redhat Advanced Cluster Security | =3.0 | |
Redhat Advanced Cluster Security | =4.0 | |
Redhat Ansible Automation Platform | =2.0 | |
Redhat Build Of Optaplanner | =8.0 | |
Redhat Build Of Quarkus | ||
Microsoft Windows Server 2022 | =5.0 | |
Microsoft Windows Server 2016 | ||
Microsoft Windows Server 2016 | =8.0 | |
Microsoft Windows Server 2016 | =9.0 | |
Microsoft Visual Studio 2022 | ||
Microsoft .NET 6.0 | =2.0 | |
Redhat Decision Manager | =7.0 | |
IETF HTTP/2 | ||
Microsoft Windows 11 | ||
Redhat Integration Camel K | ||
Redhat Integration Service Registry | ||
Redhat Jboss A-mq | =7 | |
Microsoft Windows Server 2016 | ||
Microsoft .NET 7.0 | ||
Redhat Jboss Data Grid | =7.0.0 | |
Redhat Jboss Enterprise Application Platform | =6.0.0 | |
Redhat Jboss Enterprise Application Platform | =7.0.0 | |
Redhat Jboss Fuse | =6.0.0 | |
Redhat Jboss Fuse | =7.0.0 | |
Microsoft .NET 7.0 | ||
Microsoft Visual Studio 2022 | ||
Microsoft ASP.NET Core | =6.0 | |
Microsoft Windows Server 2022 | ||
IETF HTTP/2 | ||
Microsoft Windows Server 2022 | ||
Microsoft Windows Server 2019 | ||
IETF HTTP/2 | ||
Microsoft Windows Server 2022 | ||
IETF HTTP/2 | ||
Redhat Openshift Container Platform | =4.0 | |
Microsoft Windows Server 2019 | ||
Redhat Openshift Data Science | ||
Microsoft Windows Server 2022 | ||
Microsoft Windows Server 2022 | ||
Microsoft ASP.NET Core | ||
IETF HTTP/2 | ||
Microsoft .NET 7.0 | ||
Microsoft Windows 11 | ||
Microsoft .NET 7.0 | ||
Redhat Openshift Serverless | ||
Redhat Openshift Service Mesh | =2.0 | |
Microsoft Windows 11 | =4 | |
Redhat Openstack Platform | =16.1 | |
Redhat Openstack Platform | =16.2 | |
Redhat Openstack Platform | =17.1 | |
Redhat Process Automation | =7.0 | |
Redhat Quay | =3.0.0 | |
Microsoft Windows 10 | ||
Redhat Satellite | =6.0 | |
Microsoft Windows Server 2016 | ||
Microsoft Windows Server 2016 | =1.0 | |
Redhat Single Sign-on | =7.0 | |
Microsoft Windows Server 2016 | ||
Microsoft .NET 6.0 | ||
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
Microsoft Windows 10 | =1.5 | |
Redhat Enterprise Linux | =8.0 | |
Fedoraproject Fedora | =38 | |
Microsoft Windows Server 2019 | ||
Microsoft Windows 11 | <10.5.3 | |
Microsoft ASP.NET Core | <3.4.2 | |
Microsoft .NET 7.0 | ||
Microsoft Windows Server 2016 | ||
Microsoft Windows Server 2016 | ||
Grpc Grpc | <=1.59.2 | |
Nodejs Node.js | >=18.0.0<18.18.2 | |
Nodejs Node.js | >=20.0.0<20.8.1 | |
Microsoft .NET 6.0 | >=2.12.0<=2.12.5 | |
Microsoft .NET 6.0 | =2.13.0 | |
Microsoft .NET 6.0 | =2.13.1 | |
Microsoft .NET 6.0 | =2.14.0 | |
Microsoft .NET 6.0 | =2.14.1 | |
All of | ||
Microsoft Windows 10 | =1.5 | |
Redhat Enterprise Linux | =8.0 | |
Fedoraproject Fedora | =37 | |
Jenkins Jenkins | <=2.414.2 | |
Jenkins Jenkins | <=2.427 | |
Apache Solr | <9.4.0 | |
Openresty Openresty | <1.21.4.3 | |
Cisco Connected Mobile Experiences | <11.1 | |
Apple Xcode | <4.1.3 | |
Apple Xcode | =5.0 | |
Apache Log4j2 | <6.0.0 | |
Cisco Data Center Network Manager | ||
Cisco Enterprise Chat and Email | ||
Cisco Expressway | <x14.3.3 | |
Cisco Firepower Threat Defense | <7.4.2 | |
Cisco IoT Field Network Director | <4.11.0 | |
Cisco Prime Access Registrar | <9.3.3 | |
Microsoft Windows Server 2016 | <7.2.1 | |
Cisco Prime Infrastructure | <3.10.4 | |
Cisco Prime Network Registrar | <11.2 | |
Microsoft Windows Server 2016 | <2.2.0 | |
Microsoft Windows Server 2016 | <2.19.2 | |
Cisco TelePresence Video Communication Server | <x14.3.3 | |
Microsoft Windows Server 2016 | <2024.01.0 | |
Microsoft Windows Server 2016 | =2024.01.0 | |
Microsoft Windows Server 2016 | <2024.02.0 | |
Microsoft Windows Server 2016 | <2024.02.0 | |
Microsoft Windows Server 2016 | ||
Microsoft Windows Server 2016 | ||
Cisco Unified Contact Center Enterprise | ||
Microsoft Windows Server 2016 | <12.6.2 | |
Cisco Unified Contact Center Management Portal | ||
Cisco Fog Director | <1.22 | |
Cisco IOS XE | <17.15.1 | |
Cisco IOS XR | <7.11.2 | |
All of | ||
Microsoft Windows Server 2016 | <15.1.0 | |
Cisco Secure Web Appliance | ||
All of | ||
Any of | ||
Cisco Nx-os | <10.2\(7\) | |
Cisco Nx-os | >=10.3\(1\)<10.3\(5\) | |
Any of | ||
Cisco Nexus 3016 | ||
Cisco Nexus 3016q | ||
Cisco Nexus 3048 | ||
Cisco Nexus 3064 | ||
Cisco Nexus 3064-32t | ||
Cisco Nexus 3064-t | ||
Cisco Nexus 3064-x | ||
Cisco Nexus 3064t | ||
Cisco Nexus 3064x | ||
Cisco Nexus 3100 | ||
Cisco Nexus 3100-v | ||
Cisco Nexus 3100-z | ||
Cisco Nexus 3100v | ||
Cisco Nexus 31108pc-v | ||
Cisco Nexus 31108pv-v | ||
Cisco Nexus 31108tc-v | ||
Cisco Nexus 31128pq | ||
Cisco Nexus 3132c-z | ||
Cisco Nexus 3132q | ||
Cisco Nexus 3132q-v | ||
Cisco Nexus 3132q-x | ||
Cisco Nexus 3132q-x\/3132q-xl | ||
Cisco Nexus 3132q-xl | ||
Cisco Nexus 3164q | ||
Cisco Nexus 3172 | ||
Cisco Nexus 3172pq | ||
Cisco Nexus 3172pq-xl | ||
Cisco Nexus 3172pq\/pq-xl | ||
Cisco Nexus 3172tq | ||
Cisco Nexus 3172tq-32t | ||
Cisco Nexus 3172tq-xl | ||
Cisco Nexus 3200 | ||
Cisco Nexus 3232 | ||
Cisco Nexus 3232c | ||
Cisco Nexus 3232c | ||
Cisco Nexus 3264c-e | ||
Cisco Nexus 3264q | ||
Cisco Nexus 3400 | ||
Cisco Nexus 3408-s | ||
Cisco Nexus 34180yc | ||
Cisco Nexus 34200yc-sm | ||
Cisco Nexus 3432d-s | ||
Cisco Nexus 3464c | ||
Cisco Nexus 3500 | ||
Cisco Nexus 3524 | ||
Cisco Nexus 3524-x | ||
Cisco Nexus 3524-x\/xl | ||
Cisco Nexus 3524-xl | ||
Cisco Nexus 3548 | ||
Cisco Nexus 3548-x | ||
Cisco Nexus 3548-x\/xl | ||
Cisco Nexus 3548-xl | ||
Cisco Nexus 3600 | ||
Cisco Nexus 36180yc-r | ||
Cisco Nexus 3636c-r | ||
All of | ||
Any of | ||
Cisco Nx-os | <10.2\(7\) | |
Cisco Nx-os | >=10.3\(1\)<10.3\(5\) | |
Any of | ||
Cisco Nexus 9000v | ||
Cisco Nexus 9200 | ||
Cisco Nexus 9200yc | ||
Cisco Nexus 92160yc-x | ||
Cisco Nexus 92160yc Switch | ||
Cisco Nexus 9221c | ||
Cisco Nexus 92300yc | ||
Cisco Nexus 92300yc Switch | ||
Cisco Nexus 92304qc | ||
Cisco Nexus 92304qc Switch | ||
Cisco Nexus 9232e | ||
Cisco Nexus 92348gc-x | ||
Cisco Nexus 9236c | ||
Cisco Nexus 9236c Switch | ||
Cisco Nexus 9272q | ||
Cisco Nexus 9272q Switch | ||
Cisco Nexus 9300 | ||
Cisco Nexus 93108tc-ex | ||
Cisco Nexus 93108tc-ex-24 | ||
Cisco Nexus 93108tc-ex Switch | ||
Cisco Nexus 93108tc-fx | ||
Cisco Nexus 93108tc-fx-24 | ||
Cisco Nexus 93108tc-fx3h | ||
Cisco Nexus 93108tc-fx3p | ||
Cisco Nexus 93120tx | ||
Cisco Nexus 93120tx Switch | ||
Cisco Nexus 93128 | ||
Cisco Nexus 93128tx | ||
Cisco Nexus 93128tx Switch | ||
Cisco Nexus 9316d-gx | ||
Cisco Nexus 93180lc-ex | ||
Cisco Nexus 93180lc-ex Switch | ||
Cisco Nexus 93180tc-ex | ||
Cisco Nexus 93180yc-ex | ||
Cisco Nexus 93180yc-ex-24 | ||
Cisco Nexus 93180yc-ex Switch | ||
Cisco Nexus 93180yc-fx | ||
Cisco Nexus 93180yc-fx-24 | ||
Cisco Nexus 93180yc-fx3 | ||
Cisco Nexus 93180yc-fx3h | ||
Cisco Nexus 93180yc-fx3s | ||
Cisco Nexus 93216tc-fx2 | ||
Cisco Nexus 93240tc-fx2 | ||
Cisco Nexus 93240yc-fx2 | ||
Cisco Nexus 9332c | ||
Cisco Nexus 9332d-gx2b | ||
Cisco Nexus 9332d-h2r | ||
Cisco Nexus 9332pq | ||
Cisco Nexus 9332pq Switch | ||
Cisco Nexus 93360yc-fx2 | ||
Cisco Nexus 9336c-fx2 | ||
Cisco Nexus 9336c-fx2-e | ||
Cisco Nexus 9336pq | ||
Cisco Nexus 9336pq Aci | ||
Cisco Nexus 9336pq Aci Spine | ||
Cisco Nexus 9336pq Aci Spine Switch | ||
Cisco Nexus 9348d-gx2a | ||
Cisco Nexus 9348gc-fx3 | ||
Cisco Nexus 9348gc-fxp | ||
Cisco Nexus 93600cd-gx | ||
Cisco Nexus 9364c | ||
Cisco Nexus 9364c-gx | ||
Cisco Nexus 9364d-gx2a | ||
Cisco Nexus 9372px | ||
Cisco Nexus 9372px-e | ||
Cisco Nexus 9372px-e Switch | ||
Cisco Nexus 9372px Switch | ||
Cisco Nexus 9372tx | ||
Cisco Nexus 9372tx-e | ||
Cisco Nexus 9372tx-e Switch | ||
Cisco Nexus 9372tx Switch | ||
Cisco Nexus 9396px | ||
Cisco Nexus 9396px Switch | ||
Cisco Nexus 9396tx | ||
Cisco Nexus 9396tx Switch | ||
Cisco Nexus 9408 | ||
Cisco Nexus 9432pq | ||
Cisco Nexus 9500 | ||
Cisco Nexus 9500 16-slot | ||
Cisco Nexus 9500 4-slot | ||
Cisco Nexus 9500 8-slot | ||
Cisco Nexus 9500 Supervisor A | ||
Cisco Nexus 9500 Supervisor A\+ | ||
Cisco Nexus 9500 Supervisor B | ||
Cisco Nexus 9500 Supervisor B\+ | ||
Cisco Nexus 9500r | ||
Cisco Nexus 9504 | ||
Cisco Nexus 9504 Switch | ||
Cisco Nexus 9508 | ||
Cisco Nexus 9508 Switch | ||
Cisco Nexus 9516 | ||
Cisco Nexus 9516 Switch | ||
Cisco Nexus 9536pq | ||
Cisco Nexus 9636pq | ||
Cisco Nexus 9716d-gx | ||
Cisco Nexus 9736pq | ||
Cisco Nexus 9800 | ||
Cisco Nexus 9804 | ||
Cisco Nexus 9808 | ||
IBM Secure Proxy | <=6.0.3 | |
IBM Secure Proxy | <=6.1.0 | |
maven/com.typesafe.akka:akka-http-core_2.11 | <=10.1.15 | |
maven/com.typesafe.akka:akka-http-core_2.12 | <10.5.3 | 10.5.3 |
maven/com.typesafe.akka:akka-http-core_2.13 | <10.5.3 | 10.5.3 |
maven/com.typesafe.akka:akka-http-core | <10.5.3 | 10.5.3 |
maven/org.eclipse.jetty.http2:jetty-http2-server | >=12.0.0<12.0.2 | 12.0.2 |
maven/org.eclipse.jetty.http2:jetty-http2-common | >=12.0.0<12.0.2 | 12.0.2 |
maven/org.eclipse.jetty.http2:http2-server | >=11.0.0<11.0.17 | 11.0.17 |
maven/org.eclipse.jetty.http2:http2-server | >=10.0.0<10.0.17 | 10.0.17 |
maven/org.eclipse.jetty.http2:http2-server | >=9.3.0<9.4.53 | 9.4.53 |
maven/org.eclipse.jetty.http2:http2-common | >=11.0.0<11.0.17 | 11.0.17 |
maven/org.eclipse.jetty.http2:http2-common | >=10.0.0<10.0.17 | 10.0.17 |
maven/org.eclipse.jetty.http2:http2-common | >=9.3.0<9.4.53 | 9.4.53 |
swift/github.com/apple/swift-nio-http2 | <1.28.0 | 1.28.0 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.0<8.5.94 | 8.5.94 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0<9.0.81 | 9.0.81 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=10.0.0<10.1.14 | 10.1.14 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=11.0.0-M1<11.0.0-M12 | 11.0.0-M12 |
maven/org.apache.tomcat:tomcat | >=8.5.0<8.5.94 | 8.5.94 |
maven/org.apache.tomcat:tomcat | >=9.0.0<9.0.81 | 9.0.81 |
maven/org.apache.tomcat:tomcat | >=10.0.0<10.1.14 | 10.1.14 |
maven/org.apache.tomcat:tomcat | >=11.0.0-M1<11.0.0-M12 | 11.0.0-M12 |
go/google.golang.org/grpc | <1.56.3 | 1.56.3 |
go/google.golang.org/grpc | >=1.57.0<1.57.1 | 1.57.1 |
go/google.golang.org/grpc | >=1.58.0<1.58.3 | 1.58.3 |
go/golang.org/x/net | <0.17.0 | 0.17.0 |
redhat/golang | <1.21.3 | 1.21.3 |
redhat/golang | <1.20.10 | 1.20.10 |
redhat/tomcat | <11.0.0 | 11.0.0 |
redhat/tomcat | <10.1.14 | 10.1.14 |
redhat/tomcat | <9.0.81 | 9.0.81 |
redhat/tomcat | <8.5.94 | 8.5.94 |
redhat/nghttp2 | <1.57.0 | 1.57.0 |
redhat/netty | <4.1.100. | 4.1.100. |
ubuntu/dotnet6 | <6.0.123-0ubuntu1~22.04.1 | 6.0.123-0ubuntu1~22.04.1 |
ubuntu/dotnet6 | <6.0.123-0ubuntu1~23.04.1 | 6.0.123-0ubuntu1~23.04.1 |
ubuntu/dotnet6 | <6.0.123-0ubuntu1 | 6.0.123-0ubuntu1 |
ubuntu/dotnet6 | <6.0.23 | 6.0.23 |
ubuntu/dotnet7 | <7.0.112-0ubuntu1~22.04.1 | 7.0.112-0ubuntu1~22.04.1 |
ubuntu/dotnet7 | <7.0.112-0ubuntu1~23.04.1 | 7.0.112-0ubuntu1~23.04.1 |
ubuntu/dotnet7 | <7.0.112-0ubuntu1 | 7.0.112-0ubuntu1 |
ubuntu/dotnet7 | <7.0.12 | 7.0.12 |
ubuntu/dotnet8 | <8.0.100-8.0.0~ | 8.0.100-8.0.0~ |
ubuntu/dotnet8 | <8.0.0- | 8.0.0- |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~20.04.1 | 1.20.3-1ubuntu0.1~20.04.1 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.1~22.04.1 | 1.20.3-1ubuntu0.1~22.04.1 |
ubuntu/golang-1.20 | <1.20.3-1ubuntu0.2 | 1.20.3-1ubuntu0.2 |
ubuntu/golang-1.20 | <1.20.8-1ubuntu0.23.10.1 | 1.20.8-1ubuntu0.23.10.1 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu20.04.2 | 1.21.1-1~ubuntu20.04.2 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu22.04.2 | 1.21.1-1~ubuntu22.04.2 |
ubuntu/golang-1.21 | <1.21.1-1~ubuntu23.04.2 | 1.21.1-1~ubuntu23.04.2 |
ubuntu/golang-1.21 | <1.21.1-1ubuntu0.23.10.1 | 1.21.1-1ubuntu0.23.10.1 |
ubuntu/nghttp2 | <1.40.0-1ubuntu0.2 | 1.40.0-1ubuntu0.2 |
ubuntu/nghttp2 | <1.43.0-1ubuntu0.1 | 1.43.0-1ubuntu0.1 |
ubuntu/nghttp2 | <1.52.0-1ubuntu0.1 | 1.52.0-1ubuntu0.1 |
ubuntu/nghttp2 | <1.55.1-1ubuntu0.1 | 1.55.1-1ubuntu0.1 |
ubuntu/tomcat10 | <10.1.14 | 10.1.14 |
ubuntu/tomcat8 | <8.5.94 | 8.5.94 |
ubuntu/tomcat9 | <9.0.81 | 9.0.81 |
Fortinet FortiOS | >=7.4.0<=7.4.1 | |
Fortinet FortiOS | >=7.2.0<=7.2.6 | |
Fortinet FortiOS | >=7.0.0<=7.0.13 | |
Fortinet FortiProxy | >=7.4.0<=7.4.1 | |
Fortinet FortiProxy | >=7.2.0<=7.2.7 | |
Fortinet FortiProxy | >=7.0 | |
debian/dnsdist | <=1.5.1-3<=1.7.3-2 | 1.3.3-3 1.8.3-2 1.9.3-1 |
debian/grpc | <=1.16.1-1<=1.30.2-3<=1.51.1-3<=1.51.1-4<=1.51.1-4.1 | |
debian/h2o | <=2.2.5+dfsg2-2+deb10u1<=2.2.5+dfsg2-6<=2.2.5+dfsg2-7 | 2.2.5+dfsg2-2+deb10u2 2.2.5+dfsg2-8 2.2.5+dfsg2-8.1 |
debian/haproxy | 1.8.19-1+deb10u3 1.8.19-1+deb10u5 2.2.9-2+deb11u6 2.6.12-1+deb12u1 2.9.5-1 2.9.7-1 | |
debian/jetty9 | <=9.4.16-0+deb10u1 | 9.4.50-4+deb10u2 9.4.50-4+deb11u1 9.4.50-4+deb11u2 9.4.50-4+deb12u2 9.4.50-4+deb12u3 9.4.54-1 |
debian/netty | <=1:4.1.33-1+deb10u2 | 1:4.1.33-1+deb10u4 1:4.1.48-4+deb11u2 1:4.1.48-7+deb12u1 1:4.1.48-9 |
debian/nghttp2 | <=1.36.0-2+deb10u1 | 1.36.0-2+deb10u2 1.43.0-1+deb11u1 1.52.0-1+deb12u1 1.59.0-1 1.61.0-1 |
debian/nginx | <=1.14.2-2+deb10u4<=1.14.2-2+deb10u5<=1.18.0-6.1+deb11u3<=1.22.1-9 | 1.24.0-2 |
debian/tomcat10 | 10.1.6-1+deb12u1 10.1.6-1+deb12u2 10.1.23-1 | |
debian/tomcat9 | <=9.0.31-1~deb10u6 | 9.0.31-1~deb10u12 9.0.43-2~deb11u9 9.0.43-2~deb11u10 9.0.70-2 |
debian/trafficserver | <=8.0.2+ds-1+deb10u6 | 8.1.7-0+deb10u3 8.1.9+ds-1~deb11u1 8.1.10+ds-1~deb11u1 9.2.3+ds-1+deb12u1 9.2.4+ds-0+deb12u1 9.2.4+ds-2 |
debian/varnish | <=6.1.1-1+deb10u3<=6.1.1-1+deb10u4<=6.5.1-1+deb11u3<=7.1.1-1.1<=7.1.1-1.2 |
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)