Ultimate Guide to Patching Web Servers Against HTTP2 Rapid Reset Vulnerability

The HTTP/2 Rapid Reset vulnerability poses a significant threat to web server security, allowing attackers to exploit the RST_STREAM feature in the HTTP/2 protocol to deplete server resources and potentially take services offline. This guide provides an in-depth look at how to patch various web servers against this vulnerability, ensuring that your infrastructure remains secure and resilient against such attacks.

Introduction to HTTP/2 Rapid Reset Vulnerability

[Figure 1] Rapid Reset Attack

The HTTP/2 protocol enhances web performance by allowing multiple requests and responses to be multiplexed over a single connection. However, the exploitation of the RST_STREAM frame in HTTP/2, referred to as the Rapid Reset attack, can disrupt this efficiency, leading to denial-of-service conditions.

Web Server Patching Strategies

1. Apache Web Server

• Update to 2.4.58: Ensure Apache is updated to version 2.4.58 or later to address the Rapid Reset vulnerability and other related issues.
• Configuration Adjustments: Apache’s default handling of HTTP/2 requests mitigates the impact of Rapid Reset attacks by limiting the initial number of concurrent streams. No additional configuration changes are necessary for mitigation.
• Details
  • Apache is not affected by the Rapid Reset vulnerability. There is logic in HTTP2 requests that does not allocate all of the server’s resources based on the client’s request.
  • When Apache implemented HTTP2, it was implemented to only process the first six requests.(The reason it’s six is because it’s the same number as the parallel requests in HTTP1.1, and it takes into account the migration from HTTP1.1 to 2.)
  • However it should be updated because of another vulnerability (CVE-2023-45802) triggered by Rapid Reset. There is a bug where if the client cancels a request (sends RST_STREAM), in rare cases, the requested memory is not immediately freed.
  • The mod_http2 module uses the nghttp2 library, which is written in C. This is fixed by compiling using nghttp2 1.57 or later, or by updating to Apache 2.4.58 (which uses the nghttp 1.57 library) or later. In addition, nghttp 1.57 is the version that addresses the CVE-2023-45802 vulnerability. nghttp2 link

2. Nginx Web Server

• Update to Version 1.25.3: This version introduces fixes related to HTTP/2 handling that mitigate the vulnerability.
• Configuration Recommendations:
  • Keep keepalive_requests at the default value of 1000.
  • Maintain http2_max_concurrent_streams at 128 to prevent abuse.
  • Use limit_conn and limit_req directives to impose stricter limits on client requests, further reducing the risk of exploitation.

3. LiteSpeed Web Server

• Inherent Protection: LiteSpeed servers are not affected by the HTTP/2 Rapid Reset vulnerability due to their prioritized queue system for processing streams.
• Best Practices: Regularly update LiteSpeed to the latest version to ensure all security measures are up-to-date.
• Reference: LightSpeed
  • According to the documentation, LightSpeed uses a prioritized queue for processing streams, which can handle up to 100 streams at a time.

4. HAProxy

• Use Version 1.9 or Later: HAProxy versions from 1.9 onwards are designed to handle HTTP/2 streams in a manner that is not susceptible to the Rapid Reset attack.
• Resource Management: HAProxy’s strategy of managing resources based on stream demands inherently mitigates the attack’s effectiveness.
• Reference: HAProxy Link

5. Microsoft IIS

• Apply Security Updates: Follow the guidance provided by Microsoft to apply the necessary security updates for your IIS version.
• Disable HTTP/2: As a temporary measure, disabling HTTP/2 can prevent exploitation, though it may impact performance.
  1. Run regedit and go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
  2. EnableHttp2Tls, EnableHttp2Cleartext change the value to 0.
• Reference: Microsoft vulenrability

6. Tomcat

• Update Tomcat Version: Upgrade to Tomcat 8.5.94, 9.0.81, 10.1.14, or later versions to mitigate the vulnerability.
• Adjust maxConcurrentStreams: If immediate update is not possible, reducing maxConcurrentStreams to a lower value can offer temporary protection.
  • <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" maxConcurrentStreams="20" />
  • Reference
    • Max Concurrent Streams
    • Fix Commit

Conclusion

Patching and properly configuring your web server is crucial to defending against the HTTP/2 Rapid Reset vulnerability. By following the strategies outlined in this guide, you can significantly enhance your server’s resilience to these types of attacks. Always ensure that your systems are up-to-date with the latest security patches and follow best practices for web server configuration and maintenance.