[syslog-ng] Vulnerability making News - HTTP/2 Rapid Reset DDoS CVE-2023-44487

László Várady laszlo.varady at axoflow.com
Mon Oct 16 08:30:07 UTC 2023


Hi,

syslog-ng doesn't use HTTP/2 in its core, so we are not directly affected
by CVE-2023-44487.

The gRPC plugin of syslog-ng may be affected indirectly through the gRPC
libraries we use, but so far I haven't found any official comment on this
by the gRPC developers other than the following fix in their Go library:
https://github.com/grpc/grpc-go/pull/6703

In summary, if you don't use the OpenTelemetry or Loki plugins of
syslog-ng, syslog-ng is not affected by the above CVE.
If you use either the OpenTelemetry or the Loki plugin, please wait for
the gRPC announcement on whether their C++ library is affected or not.

--
László Várady

On Mon, Oct 16, 2023 at 10:10 AM Mayekar, PrachiX <prachix.mayekar at intel.com>
wrote:

> Hi Team,
>
> Are syslog products vulnerable to this vulnerability?
>
> Need to know if Syslog is affected:
>
> CVE-2023-44487 is a vulnerability in the HTTP/2 protocol that was
> recently used to launch DDoS attacks. The vulnerability allows for denial
> of service (DoS) because request cancellation can reset many streams
> quickly.
> https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
>
> Thanks & Regards,
> Prachi Mayekar
> ITI-Network Services
> A Contingent Worker at Intel
> For assistance, please visit us at https://it.intel.com
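As an added example that is not part of this thread and is not syslog-ng's own tooling: a small POSIX shell check that scans a syslog-ng configuration for the OpenTelemetry and Loki destinations the reply above names, so an operator can tell whether the gRPC library question applies to a given host at all. It assumes those plugins appear in the configuration as the driver keywords `opentelemetry(` and `loki(`; the sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: audit a syslog-ng
# configuration for the gRPC-backed destination drivers named in the reply.
# ASSUMPTION: the OpenTelemetry and Loki plugins are configured with the
# driver keywords opentelemetry(...) and loki(...); adjust the pattern if
# your syslog-ng version spells them differently.

# Print (with file and line numbers) every non-comment line that configures
# one of the gRPC-backed drivers. Exit status 0 if at least one is found,
# 1 if none. Arguments: syslog-ng.conf plus any files it @include's.
grpc_plugin_refs() {
    grep -nE '^[^#]*(^|[^[:alnum:]_])(opentelemetry|loki)[[:space:]]*\(' "$@"
}

# One-word verdict for a set of configuration files:
#   grpc-plugins-present : the gRPC library question from the thread applies
#   no-grpc-plugins      : syslog-ng on this host does not use HTTP/2 at all
#   unreadable:<path>    : a file could not be read (never silently "clean")
grpc_exposure() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable:$f"; return 2; }
    done
    if grpc_plugin_refs "$@" >/dev/null 2>&1; then
        echo grpc-plugins-present
    else
        echo no-grpc-plugins
    fi
}

# Constructed sample configurations (not real deployments), written to a
# temporary directory so the functions can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/plain.conf" <<'EOF'
@version: 4.4
source s_local { system(); internal(); };
destination d_file { file("/var/log/messages"); };
log { source(s_local); destination(d_file); };
EOF

cat > "$SAMPLE_DIR/otel.conf" <<'EOF'
@version: 4.4
source s_local { system(); internal(); };
# destination d_loki { loki(url("loki.example:3100")); };  # commented out: ignored
destination d_otel { opentelemetry(url("otel-collector.example:4317")); };
log { source(s_local); destination(d_otel); };
EOF

# Stand-alone demo: verdict per file, then the matching lines for the
# configuration that does use a gRPC-backed destination.
for f in "$SAMPLE_DIR/plain.conf" "$SAMPLE_DIR/otel.conf"; do
    printf '%s -> %s\n' "$(basename "$f")" "$(grpc_exposure "$f")"
done
grpc_plugin_refs "$SAMPLE_DIR/otel.conf" || true
```

Pass the main configuration together with every file it `@include`s: this is a plain text scan, not a configuration parser, so it does not follow `@include` directives itself. A match only means the plugin is configured on that host; whether the gRPC build behind it is affected is exactly the open question the reply defers to the gRPC announcement.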