Publication Date: 2023/10/10 05:00 AM PDT
AWS is aware of CVE-2023-44487, also known as the "HTTP/2 Rapid Reset Attack," which affects HTTP/2 capable web servers: rapid stream generation and cancellation can result in additional load, which could lead to a Denial of Service. AWS infrastructure is designed with various protections to address Layer 7 request floods; however, we have implemented additional mitigations to address this issue. AWS also recommends that customers who operate their own HTTP/2 capable web servers verify with their web server vendor whether they are affected and, if so, install the latest patches from their respective vendors to address this issue.
Customers can learn more about this in the AWS Security blog post titled "How AWS Protects Customers from DDoS Events".
Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.