Is the LoadMaster vulnerable to CVE-2023-44487?

 

Information

 

Summary:

Is the LoadMaster vulnerable to CVE-2023-44487?

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: HTTP/2

Question/Problem Description:

Is the LoadMaster vulnerable to this?

Steps to Reproduce:  
Error Message:  
Defect Number: LM-5180
Enhancement Number:  
Cause:  
Resolution:
  • The LoadMaster is theoretically vulnerable. This is a weakness in the HTTP/2 protocol itself. It is mitigated on LoadMaster by the low HTTP/2 concurrency value used in the implementation and by the fact that HTTP/2 is supported only on the client side of the connection.
  • Also, in HTTP/2 Pass-Through mode, LoadMaster simply passes the HTTP/2 traffic on to the real server and so isn't directly vulnerable to this exploit; of course, the real servers behind LoadMaster remain vulnerable in this scenario.
  • Whether an ADC is used or not, it’s vital to implement mitigations directly on HTTP/2 servers to protect against this DoS exploit. A detailed explanation of how this vulnerability is exploited and can be mitigated can be found here.
Workaround:  
Notes: LoadMaster Vulnerabilities
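
The Resolution asks for mitigations on the HTTP/2 servers themselves. As an added example (not Kemp's or LoadMaster's code), the sketch below shows a generic per-connection guard of the kind such a server can apply: it enforces a concurrency limit and, separately, a budget for client stream resets. The class, the limits and the event names are assumptions made for illustration, and the event lists are constructed samples.

```python
from collections import deque

class Http2ConnectionGuard:
    """Per-connection accounting of client-opened streams and client resets."""

    def __init__(self, max_concurrent=8, max_resets=20, window_s=1.0):
        # All three limits are illustrative assumptions, not LoadMaster values.
        self.max_concurrent = max_concurrent
        self.max_resets = max_resets
        self.window_s = window_s
        self.open_streams = set()
        self.reset_times = deque()

    def on_event(self, ts, kind, stream_id):
        """Return 'ok', 'refuse_stream' or 'close_connection' for one client event."""
        if kind == "HEADERS":            # client opens a stream
            if len(self.open_streams) >= self.max_concurrent:
                return "refuse_stream"   # concurrency limit reached
            self.open_streams.add(stream_id)
        elif kind == "DONE":             # response fully sent (simplified event)
            self.open_streams.discard(stream_id)
        elif kind == "RST_STREAM":       # client cancels the stream
            # A cancelled stream stops counting toward the concurrency limit
            # at once, so resets get their own sliding-window budget.
            self.open_streams.discard(stream_id)
            self.reset_times.append(ts)
            while ts - self.reset_times[0] > self.window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.max_resets:
                return "close_connection"  # e.g. send GOAWAY and drop
        return "ok"

def replay(events, **limits):
    """Feed events to a fresh guard; return (index, action) of the first non-ok action."""
    guard = Http2ConnectionGuard(**limits)
    for i, (ts, kind, sid) in enumerate(events):
        action = guard.on_event(ts, kind, sid)
        if action != "ok":
            return i, action
    return None, "ok"

def constructed_reset_burst(n=100):
    """Constructed sample: n streams, each opened and cancelled 1 ms later."""
    events = []
    for i in range(n):
        events.append((i * 0.002, "HEADERS", 2 * i + 1))
        events.append((i * 0.002 + 0.001, "RST_STREAM", 2 * i + 1))
    return events

# Constructed sample: six ordinary requests, one of them cancelled by the user.
CONSTRUCTED_NORMAL = [(t, "HEADERS", 2 * t + 1) for t in range(6)] + \
    [(10, "RST_STREAM", 1)] + [(11 + t, "DONE", 2 * t + 1) for t in range(1, 6)]
```

On the constructed burst the concurrency limit is never reached, because at most one stream is open at a time; the connection is closed by the reset budget instead.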
