Dive Brief:
- The Cybersecurity and Infrastructure Security Agency called on organizations Tuesday to apply patches and consider possible configuration changes after security researchers warned a high-severity vulnerability, called HTTP/2 Rapid Reset, was exploited to launch record-breaking distributed denial of service attacks.
- F5 urged users of its Nginx open source project to apply immediate upgrades to configuration files, as the vulnerability can be exploited to launch denial of service attacks against Nginx Open Source, Nginx Plus and related products, according to a blog post released Tuesday.
- Microsoft said in a Tuesday blog post that there was no evidence of customer data being compromised, but urged customers that self-host web applications to apply security patches.
Dive Insight:
In a coordinated disclosure released Tuesday with AWS and Google, Cloudflare warned malicious actors have been launching a series of record-breaking DDoS attacks since late August.
The attackers are exploiting the high-severity vulnerability, tracked as CVE-2023-44487, to launch attacks that reached as high as 398 million requests per second, according to a Tuesday blog post by Google.
HTTP/2 is a protocol developed in 2015 that replaced the original hypertext transfer protocol to enable more efficient data streams. Experts say, however, that HTTP/2's ability to carry faster streams also opens it up to more powerful attacks.
Nginx is a widely used open source web server, load balancer and reverse proxy. Nginx normally limits the number of concurrent streams at 128 up to a maximum of 1,000, according to the blog post. However, if Nginx is configured for a higher number of requests, an attack could deplete system resources.
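As an added illustration, not code from the article or from F5/Nginx, the configuration fragment below shows an Nginx server block that keeps the stream and keep-alive limits discussed above at their defaults and adds per-client connection and request caps. It assumes the standard ngx_http_v2_module, limit_conn and limit_req directives; the hostname, certificate paths and upstream address are placeholders.

```nginx
# Added example: Nginx HTTP/2 server block that keeps the default limits
# and caps per-client load. Hostname, paths and upstream are placeholders.

http {
    # Shared-memory zones keyed on client address, used by the per-client caps below.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=50r/s;

    server {
        listen 443 ssl http2;
        server_name example.com;                      # placeholder
        ssl_certificate     /path/to/cert.pem;        # placeholder
        ssl_certificate_key /path/to/key.pem;         # placeholder

        # Default: at most 128 concurrent HTTP/2 streams per connection.
        # Raising it (the article cites a maximum of 1,000) lets a single
        # connection enqueue far more work during a rapid-reset flood.
        http2_max_concurrent_streams 128;
        # http2_max_concurrent_streams 1000;          # weaker setting: avoid unless required

        # Default: close a keep-alive connection after 1,000 requests, so one
        # connection cannot be reused indefinitely by an attacker.
        keepalive_requests 1000;

        # Per-client caps: at most 20 simultaneous connections per address,
        # and 50 req/s with a burst of 100 before excess requests get 503.
        limit_conn perip_conn 20;
        limit_req  zone=perip_req burst=100 nodelay;

        location / {
            proxy_pass http://127.0.0.1:8080;         # placeholder upstream
        }
    }
}
```

Check the effective limits with `nginx -T`, which prints the fully resolved configuration, before and after any change to these directives.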
The company is taking additional steps to “ensure that customers who do need to configure Nginx beyond recommended specifications are able to do so,” an F5 spokesperson said via email. The company said it will release a patch Wednesday that will increase stability for such conditions.