CVE-2023-44487

[He-Pin]

Description
A client might overload the server by issue frequent RST frames. This can cause a massive amount of load on the remote system and so cause a DDOS attack.

References
https://www.cve.org/CVERecord?id=CVE-2023-44487
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/

I just read this, not sure if akka-http is affected.
Netty's fix is netty/netty@58f75f6

[patriknw]

Thanks for the notice. We are aware of this and have started to look into it.

This is a well know potential issue for all http2 libraries so no worries, but otherwise we would prefer that security related issues are reported according to https://akka.io/security/

[utkuaydn]

Hi @patriknw, will this fix also be released for 10.2.x?

[johanandren]

We will not do any further backports of fixes to Akka HTTP 10.2