Legacy Knowledge Base
Published Jun. 30, 2025

HTTP/2 Rapid reset attack mitigation in Liferay PaaS (CVE-2023-44487)

Written By

Jorge García Jiménez

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Issue

  • If your webserver service (nginx) serves HTTP/2 and Liferay runs on one of the Tomcat versions below, the deployment is exposed to the HTTP/2 Rapid Reset attack (CVE-2023-44487). The attack opens a large number of HTTP/2 streams and immediately cancels each one with an RST_STREAM frame, so the server pays the cost of setting up every request while the client never exceeds its concurrent-stream limit. Affected Tomcat versions:
    • from 8.5.0 to 8.5.93;
    • from 9.0.0-M1 to 9.0.80;
    • from 10.1.0-M1 to 10.1.13.

Environment

  • Liferay PaaS with Liferay DXP 7.2.

Resolution

  • The Tomcat version bundled with the latest 7.2 image is still vulnerable; it will be updated as soon as possible and new images will be published. Tomcat versions that contain the fix: 8.5.94, 9.0.81 and 10.1.14 (and later).
  • Until the updated image is available, you can mitigate the attack by configuring the following directives in your webserver service (nginx). Their values should be chosen taking into account the balance between security and performance for your own traffic:
    • limit_conn: limits the number of simultaneous connections from a single client (keyed, for example, on the client address). Setting it too low will reject legitimate clients behind a shared address.
    • limit_req: limits the rate of requests that will be processed from a single client. Setting it too low will throttle normal page loads, which issue many requests in a short burst.
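The following nginx configuration is an added example of the two mitigations described above, not configuration taken from this article or shipped by Liferay. The zone names (perip_conn, perip_req), zone sizes, numeric thresholds, hostname, certificate paths and the upstream name liferay:8080 are assumptions chosen for illustration; it also sets the two HTTP/2-specific directives (http2_max_concurrent_streams and keepalive_requests) to their nginx defaults so that the bounds on the Rapid Reset vector are explicit rather than implied.

```nginx
# Added example: per-client connection and request-rate limits for the
# nginx webserver service in front of Liferay, as a mitigation for HTTP/2
# Rapid Reset (CVE-2023-44487). Zone names, sizes and thresholds are
# assumptions; tune them for your own traffic before deploying.

http {
    # Key both zones on the client address. $binary_remote_addr is the
    # compact form (4 bytes for IPv4); per nginx's documented sizing a 10m
    # zone tracks roughly 160 thousand distinct addresses.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=20r/s;

    # Return 429 instead of the default 503 so that rate-limited clients
    # can be told apart from a genuinely overloaded upstream in the logs.
    limit_conn_status 429;
    limit_req_status  429;

    # Log limited requests at "warn" so they are easy to filter for.
    limit_conn_log_level warn;
    limit_req_log_level  warn;

    server {
        # nginx 1.25.1+ prefers "listen 443 ssl;" plus "http2 on;".
        listen 443 ssl http2;
        server_name example.com;                           # assumption
        ssl_certificate     /etc/nginx/certs/tls.crt;      # assumption
        ssl_certificate_key /etc/nginx/certs/tls.key;      # assumption

        # At most 20 concurrent connections per client address. An HTTP/2
        # client multiplexes its streams over one connection, so this can
        # stay low without affecting normal browsers.
        limit_conn perip_conn 20;

        # Sustained 20 r/s per client with a burst of 40; "nodelay" serves
        # the burst immediately instead of queueing it, and requests beyond
        # the burst receive 429.
        limit_req zone=perip_req burst=40 nodelay;

        # HTTP/2-specific bounds on the Rapid Reset vector: cap the streams a
        # client may have open on one connection, and the requests served
        # over one connection before nginx closes it. 128 and 1000 are the
        # nginx defaults; they are written out here so they are explicit.
        http2_max_concurrent_streams 128;
        keepalive_requests 1000;

        location / {
            proxy_pass http://liferay:8080;               # assumption
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Validate the file with nginx -t before reloading, and watch the error log for limit_conn and limit_req warnings after the change: a steady stream of 429s from addresses you recognise (an office NAT, a monitoring probe, a CDN) means the thresholds are too tight for your traffic rather than that an attack is under way.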

