Product Releases
October 12, 2023
2 min read

Kong Releases Product Updates to Address Novel HTTP/2 'Rapid Reset' DDoS Vulnerability

Tom Brightbill
Group Product Manager

At Kong, the security and reliability of our products have always been paramount. In light of the recent discovery of the novel HTTP/2 ‘Rapid Reset’ DDoS attack (CVE-2023-44487), we have taken steps to proactively address potential issues. Today we’re providing guidance on how our users can best safeguard their systems.

What is the HTTP/2 Rapid Reset Attack?

This vulnerability exploits HTTP/2's ability to multiplex many concurrent streams over a single connection. In this attack, a client floods the server with a very high number of HTTP/2 stream requests and immediately resets each one. The server then spends significant resources cleaning up these cancelled streams. Each request is legal under HTTP/2, so a malicious client can defeat existing flood-prevention checks with minimal work.

The servers end up spending too much time in cleaning up the canceled streams, thus preventing them from servicing valid traffic, causing a Denial of Service.

We urge customers with HTTP/2-enabled servers to liaise with their web server providers to ensure timely application of essential patches.

Immediate Action Taken by Kong

All supported versions of Kong Gateway, Kong Mesh, and Kuma have been patched and released. The following versions contain a fix for the HTTP/2 rapid reset attack:

  • Kong Gateway Enterprise: 2.8.4.4, 3.1.1.6, 3.2.2.5, 3.3.1.1, 3.4.1.1
  • Kong Gateway OSS: 3.4.2
  • Kong Mesh: 2.0.8, 2.1.7, 2.2.5, 2.3.3, 2.4.3
  • Kuma: 2.0.8, 2.1.7, 2.2.5, 2.3.3, 2.4.3

For users of the Docker official image for Kong OSS, we have submitted an updated version and are waiting for the fix to be merged. To update immediately, please switch to the kong/kong image. For customers using Kong Enterprise images, the updates are available immediately.

Mitigation Steps

If you cannot immediately update to the latest patches containing our fixes, we recommend the following mitigation steps:

  1. Disable HTTP/2 Support in Kong
  2. Reduce the HTTP/2 keepalive limit

You can find more information about the details of implementing these mitigation measures in the Kong knowledge base.
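Two offline checks that follow from the version list and the first mitigation step, as an added example (not Kong's own tooling): a patch-status check against the fixed versions listed above, and a scan of a kong.conf `proxy_listen` value for listeners that still carry the `http2` flag. The example assumes that the first two version components identify a release series and that any build at or above the listed version in that series is fixed; series the advisory does not list are reported as unlisted rather than guessed at.

```python
"""Offline checks against the advisory's fixed-version list and mitigation 1."""
import re
from typing import List, Tuple

# Fixed versions exactly as listed in the advisory.
FIXED_VERSIONS = {
    "kong-gateway-enterprise": ["2.8.4.4", "3.1.1.6", "3.2.2.5", "3.3.1.1", "3.4.1.1"],
    "kong-gateway-oss": ["3.4.2"],
    "kong-mesh": ["2.0.8", "2.1.7", "2.2.5", "2.3.3", "2.4.3"],
    "kuma": ["2.0.8", "2.1.7", "2.2.5", "2.3.3", "2.4.3"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric version from text.

    Tolerates surrounding words or suffixes, e.g. 'Kong 3.4.1.1-enterprise' -> (3, 4, 1, 1).
    """
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def patch_status(product: str, version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for a build of the given product."""
    installed = parse_version(version_text)
    for fixed in FIXED_VERSIONS[product]:
        fixed_t = parse_version(fixed)
        # Assumption: the X.Y prefix identifies the release series the fix was backported to.
        if installed[:2] == fixed_t[:2]:
            # Tuples compare lexicographically, so 3.4.2.1 > 3.4.2 and 3.3.1.0 < 3.3.1.1.
            return "fixed" if installed >= fixed_t else "vulnerable"
    return "unlisted"


def http2_listeners(proxy_listen: str) -> List[str]:
    """Return the addresses in a kong.conf proxy_listen value whose flags include http2.

    Mitigation 1 above amounts to removing that flag from every entry returned here.
    """
    found = []
    for entry in proxy_listen.split(","):
        parts = entry.split()          # "addr flag flag ..." -> address first, flags after
        if parts and "http2" in parts[1:]:
            found.append(parts[0])
    return found


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    print(patch_status("kong-gateway-oss", "3.4.1"))
    print(http2_listeners("0.0.0.0:8000 reuseport backlog=16384, 0.0.0.0:8443 http2 ssl reuseport backlog=16384"))
```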

At Kong, we appreciate the trust you place in us and in our products. We are committed to ensuring the security of our community and will continue to monitor and address vulnerabilities proactively. Lastly, we highly recommend that all of our users evaluate their systems, apply the necessary patches, and follow the mitigation steps provided.