Your trust and security are of utmost importance to us, and we continue to work diligently to ensure that your data remains safe and secure. Today, we are pleased to announce that we have successfully mitigated the vulnerabilities identified in CVE-2023-44487.
What do Netlify customers need to do?
At this time there is no action required on the part of Netlify customers.
What did Netlify do to remediate this CVE?
A substantial portion of our services was protected by our cloud service providers, which proactively deployed updates addressing the vulnerability before it was publicly disclosed. For services that required manual attention, we patched all critical systems within 12 hours of patches becoming available.
Understanding CVE-2023-44487
CVE-2023-44487, as cataloged by the Common Vulnerabilities and Exposures (CVE) system, is a denial of service (DoS) vulnerability that affects any internet-exposed HTTP/2 endpoint and is known as the HTTP/2 Rapid Reset Attack. In a Rapid Reset Attack, an attacker sends a large number of HTTP/2 reset frames to a target server in a very short period of time. These reset frames are a legitimate part of the HTTP/2 protocol and are used to signal the abrupt termination of a stream. However, when sent in rapid succession as part of a coordinated attack, they can overwhelm the server’s resources and disrupt its normal operation.
The goal of a Rapid Reset Attack is to exhaust the server’s resources, such as CPU or memory, by forcing it to process a large number of reset frames. This can lead to a denial of service (DoS) condition, where legitimate users are unable to access the server or its services due to the excessive resource consumption caused by the attack.
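The following is an added illustration of the server-side accounting that mitigates this behaviour; it is example code written for this page, not Netlify's or any vendor's implementation. It models one HTTP/2 connection, counts open streams and recent RST_STREAM frames, and closes the connection (GOAWAY) when resets within a window exceed a threshold. The thresholds (100 concurrent streams, 50 resets per second) and the frame sequences are assumed and constructed for the example; the point it demonstrates is that a concurrent-stream cap alone never triggers, because each stream is reset almost immediately after it is opened, so the reset rate itself has to be bounded.

```python
"""Per-connection stream accounting that flags HTTP/2 Rapid Reset behaviour (example code)."""
from collections import deque


class StreamAccounting:
    """Tracks open streams and recent RST_STREAM frames for one HTTP/2 connection.

    Assumption: the limits below are illustrative, not any server's defaults.
    Two controls are applied:
      - max_concurrent: refuse new streams once too many are open (the classic limit).
      - max_resets per window: close the connection once the client resets more
        streams per window than a legitimate client plausibly would.
    """

    def __init__(self, max_concurrent=100, max_resets=50, window=1.0):
        self.max_concurrent = max_concurrent
        self.max_resets = max_resets
        self.window = window
        self.open_streams = set()
        self.reset_times = deque()  # timestamps of recent RST_STREAM frames
        self.closed = False         # True once we decided to send GOAWAY

    def _prune(self, now):
        """Drop reset timestamps that have fallen out of the sliding window."""
        while self.reset_times and now - self.reset_times[0] > self.window:
            self.reset_times.popleft()

    def on_frame(self, now, frame_type, stream_id):
        """Return the verdict for one frame: 'ok', 'refused' or 'goaway'."""
        if self.closed:
            return "goaway"
        if frame_type == "HEADERS":
            # A real server would answer with RST_STREAM(REFUSED_STREAM) here.
            if len(self.open_streams) >= self.max_concurrent:
                return "refused"
            self.open_streams.add(stream_id)
            return "ok"
        if frame_type == "RST_STREAM":
            self.open_streams.discard(stream_id)
            self.reset_times.append(now)
            self._prune(now)
            if len(self.reset_times) > self.max_resets:
                self.closed = True
                return "goaway"
            return "ok"
        if frame_type == "END_STREAM":
            # END_STREAM is really a flag on HEADERS/DATA; modelled as a pseudo-event.
            self.open_streams.discard(stream_id)
        return "ok"


def replay(frames, **limits):
    """Replay (timestamp, frame_type, stream_id) tuples through the accounting.

    Returns the highest number of concurrently open streams observed and the
    index of the first frame that produced a GOAWAY verdict (None if never).
    """
    acct = StreamAccounting(**limits)
    max_open = 0
    goaway_at = None
    for i, (ts, ftype, sid) in enumerate(frames):
        verdict = acct.on_frame(ts, ftype, sid)
        max_open = max(max_open, len(acct.open_streams))
        if verdict == "goaway" and goaway_at is None:
            goaway_at = i
    return {"max_open": max_open, "goaway_at": goaway_at}


# Constructed sample 1: a normal client opens 20 streams, cancels two, finishes the rest.
BENIGN = (
    [(0.01 * i, "HEADERS", 2 * i + 1) for i in range(20)]
    + [(0.5, "RST_STREAM", 3), (0.6, "RST_STREAM", 7)]
    + [(1.0 + 0.01 * i, "END_STREAM", 2 * i + 1) for i in range(20) if 2 * i + 1 not in (3, 7)]
)

# Constructed sample 2: rapid reset pattern, each stream reset right after it is opened,
# 200 open/reset pairs inside 0.2 seconds. Open streams never exceed 1.
RAPID = []
for i in range(200):
    RAPID.append((0.001 * i, "HEADERS", 2 * i + 1))
    RAPID.append((0.001 * i + 0.0001, "RST_STREAM", 2 * i + 1))

if __name__ == "__main__":
    print("benign:", replay(BENIGN))   # GOAWAY never issued
    print("rapid :", replay(RAPID))    # max_open stays at 1, GOAWAY after the 51st reset
```

In the rapid sample the concurrent-stream count never rises above one, so a limit of 100 concurrent streams (or any other value) would not fire; the connection is only closed because the 51st RST_STREAM inside the one-second window crosses the reset threshold. A production server additionally has to bound the work done before a stream is reset (request parsing, backend dispatch), which this accounting does not model.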
CVE-2023-44487 impacts several packages. For additional information, refer to https://www.cve.org/CVERecord?id=CVE-2023-44487.
Our pledge to security
We understand that your confidence in our services relies on our actions. We pledge to uphold the highest standards of professionalism and security in safeguarding your data and your organization. We wholeheartedly believe that our commitment is reflected in our actions, not just our words.
Stay informed
For updates or inquiries regarding security matters, our dedicated customer support team remains at your service. Feel free to reach out to us if you require further information or assistance by visiting http://www.netlify.com/support.
Thank you for choosing Netlify. We deeply appreciate your trust and remain steadfast in our commitment to maintaining your data and organizational security.