CVE-2023-44487
Published: 10 October 2023
Summary
CVE-2023-44487 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in the HTTP/2 protocol itself, affecting HTTP/2 server implementations including Apache Tomcat; it is widely known as the HTTP/2 Rapid Reset attack. Its CVSS base score is 7.5 (High).
Operationally, it sits among the very highest-ranked CVEs by EPSS exploit likelihood (its percentile rounds to the "top 0.0%"); CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and AC-10 (Concurrent Session Control).
Deeper analysis
CVE-2023-44487 is a denial-of-service flaw in the HTTP/2 protocol that stems from rapid request cancellation. A client opens a stream with a single HEADERS frame and cancels it with a single RST_STREAM frame, and the cancelled stream immediately stops counting against the server's advertised SETTINGS_MAX_CONCURRENT_STREAMS limit. By the time the reset arrives the server has already allocated stream state and, in most implementations, dispatched the request to its backend, so the attacker's cost per request is far lower than the server's and the concurrency limit never constrains the flood. The issue affects any HTTP/2 server implementation that processes cancellations without rate limiting or resource accounting, and carries a CVSS 3.1 score of 7.5: reachable over the network, no authentication required, with high availability impact and no confidentiality or integrity impact.
Unauthenticated remote attackers exploit the issue by sending a flood of HTTP/2 HEADERS frames, each immediately followed by a RST_STREAM frame for the same stream, over one or a few connections; CPU and memory consumption on the target climb until it becomes unresponsive. The flaw was actively exploited in the wild between August and October 2023.
Multiple oss-security advisories referenced in the disclosure discuss vendor-specific patches and configuration changes to mitigate stream-reset abuse; the common pattern is to count RST_STREAM frames (or otherwise cancelled streams) per connection and to close the connection with GOAWAY once a threshold is exceeded. The EPSS score has remained near its peak of 0.9450, with a current value of 0.9439, indicating sustained exploitation interest since public release.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2795
Vulnerability details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
- KEV Date Added: 10 October 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection): directly requires mechanisms to protect against denial-of-service attacks that consume server resources via rapid HTTP/2 stream resets. For this CVE that means per-connection accounting of RST_STREAM frames and closing abusive connections with GOAWAY, which is what the vendor patches implement.
- AC-10 (Concurrent Session Control): limits the number of concurrent HTTP/2 streams per session, reducing an attacker's ability to trigger mass cancellations. Caveat: SETTINGS_MAX_CONCURRENT_STREAMS alone does not stop Rapid Reset, because a reset stream immediately stops counting against the cap; the cap must be paired with reset-rate accounting to be effective.
- SC-6 (Resource Availability): ensures resource availability by prioritizing or throttling allocation during high-volume stream-reset floods.
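To make the accounting concrete, the following is an added example (not code from this page, from Apache Tomcat, or from any other HTTP/2 implementation). It models the server-side stream bookkeeping behind the "Deeper analysis" section and the AC-10/SC-5 controls above: first a naive HEADERS flood, which the concurrency cap stops; then a Rapid Reset flood, which the cap does not stop because each RST_STREAM frees the slot; then the same flood against a per-connection reset-rate limit that closes the connection with GOAWAY. The Connection class, the frame traces, the timings and the threshold of 50 resets per second are all constructed for illustration.

```python
"""Stream accounting under an HTTP/2 Rapid Reset flood (constructed model).

Added example, not code from the page or from any HTTP/2 implementation.
It models only the two things that matter for CVE-2023-44487: how the
SETTINGS_MAX_CONCURRENT_STREAMS limit is enforced, and how cheaply a
client can free a slot with RST_STREAM. Frame traces, timings and the
reset threshold are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

HEADERS = "HEADERS"
RST_STREAM = "RST_STREAM"


@dataclass
class Connection:
    """Server-side view of one HTTP/2 connection (constructed model)."""
    max_concurrent_streams: int = 100   # advertised SETTINGS_MAX_CONCURRENT_STREAMS
    reset_limit: float = 50             # RST_STREAM frames tolerated per window (mitigation)
    reset_window: float = 1.0           # seconds
    active: set = field(default_factory=set)
    dispatched: int = 0                 # requests handed to the backend (the expensive part)
    refused: int = 0                    # HEADERS answered with REFUSED_STREAM
    reset_times: deque = field(default_factory=deque)
    goaway: bool = False

    def on_frame(self, frame_type: str, stream_id: int, now: float) -> str:
        if self.goaway:
            return "dropped"            # connection already closed
        if frame_type == HEADERS:
            if len(self.active) >= self.max_concurrent_streams:
                self.refused += 1
                return "REFUSED_STREAM"
            self.active.add(stream_id)
            self.dispatched += 1        # server starts real work here
            return "dispatched"
        if frame_type == RST_STREAM:
            # The slot is freed immediately, which is what makes the
            # concurrency cap alone ineffective against Rapid Reset.
            self.active.discard(stream_id)
            self.reset_times.append(now)
            while self.reset_times and now - self.reset_times[0] > self.reset_window:
                self.reset_times.popleft()
            if len(self.reset_times) > self.reset_limit:
                self.goaway = True      # mitigation: close the abusive connection
                return "GOAWAY"
            return "cancelled"
        raise ValueError(f"unexpected frame type {frame_type}")


def rapid_reset_flood(n: int, rate: float) -> list:
    """Constructed attacker trace: each HEADERS is immediately followed by RST_STREAM."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i / rate    # client-initiated streams are odd-numbered
        frames.append((HEADERS, sid, t))
        frames.append((RST_STREAM, sid, t))
    return frames


def headers_only_flood(n: int, rate: float) -> list:
    """Constructed naive flood with no resets, for comparison."""
    return [(HEADERS, 2 * i + 1, i / rate) for i in range(n)]


def run(conn: Connection, frames: list) -> dict:
    """Feed frames to the connection and tally the server's responses."""
    tally = {}
    for frame_type, sid, t in frames:
        outcome = conn.on_frame(frame_type, sid, t)
        tally[outcome] = tally.get(outcome, 0) + 1
    return tally


if __name__ == "__main__":
    # 1. Naive flood: the concurrency cap holds, only 100 requests reach the backend.
    c = Connection(reset_limit=float("inf"))
    print("headers only   ", run(c, headers_only_flood(10_000, 100_000)), "dispatched:", c.dispatched)
    # 2. Rapid Reset with no reset accounting: all 10,000 requests reach the backend.
    c = Connection(reset_limit=float("inf"))
    print("rapid reset    ", run(c, rapid_reset_flood(10_000, 100_000)), "dispatched:", c.dispatched)
    # 3. Rapid Reset with a reset-rate limit: GOAWAY after 51 resets, 51 dispatched.
    c = Connection(reset_limit=50)
    print("with mitigation", run(c, rapid_reset_flood(10_000, 100_000)), "dispatched:", c.dispatched)
```

The point the model isolates: `active` never grows past one entry during the Rapid Reset trace, so `max_concurrent_streams` is never hit, yet `dispatched` climbs to the full 10,000. Only the reset counter, which observes the rate of RST_STREAM per connection rather than the number of open streams, bounds the work the server does before it sends GOAWAY.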