linkerd
diff --git a/‎linkerd.io/content/blog/2023/1011-cve-2023-44487.md
+104 b/‎linkerd.io/content/blog/2023/1011-cve-2023-44487.md
+104
diff --git a/‎linkerd.io/static/images/djim-loic-ft0-Xu4nTvA-unsplash.jpg
60 KB b/‎linkerd.io/static/images/djim-loic-ft0-Xu4nTvA-unsplash.jpg
60 KB
@@ -0,0 +1,104 @@
+---
+title: 'How Linkerd responded to CVE-2023-44487, the HTTP/2 DDOS vulnerability, six months ago'
+author: 'william'
+date: 2023-10-11T00:00:00+00:00
+thumbnail: /images/djim-loic-ft0-Xu4nTvA-unsplash.jpg
+draft: false
+featured: false
+slug: linkerd-cve-2023-44487
+tags: [Linkerd]
+---
+
+![A fast-moving block](/images/djim-loic-ft0-Xu4nTvA-unsplash.jpg)
+
+Yesterday, [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), a
+DDOS vulnerability in many HTTP/2 implementations, was disclosed. This was a
+very interesting attack and there have been several great writeups on how it
+works—see Cloudflare's [HTTP/2 Rapid Reset: deconstructing the record-breaking
+attack](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
+and Google's [How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS
+attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
+for many details of how this attack works and the consequences.
+
+We're happy to report that due to Linkerd's internal security policies and the
+security-awareness and rapid response of the Rust community, all recent versions
+of Linkerd are resilient to this class of DDOS attack. (In fact, Linkerd can
+actually help users who have vulnerable ingress proxies—simple mesh them with
+Linkerd and have it handle HTTP/2 traffic.)
+
+Versions of Linkerd that are resilient to CVE-2023-44487 include:
+
+* All versions of Linkerd 2.14.x
+* Linkerd 2.13.1 and all later minor versions of Linkerd 2.13
+* Linkerd 2.12.5 and all later minor versions of Linkerd 2.12
+
+Astute Linkerd adopters will realize that these versions are all as of April
+2023, six months ago. This is thanks to our rigorous vulnerability mitigation
+procedures, and to the security-mindedness and fast response of the Rust
+community.
+
+Let's see just how this feat happened.
+
+## Linkerd is a security-first project
+
+It's no understatement to say that Linkerd treats security as a critical
+requirement. Organizations around the world rely on Linkerd for everything from
+protecting sensitive customer medical and financial data, to scheduling COVID
+tests, to building 911 call centers. For some people, Linkerd is quite literally
+a life-or-death project.
+
+Part of that approach is the choice of technologies like Rust, of course, which
+allow us to avoid an entire class of buffer overflow exploits and other
+vulnerabilities that are endemic to languages like C and C++.
+
+But another, just as important part is simply how seriously the project takes
+potential security vulnerabilities. Tracing the path to resolution for
+CVE-2023-44487 is a great example of that. Here's how it happened:
+
+This issue was first tracked as a vulnerability in the Rust community as
+[RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html) on
+April 14, 2023. At that point it had actually already been fixed in h2, the
+underlying library that Linkerd uses to parse HTTP/2 requests, as a change that
+had gone out [on April 12th, two days
+earlier](https://github.com/hyperium/h2/pull/668).
+
+The fix was published in [h2
+v0.3.17](https://rustsec.org/advisories/RUSTSEC-2023-0034.html). Linkerd
+automatically pulled in that dependency [on April
+13th](https://github.com/linkerd/linkerd2-proxy/commit/67306bc7ba19286352762362e4e1876ce5924442)
+via [GitHub's Dependabot](https://github.com/dependabot), the automated
+dependency tool that Linkerd uses to ensure it stays up-to-date with critical
+dependencies, where it was published as [proxy release
+v2.198.1](https://github.com/linkerd/linkerd2-proxy/releases/tag/release%2Fv2.198.1).
+
+On April 13th, the proxy version [was pulled into the main Linkerd
+repo](https://github.com/linkerd/linkerd2/commit/19a404fd196e251e969ac6c4a552a3c7af698dc5).
+On April 14th, we pushed it to [Linkerd
+2.13.1](https://github.com/linkerd/linkerd2/releases/tag/stable-2.13.1)—two days
+after the underlying fix in h2, and the same day it was recognized as an
+vulnerability in the Rust ecosystem. The fix also went out on
+[edge-23.4.2](https://github.com/linkerd/linkerd2/releases/tag/edge-23.4.2) on
+April 21st, and from there it was in all future and stable releases.
+
+In short: two days after the fix was made in the underlying Rust HTTP/2 library,
+it was already in the hands of Linkerd users as a stable release, and all
+Linkerd releases since April have been protected against this vulnerability.
+While this vulnerability is making the news this week, Linkerd adopters have
+been protected for almost 6 months.
+
+## Linkerd is for everyone
+
+Linkerd is a graduated project of the [Cloud Native Computing
+Foundation](https://cncf.io/). Linkerd is [committed to open
+governance.](/2019/10/03/linkerds-commitment-to-open-governance/) If you have
+feature requests, questions, or comments, we'd love to have you join our
+rapidly-growing community! Linkerd is hosted on
+[GitHub](https://github.com/linkerd/), and we have a thriving community on
+[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and
+the [mailing lists](/community/get-involved/). Come and join the fun!
+
+(Photo by [Djim
+Loic](https://unsplash.com/@loic?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash)
+on
+[Unsplash](https://unsplash.com/photos/ft0-Xu4nTvA?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash).
+