
=====================================================================

                            CERT-Renater

                Information Note No. 2025/VULN515
_____________________________________________________________________

DATE                : 14/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running HTTP/2 implementations.

=====================================================================
https://kb.cert.org/vuls/id/767506
_____________________________________________________________________

HTTP/2 implementations are vulnerable to "MadeYouReset" DoS attack
through HTTP/2 control frames
Vulnerability Note VU#767506
Original Release Date: 2025-08-13 | Last Revised: 2025-08-14


Overview

A vulnerability has been discovered in many HTTP/2 implementations
that allows denial of service (DoS) attacks through HTTP/2 control
frames. This vulnerability is colloquially known as "MadeYouReset"
and is tracked as CVE-2025-8671. Some vendors have assigned a
product-specific CVE to describe the same issue, such as
CVE-2025-48989 for affected Apache Tomcat products. MadeYouReset
exploits a mismatch between the HTTP/2 specification's view of a
stream reset (the stream is closed) and the internal architecture of
many real-world web servers (the request behind it keeps being
processed). This results in resource exhaustion, and a threat actor
can leverage it to mount a distributed denial of service (DDoS)
attack. The vulnerability is similar to CVE-2023-44487, colloquially
known as "Rapid Reset". Multiple vendors have issued patches or
responses; readers should review the vendor statements at the end of
this Vulnerability Note and patch as appropriate.


Description

A mismatch between the HTTP/2 specification and the internal
architecture of some HTTP/2 implementations, triggered by
client-provoked, server-sent stream resets, may result in excessive
server resource consumption leading to denial of service (DoS). This
vulnerability is tracked as CVE-2025-8671 and is known colloquially
as "MadeYouReset." It is similar to CVE-2023-44487, colloquially
known as "Rapid Reset", which abused client-sent stream resets.
HTTP/2 introduced stream cancellation: the ability of both client and
server to immediately close a stream at any time. However, after a
stream is cancelled, many implementations keep processing the
request and compute the response, but never send it back to the
client. This creates a mismatch between the number of active streams
from the HTTP/2 point of view and the number of HTTP requests the
backend is actually still processing.

By opening streams and then rapidly causing the server to reset them,
using malformed frames or flow-control errors that the server must
answer with RST_STREAM, an attacker exploits the discrepancy between
HTTP/2 stream accounting and the server's active HTTP requests.
Streams reset by the server are considered closed even though backend
processing continues. This allows a single client to make the server
handle an unbounded number of concurrent HTTP requests over one
connection.

The flaw largely stems from many HTTP/2 implementations equating a
reset stream with a closed one, while in practice the server keeps
processing the request behind it. An attacker can continually trigger
such resets: the protocol treats each reset stream as closed and
frees its concurrency slot, but the server is still doing the work,
causing a DoS.

HTTP/2 does provide a parameter, SETTINGS_MAX_CONCURRENT_STREAMS,
that caps the number of concurrently open streams per connection. In
theory this setting would prevent an attacker from overloading the
target server, as they would hit the concurrent-stream limit on their
malicious connection. In practice, once the server resets a stream
at the attacker's instigation, the protocol considers it no longer
active and no longer counts it toward this limit, even though the
backend is still working on it.


Impact

The main impact of this vulnerability is its potential use in DDoS
attacks. Threat actors exploiting it will likely be able to take
targets offline or severely degrade service for legitimate clients
by making the server process an extremely high number of concurrent
requests. Depending on the HTTP/2 implementation, the exhausted
resource is CPU, memory, or both.


Solution

Various vendors have provided patches and statements to address the
vulnerability; please review their statements below. CERT/CC
recommends that vendors who use HTTP/2 in their products review
their implementation and limit the number and rate of RST_STREAM
frames sent by the server. Additionally, the supplemental material
provided by the reporters includes further mitigations and other
potential solutions:
https://galbarnahum.com/made-you-reset
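The following is an added illustration, not code from CERT/CC, the reporters, or any affected product. It models the accounting mismatch from the Description section (HTTP/2 counts a reset stream as closed while the backend keeps working) and the server-side RST_STREAM limit that CERT/CC recommends in the Solution section. Assumptions: the toy server dispatches a request to its backend as soon as HEADERS arrives; a WINDOW_UPDATE with a zero increment stands in for the "malformed frames or flow control errors" the note mentions (RFC 9113 section 6.9 requires a stream error for a zero increment); mitigations are modelled as a per-connection budget on resets plus cancellation of backend work. All class, field and function names are invented for the example.

```python
"""Toy model of the MadeYouReset accounting mismatch and of server-side
mitigations. Constructed example; not code from any affected project."""
from dataclasses import dataclass, field
from typing import Optional, Set

# SETTINGS_MAX_CONCURRENT_STREAMS advertised by the toy server (RFC 9113 s6.5.2).
MAX_CONCURRENT_STREAMS = 100


@dataclass
class Frame:
    kind: str            # "HEADERS", "RST_STREAM" or "WINDOW_UPDATE"
    stream_id: int
    increment: int = 1   # WINDOW_UPDATE only; 0 is a stream error (RFC 9113 s6.9)


@dataclass
class Server:
    # Mitigations. All off reproduces the vulnerable behaviour the note describes.
    client_reset_budget: Optional[int] = None  # Rapid Reset style: count RST_STREAM received
    server_reset_budget: Optional[int] = None  # MadeYouReset fix: count RST_STREAM sent
    cancel_backend_on_reset: bool = False      # drop backend work when a stream is reset
    # State: the two views of "active" that the attack drives apart.
    open_streams: Set[int] = field(default_factory=set)      # HTTP/2 protocol view
    backend_inflight: Set[int] = field(default_factory=set)  # requests the backend is computing
    client_resets: int = 0
    server_resets: int = 0
    closed: bool = False

    def _close_stream(self, sid: int) -> None:
        self.open_streams.discard(sid)          # frees a concurrency slot per the spec
        if self.cancel_backend_on_reset:
            self.backend_inflight.discard(sid)  # the fix: stop the work too

    def _goaway(self) -> str:
        """Tear down the connection; all work tied to it is discarded."""
        self.closed = True
        self.open_streams.clear()
        self.backend_inflight.clear()
        return "GOAWAY(ENHANCE_YOUR_CALM)"

    def _send_rst(self, sid: int, code: str) -> str:
        """Server-initiated RST_STREAM: the stream is now closed for HTTP/2 purposes."""
        self.server_resets += 1
        self._close_stream(sid)
        if self.server_reset_budget is not None and self.server_resets > self.server_reset_budget:
            return self._goaway()
        return f"RST_STREAM({code})"

    def handle(self, frame: Frame) -> Optional[str]:
        """Process one client frame; return the frame the server sends back, if any."""
        if self.closed:
            return None
        sid = frame.stream_id
        if frame.kind == "HEADERS":
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                return self._send_rst(sid, "REFUSED_STREAM")  # RFC 9113 s5.1.2
            self.open_streams.add(sid)
            self.backend_inflight.add(sid)  # request dispatched to the backend at once
            return None
        if frame.kind == "RST_STREAM":      # client cancels (the Rapid Reset primitive)
            self.client_resets += 1
            self._close_stream(sid)
            if self.client_reset_budget is not None and self.client_resets > self.client_reset_budget:
                return self._goaway()
            return None
        if frame.kind == "WINDOW_UPDATE":
            if frame.increment == 0:        # stream error: the server must reset the stream
                return self._send_rst(sid, "PROTOCOL_ERROR")
            return None
        raise ValueError(f"unsupported frame kind {frame.kind!r}")


def made_you_reset(server: Server, requests: int) -> Server:
    """Open a stream, then make the *server* reset it; repeat `requests` times."""
    for i in range(requests):
        sid = 2 * i + 1  # client-initiated stream IDs are odd
        server.handle(Frame("HEADERS", sid))
        server.handle(Frame("WINDOW_UPDATE", sid, increment=0))
    return server


def rapid_reset(server: Server, requests: int) -> Server:
    """The 2023 variant for comparison: the client resets its own streams."""
    for i in range(requests):
        sid = 2 * i + 1
        server.handle(Frame("HEADERS", sid))
        server.handle(Frame("RST_STREAM", sid))
    return server


if __name__ == "__main__":
    vulnerable = made_you_reset(Server(), 1000)
    print("vulnerable: open_streams=%d backend_inflight=%d"
          % (len(vulnerable.open_streams), len(vulnerable.backend_inflight)))
    old_fix = made_you_reset(Server(client_reset_budget=50), 1000)
    print("rapid-reset mitigation only: backend_inflight=%d closed=%s"
          % (len(old_fix.backend_inflight), old_fix.closed))
    fixed = made_you_reset(Server(server_reset_budget=50, cancel_backend_on_reset=True), 1000)
    print("server-side reset budget: server_resets=%d closed=%s backend_inflight=%d"
          % (fixed.server_resets, fixed.closed, len(fixed.backend_inflight)))
```

Running the block shows why a Rapid Reset mitigation that only counts RST_STREAM frames received from the client does nothing here: the attacker never sends one, so the unmitigated and client-budget servers both end with 1000 backend requests in flight and zero open HTTP/2 streams. Counting the resets the server itself sends, and cancelling backend work when a stream is reset, each close the gap in their own way; the first bounds how much an abusive connection can cost, the second removes the orphaned work entirely.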


Acknowledgements

Thanks to the reporters, Gal Bar Nahum, Anat Bremler-Barr, and
Yaniv Harel of Tel Aviv University. This document was written
by Christopher Cullen.


Vendor Information

AMPHP Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   June 22, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected
Vendor Statement

We have not received a statement from the vendor.


Apache Tomcat Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   August 13, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Affected
References:

    https://tomcat.apache.org/
    https://www.cve.org/CVERecord?id=CVE-2025-48989

CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

Severity: important

Affected versions:

    Apache Tomcat 11.0.0-M1 through 11.0.9
    Apache Tomcat 10.1.0-M1 through 10.1.43
    Apache Tomcat 9.0.0.M1 through 9.0.107
    Apache Tomcat 8.5.0 through 8.5.100 (status unknown)

Description:

Improper Resource Shutdown or Release vulnerability in
Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9,
from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107.
Older, EOL versions may also be affected.

Users are recommended to upgrade to one of versions 11.0.10,
10.1.44 or 9.0.108 which fix the issue.

Credit:

Gal Bar Nahum, Tel Aviv University (finder)

References

    https://tomcat.apache.org/
    https://www.cve.org/CVERecord?id=CVE-2025-48989


Eclipse Foundation Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   June 04, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

We have not received a statement from the vendor.


Fastly Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   August 13, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Not Affected
CVE-2025-54500	Unknown
CVE-2025-55163	Not Affected
CVE-2025-8671	Affected

Vendor Statement

Fastly implemented a fix for this vulnerability in release
25.17 of Fastly’s internal fork of H2O. The fix was deployed
and fully implemented across Fastly on the 2nd of June 2025.

References

    https://www.fastlystatus.com/incident/377810


gRPC Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   May 28, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

We have not received a statement from the vendor.


Mozilla Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   June 02, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

Many of Mozilla's websites and services run on affected platforms
and will need to be patched. The software Mozilla ships,
primarily client software like Firefox, is not affected.


Netty Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   May 30, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

We have not received a statement from the vendor.


SUSE Linux Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   August 13, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Affected
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

We have not received a statement from the vendor.


Varnish Software Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   August 07, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

The following releases of Varnish Cache and Varnish Enterprise
are vulnerable to the issue described in CVE-2025-8671.

    * Varnish Cache releases 5.x, 6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x,
      7.4.x, 7.5.x, 7.6.0, 7.6.1, 7.6.2, 7.6.3, 7.7.0, 7.7.1
    * Varnish Cache 6.0 LTS series up to and including 6.0.14
    * Varnish Enterprise by Varnish Software 6.0.x up to and
      including 6.0.14r4

The issue has been patched in the following releases:

    * Varnish Cache 7.6.4 (released 2025-08-13)
    * Varnish Cache 7.7.2 (released 2025-08-13)
    * Varnish Cache 6.0 LTS version 6.0.15 (released 2025-08-13)
    * Varnish Enterprise by Varnish Software version 6.0.14r5
      (released 2025-06-19)

At the coordinated time of disclosure, there will be information
pages specific to Varnish Cache and Varnish Enterprise published at:

    * Varnish Cache: https://varnish-cache.org/security/VSV00017.html
    * Varnish Enterprise: https://docs.varnish-software.com/security/VSV00017/

References

    https://varnish-cache.org/security/VSV00017.html
    https://docs.varnish-software.com/security/VSV00017/


Wind River Affected

Notified:  2025-05-28 Updated: 2025-08-13

Statement Date:   May 30, 2025
CVE-2025-36047	Unknown
CVE-2025-48989	Unknown
CVE-2025-54500	Unknown
CVE-2025-55163	Unknown
CVE-2025-8671	Affected

Vendor Statement

Product(s) are affected or potentially affected by virtue of
upstream components that are included with the product(s).

The full Vulnerability Note lists 118 vendors; only a selection is
reproduced above.


References

    https://github.com/galbarnahum/MadeYouReset
    https://galbarnahum.com/made-you-reset
    https://deepness-lab.org/publications/madeyoureset/
    https://www.imperva.com/blog/madeyoureset-turning-http-2-server-against-itself/
    https://www.cve.org/CVERecord?id=CVE-2025-8671
    https://www.rfc-editor.org/rfc/rfc9113.html#name-rst_stream
    https://www.rfc-editor.org/rfc/rfc9113.html#section-6.5.2
    https://github.com/tempesta-tech/tempesta/issues/2439
    https://github.com/tempesta-tech/tempesta/issues/2451
    https://seanmonstar.com/blog/hyper-http2-didnt-madeyoureset/
    https://blog.litespeedtech.com/2025/08/13/litespeed-not-affected-by-madeyoureset/


Other Information

CVE IDs: 	CVE-2025-36047 CVE-2025-48989 CVE-2025-54500
                  CVE-2025-55163 CVE-2025-8671
Date Public: 	2025-08-13
Date First Published: 	2025-08-13
Date Last Updated: 	2025-08-14 11:21 UTC
Document Revision: 	13 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
