CVE-2023-44487 Impact of Rapid Reset and HTTP/2 DoS Vulnerabilities (CVE-2023-44487, CVE-2023-35945)
The Palo Alto Networks Product Security Assurance team is evaluating the recently disclosed denial-of-service (DoS) vulnerabilities in the HTTP/2 protocol including Rapid Reset (CVE-2023-44487) and CVE-2023-35945.
PAN-OS firewall web interface, GlobalProtect portals, and GlobalProtect gateways are not impacted by these vulnerabilities.
The impact of these issues on inspection of decrypted HTTP/2 traffic in PAN-OS software is under investigation.
This is a developing product security incident and this advisory will be updated as more information becomes available.
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | Under investigation | |
| GlobalProtect App | None | all |
| PAN-OS | Under investigation | |
| Prisma Access | Under investigation | |
| Prisma Cloud | None | all |
| Prisma Cloud Compute | None | all |
CVSSv3.1 Base Score:0 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)
Palo Alto Networks is not aware of any malicious exploitation or customer reports of this issue in any of our products. However, this issue has been exploited in the wild since August 2023.
CWE-400 Uncontrolled Resource Consumption
No software updates are required at this time.
Vulmon