THREESCALE-10224 CVE-2023-44487 http/2 rapid reset #1417
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Fixes https://issues.redhat.com/browse/THREESCALE-10224
CVE-2023-44487 (HTTP/2 Rapid Reset) fix
The actual fix is two-fold:
TL;DR the Rapid reset sec threat is about doing lot's of requests with rapid reset right after sending the request so the [http2_max_concurrent_streams|http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_max_concurrent_streams] threshold is never reached.
With the openresty [lua_check_client_abort|https://github.com/openresty/lua-nginx-module#lua_check_client_abort] disabled, apicast was not honoring the resets and the http2_max_concurrent_streams threshold (128 by default in nginx) was hit. Even though the client was sending the reset. So, APICast was protected to the rapid reset sec threat. However that happened because HTTP2 protocol was not correctly implemented. APICast was sending data even after receiving the reset in the closed stream.
Thus, this PR enables lua_check_client_abort, which makes APIcast to respect the resets, thus making it vulnerable to the rapid reset sec threat. But also more compliant with HTTP2. The protection against the rapid reset sec threat comes from the nginx fix http://hg.nginx.org/nginx/rev/cdda286c0f1b
The client used to exploit the rapid reset vulnerability: https://github.com/eguzki/nice-cve-poc/tree/ssl-optional
Related links:
Verification steps
apicast-cve-2023-44487
client sent too many streams at once while processing HTTP/2 connection
. That log is generated by the fix from nginx http://hg.nginx.org/nginx/rev/cdda286c0f1bThe apicast log line should show