help request: What's the action for CVE-2023-44487 ?

[purekeeper]

Description

A new vulnerability for http2, do we have any update fot this?
GHSA-qppj-fm5r-hxr3

Environment

• APISIX version (run apisix version):
• Operating system (run uname -a):
• OpenResty / Nginx version (run openresty -V or nginx -V):
• etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
• APISIX Dashboard version, if relevant:
• Plugin runner version, for issues related to plugin runners:
• LuaRocks version, for installation issues (run luarocks --version):

[moonming]

@purekeeper thanks for raising this.

1. Apache APISIX is implemented based on NGINX in HTTP2. The default value of this parameter of NGINX http://nginx.org/r/keepalive_requests is 1000, and APISIX does not modify it. In other words, sending a maximum of 1,000 requests on a connection will be disconnected, which can mitigate the attack caused by this CVE. You can also enable APISIX's limit-conn, limit-req and other plug-ins for further protection.
2. APISIX Runtime has been patched with NGINX's commit: nginx/nginx@6ceef19, and a APISIX version will be released soon.

[monkeyDluffy6017]

considered resolved