Hi, syslog-ng doesn't use HTTP/2 in its core, so we are not directly affected by CVE-2023-44487. The gRPC plugin of syslog-ng may be affected indirectly through the gRPC libraries we use, but so far I haven't found any official comment on this by the gRPC developers other than the following fix in their Go library: https://github.com/grpc/grpc-go/pull/6703 In summary, if you don't use the OpenTelemetry or Loki plugins of syslog-ng, syslog-ng is not affected by the above CVE. If you use either the OpenTelemetry or the Loki plugins, please wait for the gRPC announcement whether their C++ library is affected or not. -- László Várady On Mon, Oct 16, 2023 at 10:10 AM Mayekar, PrachiX <prachix.mayekar@intel.com> wrote:
Hi Team,
Are syslog products vulnerable to this vulnerability ?
Need to know if Syslog is affected:
*CVE-2023-44487 is a vulnerability in the HTTP/2 protocol that was recently used to launch DDoS attacks. The vulnerability allows for denial of service (DoS) because request cancellation can reset many streams quickly. https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-d... <https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/>*
*Thanks & Regards,*
*Prachi Mayekar*
ITI-Network Services
A Contingent Worker at Intel
For assistance, please visit us at https://it.intel.com
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq