HTTP2 Rapid Reset - CVE-2023-44487 #11741
Closed
teb510
announced in
Announcements
Replies: 1 comment
Hello everyone - Kong CE 3.4 has been patched, and we encourage everyone to get to latest. For those of you on 2.8, a mitigation is in place by default as the |
On Oct 10, 2023, a vulnerability (CVE-2023-44487) in the HTTP/2 protocol was announced, impacting a large number of HTTP/2 server implementations. As Kong Gateway supports HTTP/2 by default, Kong Gateway is also affected by this vulnerability. All versions of Kong Gateway >= 1.4.0 are affected.
We are working on incorporating patches from the upstream Nginx Open Source project and releasing our own patches for affected versions.
You May Not Be Affected If
If you have a load balancer in front of Kong nodes and the traffic between the load balancer and the Kong nodes is unencrypted, then you are not affected. It is not possible to use HTTP/2 over plaintext in Kong.
Additionally, requests arriving through a CDN (Akamai, CloudFlare, CloudFront, etc.) are typically protected against this attack by the CDN's own mitigation steps.
Suggested Mitigations
While patch versions are being built, Kong suggests the following mitigations that you can apply to your Kong installation to provide protection prior to the patches being available.
Disable HTTP/2 support in Kong
HTTP/2 is enabled by default on the TLS proxy and admin ports of the Gateway, as defined by the configuration options proxy_listen and admin_listen. To disable this support, remove the http2 suffix from the specified port in your Kong configuration (kong.conf/environment variables/values/etc).
For example
Before:
After:
Note: While the Kong Admin API listens only on the loopback interface by default, it is included here for completeness and for instances where the listening address was changed.
If you have any other listeners (for example, status_listen) in kong.conf that are using HTTP/2, disable HTTP/2 by removing the ‘http2’ suffix from those listeners.
Reduce the HTTP/2 keepalive limit
Reduce the value for nginx_http_keepalive_requests in your Kong configuration (kong.conf/environment variables/values/etc) to 100:
The default nginx_http_keepalive_requests limit in Kong is 1000. This provides some protection from a possible attack, but lowering this value to 100 can provide further mitigation by limiting the total number of streams a given client is allowed to open.
Please note that if you are lowering this value, you may observe some performance degradation in terms of higher latency and lower throughput. You also may observe additional TCP connections, as the number of requests served per connection is lowered.
For most installations serving in the order of thousands of requests per second, the performance impact will not be meaningful.
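As an added example (not part of Kong's announcement or its code base), a POSIX shell audit that checks a kong.conf for both interim mitigations above: listeners still carrying the http2 flag and an nginx_http_keepalive_requests limit above 100. It assumes the plain `key = value` kong.conf syntax and treats an unset key as Kong's documented default; configuration supplied through environment variables or Helm values is not inspected.

```shell
# Audit a kong.conf for the two interim mitigations above: listeners that still carry the
# "http2" flag, and nginx_http_keepalive_requests above 100. Assumes "key = value" syntax
# with "#" comments; an unset key means Kong's default (HTTP/2 on the TLS ports, 1000).

# Print the effective (uncommented) value of a key, whitespace trimmed; the last setting wins.
kong_conf_get() {  # $1=file $2=key
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}" "$1" | tail -n 1
}

# Print one finding per line; return 0 only when both mitigations are in place.
audit_kong_conf() {  # $1=file
    findings=0
    for key in proxy_listen admin_listen status_listen; do
        value=$(kong_conf_get "$1" "$key")
        if [ -z "$value" ]; then
            # proxy/admin defaults include an http2 TLS port; status_listen defaults to off
            case "$key" in
                proxy_listen|admin_listen)
                    echo "$key: not set; default enables HTTP/2 on the TLS port"
                    findings=$((findings + 1)) ;;
            esac
        elif echo "$value" | grep -qw http2; then
            echo "$key: http2 flag still present: $value"
            findings=$((findings + 1))
        fi
    done
    keep=$(kong_conf_get "$1" nginx_http_keepalive_requests)
    [ -n "$keep" ] || keep=1000   # Kong's default
    if [ "$keep" -gt 100 ]; then
        echo "nginx_http_keepalive_requests: $keep (suggested: 100)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not from a real deployment), written to temp files.
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 http2 ssl
admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 http2 ssl
EOF
cat > "$after" <<'EOF'
proxy_listen = 0.0.0.0:8000, 0.0.0.0:8443 ssl
admin_listen = 127.0.0.1:8001, 127.0.0.1:8444 ssl
nginx_http_keepalive_requests = 100
EOF
audit_kong_conf "$before" || echo "-> before: interim mitigations NOT applied"
audit_kong_conf "$after" && echo "-> after: interim mitigations applied"
rm -f "$before" "$after"
```

A non-zero exit from audit_kong_conf means at least one listener still negotiates HTTP/2 or the keepalive limit is above the suggested value, so the check can be dropped into a deployment pipeline as a gate until the patched release is rolled out.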
What’s Next?
As soon as we have updates to share regarding patches for the CE version of Kong that address this vulnerability, we will keep the community updated.