Hi,

syslog-ng doesn't use HTTP/2 in its core, so we are not directly affected by CVE-2023-44487.

The gRPC plugin of syslog-ng may be affected indirectly through the gRPC libraries we use, but so far I haven't found any official comment on this by the gRPC developers other than the following fix in their Go library:

https://github.com/grpc/grpc-go/pull/6703

In summary, if you don't use the OpenTelemetry or Loki plugins of syslog-ng, syslog-ng is not affected by the above CVE.

If you use either the OpenTelemetry or the Loki plugins, please wait for the gRPC announcement whether their C++ library is affected or not.

László Várady

On Mon, Oct 16, 2023 at 10:10 AM Mayekar, PrachiX <prachix.mayekar@intel.com> wrote:

Hi Team,

Are syslog products vulnerable to this vulnerability ?

Need to know if Syslog is affected:

CVE-2023-44487 is a vulnerability in the HTTP/2 protocol that was recently used to launch DDoS attacks. The vulnerability allows for denial of service (DoS) because request cancellation can reset many streams quickly. https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/

Thanks & Regards,

Prachi Mayekar

ITI-Network Services

A Contingent Worker at Intel

For assistance, please visit us at https://it.intel.com

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq