At Kong, the security and reliability of our products have always been paramount. In light of the recent discovery of the Novel HTTP/2 ‘Rapid Reset’ DDoS attack (CVE-2023-44487), we have taken steps to proactively address potential issues. Today we’re providing guidance on how our users can best safeguard their systems.
This vulnerability exploits the 'concurrent streaming' capability of HTTP/2. In this attack, a client can flood the server with a very high number of HTTP/2 stream requests that are immediately reset. This causes the server to spend a lot of resources cleaning up these canceled streams. These types of requests are legal in HTTP/2 and a malicious client can defeat existing flood prevention checks with minimal work.
The servers end up spending too much time in cleaning up the canceled streams, thus preventing them from servicing valid traffic, causing a Denial of Service.
We urge customers with HTTP/2-enabled servers to liaise with their web server providers to ensure timely application of essential patches.
All supported versions of Kong Gateway, Kong Mesh, and Kuma have been patched and released. The following versions contain a fix for the HTTP/2 rapid reset attack:
For users using the Docker official image for Kong OSS, we have submitted an updated version and are waiting for the fix to be merged. To update immediately, please switch to the kong/kong image. For customers using Kong Enterprise images, the updates are available immediately.
If you cannot immediately update to the latest patches containing our fixes, we recommend the following mitigation steps:
You can find more information about the details of implementing these mitigation measures in the Kong knowledge base.
At Kong, we appreciate the trust you place in us and in our products. We are committed to ensuring the security of our community and will continue to monitor and address vulnerabilities proactively. Lastly, we highly recommend that all of our users evaluate their systems, apply the necessary patches, and follow the mitigation steps provided.
Kong customers include some of the most forward-thinking, tech-savvy organizations in the world. And while we’re proud to help them innovate through traditional APIs, the reality is that their ambitions don’t stop there. Increasingly, our customers a
Today we're excited to announce Kong Gateway 3.9! Since unveiling Kong Gateway 3.8 at API Summit 2024 just a few months ago, we’ve been busy making important updates and improvements to Kong Gateway. This release introduces new functionality arou
Kong Gateway Enterprise 3.5 is packed with security features to support the use cases demanded by our enterprise customers through major improvements in Secrets Management integrations and our Open-ID Connect (OIDC) plugin. Additionally, we’ve a
With Kong Ingress Controller, when your Control Plane was hosted in Kong Konnect, and you were using Kubernetes Gateway API, your dataplane, routes, and services were in read-only mode. When using Kong Ingress Controller with Kubernetes Gateway API
As API ecosystems grow more complex, maintaining visibility and security shouldn't be a hurdle. Kong Gateway 3.13 simplifies these challenges with expanded OpenTelemetry support and more flexible orchestration. These new capabilities not only make y
A quick refresher: Kong Cloud Gateways Kong Cloud Gateways are fully managed, high-performance data planes running on customer-dedicated infrastructure, orchestrated and operated by Kong through Kong Konnect . Customers can choose between: Serverle
"The whole is more than the sum of its parts." Aristotle is credited with this quote, and it's true in the world of data. Legacy systems typically approached their role in a limited manner. Each system was intended to be used by a certain user set