KB-2266 Information about the HTTP/2 Rapid Reset DDoS Vulnerability (CVE-2023-44487)

On October 10, 2023, CISA released a security advisory for all organizations utilizing HTTP/2 services concerning a Denial of Service (DoS) vulnerability exploited in the wild from August 2023 through October 2023.

Upon assessing the Appian platform against all details of the CVE, we can confirm that the Appian platform is affected by CVE-2023-44487 through the HTTP/2-capable web server components it ships, but that Appian Cloud instances are not currently exploitable due to the following compensating control:

  • Per an AWS security advisory released on October 10, 2023, Amazon CloudFront is able to mitigate HTTP/2 request floods of this kind. All Appian instances within the Appian Cloud environment sit behind AWS load balancers, which limits public exposure to the DoS vulnerability’s attack vector.

Appian’s Engineering teams are upgrading all instances of Apache HTTP Server, Apache Tomcat, nginx, and Eclipse Jetty to versions that contain the fix for CVE-2023-44487.

Self-managed customers will need to evaluate how the Appian platform is deployed in their environment and determine whether mitigating controls are in place for this vulnerability, such as an AWS load balancer with DoS protections, and whether the HTTP/2-capable web server components listed above have been upgraded to fixed versions.
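For self-managed customers assessing their own front ends, the following Python example, added here and not part of the Appian platform or of this advisory, shows the mechanics of the attack and the shape of the per-connection reset counting that patched HTTP/2 servers adopt: it builds constructed HTTP/2 client frames (connection preface, SETTINGS, HEADERS, RST_STREAM), parses them back, and flags a connection whose client opens streams and immediately cancels them beyond a budget. The frame builders, the `analyze_connection` function, the sample connections and the threshold of 100 resets are illustrative assumptions, not any vendor's implementation or exact limit.

```python
"""HTTP/2 Rapid Reset (CVE-2023-44487): what the attack looks like on the wire,
and the reset-counting check that mitigates it, run offline on constructed frames."""
import struct
from dataclasses import dataclass

# Frame type codes and flags from RFC 9113 (HTTP/2), section 6
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8                                   # RST_STREAM error code the attack uses
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # 24-octet client connection preface


def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def headers_frame(stream_id: int, end_stream: bool = True) -> bytes:
    """HEADERS frame carrying a minimal HPACK block (static-table entries 2 and 7:
    ':method GET' and ':scheme https'); enough to open a stream, not a full request."""
    flags = FLAG_END_HEADERS | (FLAG_END_STREAM if end_stream else 0)
    return frame(HEADERS, flags, stream_id, b"\x82\x87")


def rst_stream_frame(stream_id: int, error_code: int = ERR_CANCEL) -> bytes:
    """RST_STREAM frame: 4-byte error code, cancels the stream immediately."""
    return frame(RST_STREAM, 0, stream_id, struct.pack(">I", error_code))


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame after the preface."""
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        yield ftype, flags, stream_id, payload
        pos += 9 + length


@dataclass
class ConnectionStats:
    streams_opened: int = 0
    streams_reset: int = 0
    rapid_resets: int = 0     # RST_STREAM with nothing but HEADERS before it on that stream
    flagged: bool = False


def analyze_connection(data: bytes, max_rapid_resets: int = 100) -> ConnectionStats:
    """Count client streams that are opened and immediately cancelled on one connection.

    A reset stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, which is
    what lets the attacker keep the server busy without ever hitting that limit. The
    mitigation is therefore a per-connection budget of resets; once it is exhausted a
    real server sends GOAWAY and closes the connection. The budget here is an
    assumed illustrative value, not a vendor's limit.
    """
    stats = ConnectionStats()
    last_frame_on_stream = {}  # stream id -> type of the previous frame seen on it
    for ftype, flags, sid, payload in parse_frames(data):
        if sid == 0:
            continue                # connection-level frames (SETTINGS, PING, GOAWAY)
        if ftype == HEADERS and sid not in last_frame_on_stream:
            stats.streams_opened += 1
        elif ftype == RST_STREAM:
            stats.streams_reset += 1
            if last_frame_on_stream.get(sid) == HEADERS:
                stats.rapid_resets += 1
        last_frame_on_stream[sid] = ftype
        if stats.rapid_resets >= max_rapid_resets:
            stats.flagged = True    # where a server would GOAWAY and drop the client
            break
    return stats


def attack_connection(n_streams: int) -> bytes:
    """Constructed Rapid Reset client traffic: every request is cancelled at once."""
    out = CLIENT_PREFACE + frame(SETTINGS, 0, 0)
    for i in range(n_streams):
        sid = 2 * i + 1             # client-initiated streams use odd identifiers
        out += headers_frame(sid) + rst_stream_frame(sid)
    return out


def benign_connection() -> bytes:
    """Constructed normal client traffic: four requests, one of them cancelled."""
    out = CLIENT_PREFACE + frame(SETTINGS, 0, 0)
    for sid in (1, 3, 5):
        out += headers_frame(sid)
    out += rst_stream_frame(3)      # e.g. the user navigated away from one page
    out += headers_frame(7)
    return out


if __name__ == "__main__":
    print("benign:", analyze_connection(benign_connection()))
    print("attack:", analyze_connection(attack_connection(500)))
```

Ordinary clients also cancel streams, so the signal is the count of open-and-cancel pairs per connection, not any single RST_STREAM; the fixed versions of the web servers named above apply this kind of budget inside their HTTP/2 stacks. The same parser can be pointed at client-to-server bytes reassembled from a capture, but for a deployment review the first questions remain whether the front end negotiates HTTP/2 at all and whether it is running a fixed version.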

Exploitation:

As of October 13, 2023, Appian has received no indication of exploitation of CVE-2023-44487 against any Appian instance.

Additional Notes:

The following CVE was released with additional information on the scope of the vulnerability:

CVE-2023-44487 (“HTTP/2 Rapid Reset Attack Vulnerability”)

Supporting Documentation:

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: October 13, 2023
