HTTP/2 MadeYouReset Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability known as 'MadeYouReset' has been identified in several HTTP/2 implementations, including Apache Tomcat, Netty, Jetty, IBM WebSphere, and Varnish. It lets an attacker consume excessive server resources by abusing how HTTP/2 stream resets are handled: once a stream is reset it counts as closed at the protocol level and no longer occupies a slot in the connection's concurrent-stream limit, but the backend processing started for it often continues. By causing streams to be reset rapidly, an attacker can make the server process an unbounded number of concurrent requests over a single connection. The vulnerability is similar to the 'Rapid Reset' vulnerability exploited in 2023, but 'MadeYouReset' bypasses the mitigations deployed for it: instead of the client sending the reset, protocol-compliant frames are used to make the server reset the stream on its own side.
Impact
Exploitation of this vulnerability leads to high server resource consumption, causing denial-of-service conditions. Affected servers may experience increased CPU usage, memory exhaustion, or both, with some implementations crashing due to out-of-memory conditions.
Reproduction
The vulnerability can be reproduced by opening multiple HTTP/2 streams on a server and then sending malformed WINDOW_UPDATE frames that violate the HTTP/2 specification. This can be done using a custom-built tool that automates the process, such as the one available in the 'MadeYouReset' GitHub repository. The tool can be configured to target the server with a high volume of requests, effectively overwhelming its resources.
Remediation
Users are advised to upgrade to versions of Apache Tomcat, Netty, Jetty, IBM WebSphere, and Varnish that have been patched for this vulnerability. For Varnish, the vulnerability can also be mitigated by disabling HTTP/2 support.
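One way to express the defensive logic implied by the description above, as an added illustration that is not code from any of the named projects: a per-connection guard that counts stream resets regardless of which side sent RST_STREAM and caps the number of backend handlers left running after their stream was closed. The class, method names, thresholds and the replayed trace are assumptions constructed for this example.

```python
from collections import deque

class StreamResetGuard:
    """Per-connection guard for the pattern described above: resets counted
    per sliding window whichever side sent RST_STREAM, plus a cap on 'orphaned'
    streams whose backend handler still runs after the stream was closed."""

    def __init__(self, max_resets=50, window_s=10.0, max_orphaned=50,
                 count_server_resets=True):   # thresholds are constructed
        self.max_resets, self.window_s = max_resets, window_s
        self.max_orphaned = max_orphaned
        self.count_server_resets = count_server_resets
        self.reset_times = deque()   # timestamps of counted resets
        self.running = set()         # streams with backend work in flight
        self.orphaned = set()        # running streams already reset
        self.goaway = False

    def on_headers(self, stream_id):
        self.running.add(stream_id)  # client opened a stream; handler starts

    def on_reset(self, stream_id, now, sent_by):
        """Record a RST_STREAM sent by 'client' or 'server'; returns True
        once the connection should be closed with GOAWAY."""
        if stream_id in self.running:
            self.orphaned.add(stream_id)
        if sent_by == "client" or self.count_server_resets:
            self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > self.window_s:
            self.reset_times.popleft()
        if (len(self.reset_times) > self.max_resets
                or len(self.orphaned) > self.max_orphaned):
            self.goaway = True
        return self.goaway

    def on_backend_done(self, stream_id):
        """Handler finished; the stream no longer holds server resources."""
        self.running.discard(stream_id)
        self.orphaned.discard(stream_id)

def replay(guard, n_streams, step_s=0.01):
    """Constructed trace: each stream is opened, the server resets it after a
    spec-violating client frame, and no handler finishes. Returns the index
    of the reset at which the guard fired, or None."""
    for i in range(n_streams):
        sid = 2 * i + 1                      # client streams are odd-numbered
        guard.on_headers(sid)
        if guard.on_reset(sid, i * step_s, sent_by="server"):
            return i
    return None
```

With count_server_resets=False the guard behaves like a Rapid Reset mitigation that only watches client RST_STREAM frames and never fires on the replayed trace; the orphaned-stream cap is what still catches it.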
