Our DependencyCheck reported the vulnerability CVE-2023-44487 for some of our components. Obviously, a lot of HTTP/2-related components are affected.
Also, Microsoft describes in "MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack" some instructions on how to proceed for some of their components. AFAIU these instructions target web servers, like Kestrel (and IIS?).
But it's not clear to me, whether a .NET FW self-hosted WebApi is also vulnerable and needs some reaction. At least the described workarounds didn't deactivate the HTTP/2 support. On the other side, maybe it's fine to apply the OS patches only to be safe.
Altogether I'm lost so far. These are my questions summarized:
Does the vulnerability affect .NET FW self-hosted WebApi?
If yes:
Does the OS patching mitigate this issue?
Any configuration options possible to deactivate HTTP/2 in our scenario?
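Added example, not part of the issue above or of any Microsoft or project code. It assumes the self-hosted .NET Framework WebApi listens through HttpListener, i.e. HTTP.sys, so the HTTP.sys registry switches from the Microsoft CVE-2023-44487 advisory the issue cites are the ones that matter; the function names are my own. It reports the current state and, if asked, applies the advisory's "disable HTTP/2" workaround.

```powershell
# Added example (not from the issue). Assumption: the self-hosted WebApi uses HttpListener,
# so HTTP/2 is terminated by HTTP.sys and controlled by these machine-wide registry values.
# Run from an elevated PowerShell; changes take effect only after a restart.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Switches  = @('EnableHttp2Tls', 'EnableHttp2Cleartext')

function Get-HttpSysHttp2State {
    # Returns a hashtable: switch name -> current DWORD value, or a note that the value is
    # absent, in which case the OS default applies (HTTP/2 enabled on recent Windows).
    $state = @{}
    foreach ($name in $Switches) {
        $item = Get-ItemProperty -Path $ParamsKey -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $state[$name] = 'not set (OS default, HTTP/2 enabled)'
        } else {
            $state[$name] = $item.$name
        }
    }
    return $state
}

function Disable-HttpSysHttp2 {
    # Sets both switches to 0, which is the advisory's workaround for HTTP.sys-based servers.
    # This is host-wide: every HTTP.sys listener on the machine (IIS included) loses HTTP/2.
    foreach ($name in $Switches) {
        New-ItemProperty -Path $ParamsKey -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
    Write-Output 'HTTP/2 disabled in HTTP.sys registry; restart the machine for it to apply.'
}

# Report the current state; uncomment the next line to apply the workaround.
Get-HttpSysHttp2State
# Disable-HttpSysHttp2
```

This only toggles HTTP/2 at the HTTP.sys layer and does not check whether the OS patch for the CVE is installed; treat it as a defence-in-depth switch next to patching, not a replacement for it.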