
[Security vulnerability] Apache HTTP/2 protocol denial-of-service vulnerability (CVE-2023-44487)

Open q343959872 opened this issue 1 year ago • 2 comments

The HTTP/2 network protocol is the second version of HTTP (Hypertext Transfer Protocol). It improves the performance and efficiency of data transmission through multiplexing, that is, sending multiple HTTP requests and responses concurrently on a single connection; approximately 62% of services on the internet use HTTP/2. The Rapid Reset flaw in HTTP/2 allows an attacker to create new multiplexed streams and then immediately send a cancel-stream frame (RST_STREAM), so the server keeps allocating resources to handle stream creation and cancellation until those resources are exhausted, resulting in denial of service. The vulnerability is already being exploited in the wild and affects many products; Netty, Go, Apache Tomcat, grpc-go, Jetty, nghttp2, Apache Traffic Server, Nginx and Vespa Cloud have all fixed it. Nginx's default configuration allows a client to keep at most 1000 HTTP connections (adjustable through the keepalive configuration) and is not affected by this vulnerability in its default configuration.

Affected users are advised to upgrade to the following versions: Apache Tomcat >= 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94.

q343959872 avatar Dec 13 '23 01:12 q343959872
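The mechanism described in the opening post, seen from the server side, as an added example that is not part of this issue and not Nacos, Tomcat or gRPC code: it parses raw HTTP/2 frame headers (RFC 9113 layout) and applies a per-connection reset budget, the same class of mitigation the patched servers named above adopted. The threshold (100 client resets per one-second window), the `RapidResetGuard` class and the `run_client` driver are assumptions constructed for this example; the frames it feeds in are likewise constructed, with empty HEADERS payloads rather than real HPACK blocks.

```python
"""Server-side guard for HTTP/2 Rapid Reset (CVE-2023-44487).

Added example, not project code. Parses HTTP/2 frames and drops a
connection whose client cancels streams faster than a fixed budget.
"""
import struct
from collections import deque

# HTTP/2 frame type codes and header size (RFC 9113, section 4.1 and 6).
HEADERS = 0x1
RST_STREAM = 0x3
FRAME_HEADER_LEN = 9
ERR_CANCEL = 0x8  # RST_STREAM error code CANCEL


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        # Top bit of the stream identifier is reserved and must be ignored.
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class RapidResetGuard:
    """Per-connection tracker of client-initiated stream resets.

    Policy (constructed for this example): a client that resets more than
    max_resets of its own streams within a sliding window of `window`
    seconds gets its connection closed instead of more stream processing.
    """

    def __init__(self, max_resets=100, window=1.0):
        self.max_resets = max_resets
        self.window = window
        self.open_streams = set()
        self.reset_times = deque()
        self.closed = False
        self.reason = None

    def observe(self, frame, now):
        """Account for one frame at time `now`; return False once the connection is dropped."""
        ftype, _flags, stream_id, payload = frame
        if self.closed:
            return False
        if ftype == HEADERS and stream_id % 2 == 1:   # client-initiated streams are odd
            self.open_streams.add(stream_id)
        elif ftype == RST_STREAM:
            if len(payload) != 4:                      # FRAME_SIZE_ERROR per RFC 9113 6.4
                self.closed, self.reason = True, "malformed RST_STREAM"
                return False
            if stream_id in self.open_streams:
                self.open_streams.discard(stream_id)
                self.reset_times.append(now)
                while self.reset_times and now - self.reset_times[0] > self.window:
                    self.reset_times.popleft()
                if len(self.reset_times) > self.max_resets:
                    self.closed = True
                    self.reason = f"{len(self.reset_times)} RST_STREAM within {self.window}s"
                    return False
        return True


def run_client(n_streams, reset_every):
    """Feed n_streams HEADERS+RST_STREAM pairs, `reset_every` seconds apart.

    Returns (connection_survived, frames_processed). Constructed traffic:
    HEADERS carry END_HEADERS|END_STREAM and an empty payload.
    """
    guard = RapidResetGuard()
    wire = b""
    for i in range(n_streams):
        sid = 2 * i + 1
        wire += build_frame(HEADERS, 0x5, sid)
        wire += build_frame(RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    now, processed = 0.0, 0
    for frame in parse_frames(wire):
        if not guard.observe(frame, now):
            break
        processed += 1
        if frame[0] == RST_STREAM:
            now += reset_every
    return (not guard.closed, processed)


if __name__ == "__main__":
    print("normal client (20 resets/s):", run_client(200, 0.05))
    print("rapid reset burst (1000 resets/s):", run_client(200, 0.001))
```

A client that cancels streams at a modest rate keeps its connection, while a burst of create-then-cancel pairs trips the budget after the 101st reset and the remaining frames are never processed, which is what bounds the per-connection work the opening post describes. The budget values are only placeholders; a real server sizes them against its own stream-handling cost.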

Nacos does not use Tomcat's HTTP/2 service; for now it only uses Tomcat's HTTP/1.1, so there is no related risk at the moment. This will be handled along with the Spring Boot version upgrade.

KomachiSion avatar Dec 15 '23 07:12 KomachiSion

gRPC was just updated to a new version; we need to confirm whether it is affected by a similar vulnerability.

KomachiSion avatar Dec 15 '23 07:12 KomachiSion

Closed by #11749

KomachiSion avatar Feb 27 '24 02:02 KomachiSion