HTTP/2 Rapid Reset attack mitigation in Liferay PaaS (CVE-2023-44487)
Written By
Jorge García Jiménez
How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!
While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.
Legacy Article
You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.
Before using any information from this article, independently verify its suitability for your situation and project.
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).
Issue
- If you serve HTTP/2 through nginx in front of one of the Apache Tomcat versions below, you are exposed to the HTTP/2 Rapid Reset attack (CVE-2023-44487). In this attack a client opens streams and immediately cancels them with RST_STREAM, so the server does the work of starting each request while the cancelled streams never count against its concurrency limit, which lets a single connection generate far more load than it should. Affected Tomcat versions:
- from 8.5.0 to 8.5.93;
- from 9.0.0-M1 to 9.0.80;
- from 10.1.0-M1 to 10.1.13.
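To tell whether the Tomcat inside a given image falls into one of the ranges above, the following script (an added example, not part of this article or of any Liferay tooling) parses a version string or the "Server version: Apache Tomcat/x.y.z" line printed by `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from the Tomcat home directory, and compares it against the listed ranges. Milestone builds such as 10.1.0-M1 are ordered before the GA build with the same number, which is the part a naive string comparison gets wrong. The sample lines at the bottom are constructed, not captured from a real image; the fixed versions per branch are the ones named in the Resolution below.

```python
import re

# Affected Apache Tomcat ranges for CVE-2023-44487 as listed in this article
# (both ends inclusive). Other branches are not covered by the article and are
# deliberately not encoded here.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.93"),
    ("9.0.0-M1", "9.0.80"),
    ("10.1.0-M1", "10.1.13"),
]

# First versions the article names as not affected, one per branch.
FIXED_VERSIONS = {"8.5": "8.5.94", "9.0": "9.0.81", "10.1": "10.1.14"}

# Matches '9.0.80', '10.1.0-M5', or the same embedded in a line such as
# 'Server version: Apache Tomcat/9.0.80' printed by
# `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Return a comparable tuple for a Tomcat version string or ServerInfo line.

    Milestone builds (10.1.0-M1 .. 10.1.0-Mn) precede the GA build with the
    same number, so the tuple carries (is_ga, milestone) after the numeric
    parts: (10, 1, 0, 0, 5) for 10.1.0-M5 and (10, 1, 0, 1, 0) for 10.1.0.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Tomcat version found in %r" % (text,))
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(text):
    """True if the version in `text` falls inside one of AFFECTED_RANGES."""
    v = parse_version(text)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def assess(text):
    """Human-readable verdict for one version string or ServerInfo line."""
    v = parse_version(text)
    branch = "%d.%d" % v[:2]
    if is_affected(text):
        fix = FIXED_VERSIONS.get(branch, "a fixed release")
        return "VULNERABLE to CVE-2023-44487: upgrade to %s or later" % fix
    return "not in the affected ranges listed for CVE-2023-44487"


if __name__ == "__main__":
    # Constructed sample lines, not output captured from a real image.
    samples = [
        "Server version: Apache Tomcat/9.0.80",
        "Server version: Apache Tomcat/9.0.81",
        "10.1.0-M1",
        "8.5.94",
    ]
    for line in samples:
        print("%-40s %s" % (line, assess(line)))
```

Run it against the ServerInfo output of the image you actually deploy rather than the version you believe it contains; the point of the Resolution below is that the latest 7.2 image still ships an affected build.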
Environment
- Liferay PaaS with Liferay DXP 7.2.
Resolution
- The Tomcat version shipped in the latest 7.2 image is still vulnerable. It will be updated as soon as possible and new images will be published. Tomcat versions not affected by this issue: 8.5.94, 9.0.81 and 10.1.14.
- Until an updated image is available, you can mitigate the attack by configuring the following directives in your webserver service (nginx). Their values must be tuned for your own traffic, balancing security against performance: set them too low and legitimate users are throttled, too high and the limits do nothing.
- limit_conn: the maximum number of simultaneous connections accepted from a single client address.
- limit_req: the maximum rate of requests processed from a single client address; requests above the limit are rejected (or queued, depending on the burst settings).
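The configuration below is an added example of those two directives in context; it is not the Liferay PaaS default configuration and not taken from this article. The zone names (`per_ip_conn`, `per_ip_req`), the numeric limits, the upstream name `liferay` and the certificate paths are assumptions to adapt to your environment, and it assumes the file is included from nginx's `http` context, which is where `limit_conn_zone` and `limit_req_zone` must live.

```nginx
# Added example: per-client connection and request limits against
# HTTP/2 Rapid Reset on the webserver service (nginx). All names and
# numbers are assumptions to tune for your traffic, not Liferay defaults.

# http context. Both zones are keyed on the client address; 10 MB of
# shared memory holds on the order of 160k addresses.
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=20r/s;

# Answer 429 instead of the default 503 so that throttling is
# distinguishable from a genuinely overloaded backend in logs and alerts.
limit_conn_status 429;
limit_req_status  429;
limit_conn_log_level warn;
limit_req_log_level  warn;

upstream liferay {
    server liferay:8080;   # assumed name/port of the Liferay service
}

server {
    listen 443 ssl http2;
    server_name www.example.com;                       # assumption
    ssl_certificate     /etc/nginx/certs/fullchain.pem; # assumption
    ssl_certificate_key /etc/nginx/certs/privkey.pem;   # assumption

    # At most 20 simultaneous connections per client address.
    limit_conn per_ip_conn 20;

    # Steady 20 r/s per client with a burst of 40 above it. 'nodelay'
    # serves the burst immediately and rejects anything beyond it instead
    # of queueing, so a flood of cheap, immediately-cancelled streams is
    # refused rather than buffered.
    limit_req zone=per_ip_req burst=40 nodelay;

    # HTTP/2 specific: cap the streams one connection may have open at
    # once (nginx default is 128). Rapid Reset abuses exactly this window.
    http2_max_concurrent_streams 32;

    location / {
        proxy_pass http://liferay;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two checks before relying on this. First, if the webserver service sits behind a load balancer or CDN, `$binary_remote_addr` is the address of that intermediary unless you configure the realip module (`set_real_ip_from` for the intermediary's address range and `real_ip_header X-Forwarded-For`); without it every user shares one bucket and the limits either do nothing or throttle everyone at once. Second, watch the nginx error log after deployment for `limiting requests` and `limiting connections` entries at `warn` level: a steady stream of them from ordinary clients means the values are too tight for your site.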