Upgrade to mitigate the Rapid Reset Attack vulnerability
by Albert Lombarte
New patch versions, KrakenD Enterprise 2.4.2 and KrakenD Community 2.4.6, are available on the download page and the Docker registry. They address a critical security issue: Distributed Denial of Service (DDoS) vulnerabilities in HTTP/2 server implementations.
More specifically, this upgrade addresses CVE-2023-44487 (the protocol-level issue shared by many HTTP/2 servers) and CVE-2023-39325 (the identifier the Go project assigned to the same flaw in Go's net/http and golang.org/x/net/http2, which KrakenD builds on), together known as the “Rapid Reset Attack.”
These vulnerabilities have been rated with a CVSSv3 score of 7.5 (High) and are classified as having an important security impact.
It’s worth noting that the US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, meaning it is being exploited in the wild, and KrakenD is releasing a fix on the day of public disclosure.
Technically, the attack works at the HTTP/2 framing layer: the client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM, repeating this as fast as the connection allows. A cancelled stream no longer counts against the server's SETTINGS_MAX_CONCURRENT_STREAMS limit, so the client can push far more streams through a single connection than the limit was meant to allow, while the server still spends CPU and memory starting work on each request before the reset arrives. The result is resource starvation that leaves the server unable to process legitimate requests.
For mitigation, users are strongly advised to update their software right now. Customers who cannot upgrade should disable HTTP/2 on the gateway (TLS listeners negotiate it via ALPN, and cleartext HTTP/2, h2c, must be switched off too if it was enabled) and put IP-based blocking or flood protection in front of it. To confirm HTTP/2 is really off, run `curl -sS --http2 -o /dev/null -w '%{http_version}\n' https://your-gateway/`: it prints `1.1` once the server no longer offers h2, and `2` while it still does. Keep in mind that disabling HTTP/2 also removes its multiplexing, so treat it as a stopgap until you upgrade.
Upgrading matters because these vulnerabilities are actively exploited and lead directly to service disruption through DDoS; applying the update, or the mitigations above where you cannot, is what keeps your gateway available.
For more detailed information and specific mitigation instructions for other software components, refer to the references and resources below.
🚀 Summary of changes for EEv2.4
Addresses the Distributed Denial of Service (DDoS) vulnerability affecting several HTTP/2 server implementations, assigned CVE-2023-44487 and CVE-2023-39325 and known as the Rapid Reset Attack.
- Introduced a fix to address CVE-2023-44487
- Introduced a fix to address CVE-2023-39325
Upgrading to the latest version is always advised.