initial draft of CVE-2023-44487 blog post #1695

Merged
merged 2 commits into from
Oct 12, 2023
initial draft of CVE-2023-44487 blog post
Signed-off-by: William Morgan <william@buoyant.io>
wmorgan committed Oct 11, 2023
commit 4b9c6836471bc8270ab48aae6fd2181bc73fd632
104 changes: 104 additions & 0 deletions linkerd.io/content/blog/2023/1011-cve-2023-44487.md
@@ -0,0 +1,104 @@
---
title: 'How Linkerd responded to CVE-2023-44487, the HTTP/2 DDOS vulnerability, six months ago'
author: 'william'
date: 2023-10-11T00:00:00+00:00
thumbnail: /images/djim-loic-ft0-Xu4nTvA-unsplash.jpg
draft: false
featured: false
slug: linkerd-cve-2023-44487
tags: [Linkerd]
---

![A fast-moving block](/images/djim-loic-ft0-Xu4nTvA-unsplash.jpg)

Yesterday, [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), a
DDOS vulnerability in many HTTP/2 implementations, was disclosed. This was a
very interesting attack and there have been several great writeups on how it
works—see Cloudflare's [HTTP/2 Rapid Reset: deconstructing the record-breaking
attack](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
and Google's [How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS
attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
for many details of how this attack works and the consequences.

We're happy to report that due to Linkerd's internal security policies and the
security-awareness and rapid response of the Rust community, all recent versions
of Linkerd are resilient to this class of DDOS attack. (In fact, Linkerd can
actually help users who have vulnerable ingress proxies—simple mesh them with
Linkerd and have it handle HTTP/2 traffic.)

Versions of Linkerd that are resilient to CVE-2023-44487 include:

* All versions of Linkerd 2.14.x
* Linkerd 2.13.1 and all later minor versions of Linkerd 2.13
* Linkerd 2.12.5 and all later minor versions of Linkerd 2.12

Astute Linkerd adopters will realize that these versions are all as of April
2023, six months ago. This is thanks to our rigorous vulnerability mitigation
procedures, and to the security-mindedness and fast response of the Rust
community.

Let's see just how this feat happened.

## Linkerd is a security-first project

It's no understatement to say that Linkerd treats security as a critical
requirement. Organizations around the world rely on Linkerd for everything from
protecting sensitive customer medical and financial data, to scheduling COVID
tests, to building 911 call centers. For some people, Linkerd is quite literally
a life-or-death project.

Part of that approach is the choice of technologies like Rust, of course, which
allow us to avoid an entire class of buffer overflow exploits and other
vulnerabilities that are endemic to languages like C and C++.

But another, just as important part is simply how seriously the project takes
potential security vulnerabilities. Tracing the path to resolution for
CVE-2023-44487 is a great example of that. Here's how it happened:

This issue was first tracked as a vulnerability in the Rust community as
[RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html) on
April 14, 2023. At that point it had actually already been fixed in h2, the
underlying library that Linkerd uses to parse HTTP/2 requests, as a change that
had gone out [on April 12th, two days
earlier](https://github.com/hyperium/h2/pull/668).

The fix was published in [h2
v0.3.17](https://rustsec.org/advisories/RUSTSEC-2023-0034.html). Linkerd
automatically pulled in that dependency [on April
13th](https://github.com/linkerd/linkerd2-proxy/commit/67306bc7ba19286352762362e4e1876ce5924442)
via [GitHub's Dependabot](https://github.com/dependabot), the automated
dependency tool that Linkerd uses to ensure it stays up-to-date with critical
dependencies, where it was published as [proxy release
v2.198.1](https://github.com/linkerd/linkerd2-proxy/releases/tag/release%2Fv2.198.1).

On April 13th, the proxy version [was pulled into the main Linkerd
repo](https://github.com/linkerd/linkerd2/commit/19a404fd196e251e969ac6c4a552a3c7af698dc5).
On April 14th, we pushed it to [Linkerd
2.13.1](https://github.com/linkerd/linkerd2/releases/tag/stable-2.13.1)—two days
after the underlying fix in h2, and the same day it was recognized as an
vulnerability in the Rust ecosystem. The fix also went out on
[edge-23.4.2](https://github.com/linkerd/linkerd2/releases/tag/edge-23.4.2) on
April 21st, and from there it was in all future and stable releases.

In short: two days after the fix was made in the underlying Rust HTTP/2 library,
it was already in the hands of Linkerd users as a stable release, and all
Linkerd releases since April have been protected against this vulnerability.
While this vulnerability is making the news this week, Linkerd adopters have
been protected for almost 6 months.

## Linkerd is for everyone

Linkerd is a graduated project of the [Cloud Native Computing
Foundation](https://cncf.io/). Linkerd is [committed to open
governance.](/2019/10/03/linkerds-commitment-to-open-governance/) If you have
feature requests, questions, or comments, we'd love to have you join our
rapidly-growing community! Linkerd is hosted on
[GitHub](https://github.com/linkerd/), and we have a thriving community on
[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and
the [mailing lists](/community/get-involved/). Come and join the fun!

(Photo by [Djim
Loic](https://unsplash.com/@loic?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash)
on
[Unsplash](https://unsplash.com/photos/ft0-Xu4nTvA?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash).

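Review bot: the link text "h2 v0.3.17" in the paragraph beginning "The fix was published in" points at the RUSTSEC-2023-0034 advisory page (the same URL already linked two paragraphs earlier) rather than at an h2 release, so a reader trying to confirm the fixed library version lands back on the advisory; point it at the h2 v0.3.17 release or changelog instead. Smaller wording issues in the same hunk: "simple mesh them with Linkerd" should read "simply mesh them"; "recognized as an vulnerability" should be "a vulnerability"; "all later minor versions of Linkerd 2.13" and "of Linkerd 2.12" describe patch releases (2.13.x, 2.12.x), so "patch versions" is the accurate term; and "all future and stable releases" reads more clearly as "all subsequent edge and stable releases". The post also alternates between "DDOS" (title and body) and "DDoS" (the quoted Google title), so pick one spelling for the post's own text.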