CVE-2023-44487 impacts internet exposed HTTP/2 endpoints

Article: 100060957
Last Published: 2023-10-31
Ratings: 0 0
Product(s): System Recovery

The vulnerability CVE-2023-44487 impacts internet exposed HTTP/2 endpoints. It is identified that Distributed Denial-of-Service (DDoS) attack technique is used in the wild targeting HTTP/2 protocol.

Applicable to: Veritas System Recovery 21 and above



The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancelation can reset many streams quickly, as exploited in the wild in August through October 2023


The CVE-2023-44487 HTTP/2 vulnerability allows malicious actors to launch a DDoS attack targeting HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS followed by RST_STREAM and repeating this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion.

Solution or Workaround:

Veritas System Recovery (VSR) uses web services for REST API functionality. The request for VSR REST API web services can happen over HTTP/2 version. As a workaround, Microsoft suggests disabling HTTP/2 version in a machine. When HTTP/2 version for VSR REST API web service is disabled then VSR will use other non-vulnerable supported HTTP versions instead of using HTTP/2 for REST API functionality.

If affected by the vulnerability, refer to the Microsoft Security Update Guide in all cases. It is recommended to enable Azure Web Application Firewall (WAF) on Azure Front Door or Azure Application Gateway to improve security posture.

Disable HTTP/2 Protocol on a machine where VSR is Installed

1. Click Start.

2. Click Run and enter Regedit and click OK.

3. Locate and then select the registry subkey:

4. Set DWORD type values EnableHttp2Tls and EnableHttp2Cleartext to one of the following:
    Set to 0 to disable HTTP/2

5. Exit Registry Editor and Restart the computer


Was this content helpful?