{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"Impact of Rapid Reset and HTTP/2 DoS Vulnerabilities (CVE-2023-44487, CVE-2023-35945)"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2023-44487","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-04-11T00:26:28.473Z","generator":{"date":"2026-04-11T00:26:28.473Z","engine":{"name":"vulnogram","version":"0.1.0-rc1"}},"id":"CVE-2023-44487","initial_release_date":"2023-10-11T16:00:00.000Z","revision_history":[{"number":"1","date":"2023-10-11T09:00:00.000Z","summary":"Initial Publication"},{"number":"2","date":"2023-10-18T10:50:00.000Z","summary":"Updated availability of Threat Signature for CVE-2023-44487 and added product status"},{"number":"3","date":"2023-10-25T12:43:00.000Z","summary":"Updated status of Prisma Cloud Compute"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[{"name":"PAN-OS","category":"product_name","branches":[{"category":"product_version","name":"PAN-OS All","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-1"}}]},{"name":"GlobalProtect App","category":"product_name","branches":[{"category":"product_version","name":"GlobalProtect App All","product":{"name":"Palo Alto Networks GlobalProtect App","product_id":"PANW-GlobalProtect-App-1"}}]},{"name":"Prisma Cloud Compute","category":"product_name","branches":[{"category":"product_version","name":"Prisma Cloud Compute All","product":{"name":"Palo Alto Networks Prisma Cloud Compute","product_id":"PANW-Prisma-Cloud-Compute-1"}}]},{"name":"Prisma 
Cloud","category":"product_name","branches":[{"category":"product_version","name":"Prisma Cloud All","product":{"name":"Palo Alto Networks Prisma Cloud","product_id":"PANW-Prisma-Cloud-1"}}]},{"name":"Cloud NGFW","category":"product_name","branches":[{"category":"product_version","name":"Cloud NGFW All","product":{"name":"Palo Alto Networks Cloud NGFW","product_id":"PANW-Cloud-NGFW-1"}}]},{"name":"Prisma Access","category":"product_name","branches":[{"category":"product_version","name":"Prisma Access All","product":{"name":"Palo Alto Networks Prisma Access","product_id":"PANW-Prisma-Access-1"}}]},{"name":"Cortex XDR","category":"product_name","branches":[{"category":"product_version","name":"Cortex XDR All","product":{"name":"Palo Alto Networks Cortex XDR","product_id":"PANW-Cortex-XDR-1"}}]},{"name":"Cortex XDR Agent","category":"product_name","branches":[{"category":"product_version","name":"Cortex XDR Agent All","product":{"name":"Palo Alto Networks Cortex XDR Agent","product_id":"PANW-Cortex-XDR-Agent-1"}}]}]}]},"vulnerabilities":[{"cve":"CVE-2023-44487","product_status":{"known_not_affected":["PANW-PAN-OS-1","PANW-GlobalProtect-App-1","PANW-Prisma-Cloud-Compute-1","PANW-Prisma-Cloud-1","PANW-Cloud-NGFW-1","PANW-Prisma-Access-1","PANW-Cortex-XDR-1","PANW-Cortex-XDR-Agent-1"]},"notes":[{"category":"description","text":"The Palo Alto Networks Product Security Assurance team is evaluating the recently disclosed denial-of-service (DoS) vulnerabilities in the HTTP/2 protocol including Rapid Reset (CVE-2023-44487) and CVE-2023-35945.\n\nIf HTTP/2 inspection is enabled in PAN-OS, an ongoing distributed denial-of-service (DDoS) attack in inspected traffic will contribute towards the session capacity limit of the firewall. This can result in the intermittent availability of new firewall sessions and is consistent in impact with other volumetric DDoS attacks. Availability of new firewall sessions will recover naturally once the DDoS attack stops. 
For customers who have enabled it, Threat prevention ID 40152 (Applications and Threats content update 8765) blocks this attack from happening in inspected HTTP/2 traffic.\n\nPAN-OS firewalls that do not perform HTTP/2 inspection are not impacted in any way.\nPAN-OS firewalls that do not perform decryption are not impacted by the DDoS attack in encrypted network traffic.\nPAN-OS firewall web interface, Captive Portal, GlobalProtect portals, and GlobalProtect gateways are not impacted by these vulnerabilities.\n\nWhile Prisma Cloud Compute includes vulnerable versions of nghttp2 and golang packages, Prisma Cloud Compute software does not have any HTTP/2 web server endpoints and is not impacted by these vulnerabilities."}],"references":[{"category":"external","summary":"NVD - CVE-2023-44487","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2023-44487","url":"https://security.paloaltonetworks.com/CVE-2023-44487"}],"threats":[{"category":"impact","description":"The Palo Alto Networks Product Security Assurance team is evaluating the recently disclosed denial-of-service (DoS) vulnerabilities in the HTTP/2 protocol including Rapid Reset (CVE-2023-44487) and CVE-2023-35945.\n\nIf HTTP/2 inspection is enabled in PAN-OS, an ongoing distributed denial-of-service (DDoS) attack in inspected traffic will contribute towards the session capacity limit of the firewall. This can result in the intermittent availability of new firewall sessions and is consistent in impact with other volumetric DDoS attacks. Availability of new firewall sessions will recover naturally once the DDoS attack stops. 
For customers who have enabled it, Threat prevention ID 40152 (Applications and Threats content update 8765) blocks this attack from happening in inspected HTTP/2 traffic.\n\nPAN-OS firewalls that do not perform HTTP/2 inspection are not impacted in any way.\nPAN-OS firewalls that do not perform decryption are not impacted by the DDoS attack in encrypted network traffic.\nPAN-OS firewall web interface, Captive Portal, GlobalProtect portals, and GlobalProtect gateways are not impacted by these vulnerabilities.\n\nWhile Prisma Cloud Compute includes vulnerable versions of nghttp2 and golang packages, Prisma Cloud Compute software does not have any HTTP/2 web server endpoints and is not impacted by these vulnerabilities."}],"scores":[{"cvss_v3":{"version":"3.1","attackVector":"PHYSICAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":0,"baseSeverity":"NONE","vectorString":"CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N"},"products":[]}]}]}