On October 10, 2023, CISA published a notification about an HTTP/2 vulnerability that had been exploited “in the wild” since late August. Service providers using this protocol are presently releasing patches to remediate this vulnerability. This document provides an overview of steps you can take to protect your organization and your third-party network, as well as a summary of our investigation and mitigation efforts.
HTTP/2 is a ubiquitous networking protocol for transferring data between countless online services and consumers. Many common applications use HTTP/2 for performance improvements over previous versions, and as a result this vulnerability could have widespread implications for individuals and organizations of all sizes and industries across the world.
Severity and Impact
CVE-2023-44487 is awaiting severity designation, but it is anticipated that this will be at least a High Risk vulnerability. Patches deployed by server providers should be applied as soon as possible. Other remediation efforts are addressed here.
It is important to quickly assess the impact and risk both internally and within your third-party population. Take action now and follow these steps to assess the potential impact to systems and remediate accordingly.
Step 1: Determine if you are at risk.
- If you or a third party are using the HTTP/2 protocol, you may be vulnerable to this CVE.
- To assess whether your third parties are vulnerable, customers can access the HTTP/2 Rapid Reset Vulnerability Questionnaire in the Whistic platform under our Questionnaire Standards Library by clicking here.
Step 2: Immediately patch systems that have been impacted.
- Make sure your team is aware of the vulnerability and the subsequent patch releases by applicable vendors.
- Determine which applications and infrastructure are using the HTTP/2 protocol.
- Update any vulnerable instances of the protocol.
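The two steps above come down to an inventory problem: which hosts are actually serving HTTP/2, so that patch verification can be prioritized. The script below is an added example for that inventory, not Whistic's tooling or part of the advisory. It assumes an access log in the common "combined" format with a leading virtual-host field (the sample lines are constructed) and counts requests per host by negotiated protocol; a second, optional function does a live ALPN check against a host so a patched server can be confirmed to still offer (or no longer offer) `h2`. Only the offline log inventory runs in the sample; the ALPN probe needs network access.

```python
"""Inventory which services are serving HTTP/2 (added example, assumptions noted inline).

Two complementary checks:
  1. Offline: parse access-log lines ("combined" format with a leading vhost field,
     an assumed layout) and count requests per host by protocol.
  2. Live: negotiate TLS ALPN against a host and report whether "h2" is selected.
"""
import re
import socket
import ssl
from collections import defaultdict

# Assumed log layout: vhost client ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log: addresses are documentation ranges, hosts are placeholders.
SAMPLE_LOG = """\
api.example.com 203.0.113.5 - - [10/Oct/2023:12:00:00 +0000] "GET /v1/users HTTP/2.0" 200 512
api.example.com 203.0.113.6 - - [10/Oct/2023:12:00:01 +0000] "POST /v1/login HTTP/2.0" 200 128
www.example.com 198.51.100.9 - - [10/Oct/2023:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096
www.example.com 198.51.100.9 - - [10/Oct/2023:12:00:03 +0000] "GET /style.css HTTP/1.1" 304 0
legacy.example.com 192.0.2.77 - - [10/Oct/2023:12:00:04 +0000] "GET / HTTP/1.0" 200 2048
this line is garbage and should be skipped
"""


def inventory_from_log(text):
    """Return {vhost: {protocol: request_count}} for every parseable line.

    Malformed lines are skipped rather than aborting the run, since real logs
    contain error lines and truncated writes."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        counts[m["vhost"]][m["proto"]] += 1
    return {host: dict(protos) for host, protos in counts.items()}


def http2_hosts(inventory):
    """Hosts that served at least one HTTP/2 request; verify patch status on these first.

    Caveat: a host absent from this list may still have HTTP/2 enabled but unused,
    so treat the log view as a lower bound and confirm with the live ALPN probe."""
    return sorted(h for h, protos in inventory.items() if "HTTP/2.0" in protos)


def probe_alpn(host, port=443, timeout=5.0):
    """Live check (needs network): connect with TLS and offer h2 via ALPN.

    Returns the protocol the server selected ("h2", "http/1.1") or None if
    the server did not negotiate ALPN at all."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    inv = inventory_from_log(SAMPLE_LOG)
    for host, protos in sorted(inv.items()):
        print(host, protos)
    print("HTTP/2 in use on:", http2_hosts(inv))
```

Feed real logs to `inventory_from_log` (for nginx, a `log_format` that prefixes `$host` matches the assumed layout), then run `probe_alpn` against each host in `http2_hosts` once the vendor patch is installed to confirm the server still negotiates as expected.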
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability does not directly impact Whistic. While Whistic uses HTTP/2, investigation of our current server versions and protections shows that we are not affected by this vulnerability. We have a structured approach to vulnerability identification and remediation using technologies in both the development lifecycle and in our stage and production environments.