<h1 id="the-vulnerability">The Vulnerability</h1>
<p>The official statement from NIST is available <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-44487">HERE</a></p>
<p>The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. This is the attack commonly called HTTP/2 Rapid Reset: a client opens a stream with a HEADERS frame and immediately cancels it with an RST_STREAM frame. The cancellation frees the stream's slot under the server's SETTINGS_MAX_CONCURRENT_STREAMS limit, but the server has already started work on the request, so a single connection can keep the server busy far beyond the rate that limit was meant to bound.</p>
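<p>The following is an added illustration, not code from the advisory or from Halo. It serialises and parses HTTP/2 frames using the 9-byte frame header from RFC 9113, builds a constructed Rapid Reset client stream (HEADERS immediately followed by RST_STREAM with error code CANCEL, repeated), and then shows why the concurrency limit alone does not help: the attacker's in-flight stream count never rises above one while the number of requests the server must start processing is unbounded. The <code>reset_budget</code> guard is a simplified, assumed version of the reset-rate limits that patched HTTP/2 servers introduced; the HPACK byte <code>0x82</code> is the static-table index for <code>:method: GET</code> and is used only to give the HEADERS frame a minimal valid-looking payload.</p>

```python
# Added example (not part of the advisory): frame-level view of HTTP/2 Rapid Reset.
# Frame type codes and header layout follow RFC 9113 sections 4.1 and 6.

HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8                 # RST_STREAM error code CANCEL
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
MINIMAL_HEADER_BLOCK = b"\x82"   # HPACK indexed field: static table entry 2 = ':method: GET'


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    header = (len(payload).to_bytes(3, "big")
              + bytes([ftype, flags])
              + (stream_id & 0x7FFFFFFF).to_bytes(4, "big"))
    return header + payload


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples; reject truncation."""
    frames = []
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def rapid_reset_client_stream(requests):
    """Constructed attacker traffic: open a stream, cancel it at once, repeat."""
    out = bytearray()
    for i in range(requests):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        out += build_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, MINIMAL_HEADER_BLOCK)
        out += build_frame(RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return bytes(out)


def benign_client_stream(requests):
    """Constructed ordinary traffic: streams are opened and left for the server to answer."""
    out = bytearray()
    for i in range(requests):
        out += build_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 2 * i + 1, MINIMAL_HEADER_BLOCK)
    return bytes(out)


def analyse_connection(data, max_concurrent_streams=100, reset_budget=100):
    """
    Replay a client's frames the way a server sees them and report:
      requests        - HEADERS frames the server had to start processing
      peak_in_flight  - most streams open at once (what SETTINGS_MAX_CONCURRENT_STREAMS bounds)
      cancelled       - streams the client reset while they were still open
      close_connection- True when the client exceeded the assumed reset budget; a simplified
                        stand-in for the reset-rate guards added to patched HTTP/2 servers
    """
    in_flight = set()
    peak = requests = cancelled = 0
    for ftype, _flags, sid, _payload in parse_frames(data):
        if ftype == HEADERS:
            requests += 1
            in_flight.add(sid)
            peak = max(peak, len(in_flight))
            if len(in_flight) > max_concurrent_streams:
                raise ValueError("client exceeded SETTINGS_MAX_CONCURRENT_STREAMS")
        elif ftype == RST_STREAM and sid in in_flight:
            in_flight.discard(sid)   # slot freed: the concurrency limit never triggers
            cancelled += 1
    return {
        "requests": requests,
        "peak_in_flight": peak,
        "cancelled": cancelled,
        "close_connection": cancelled > reset_budget,
    }


if __name__ == "__main__":
    print("attack :", analyse_connection(rapid_reset_client_stream(500)))
    print("benign :", analyse_connection(benign_client_stream(5)))
```

<p>With the attack stream, <code>peak_in_flight</code> stays at 1 even though the server has started 500 requests, which is why the fix had to be a limit on cancellations (or on the rate of stream creation) rather than on concurrent streams; the benign stream stays well under both limits.</p>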
<h1 id="how-this-affects-halo">How this affects Halo</h1>
<p>This vulnerability exists in the HTTP/2 protocol and is not specific to Halo, its components, or service providers.</p>
<h2 id="the-halo-hosted-platform">The Halo Hosted Platform</h2>
<p>Halo is hosted primarily in AWS, with AWS Elastic Load Balancing and AWS WAF in front of all public resources. Both are managed services, and AWS protects them against DDoS attacks, including this one, on behalf of its customers.</p>
<p>The AWS statement on this CVE is available <a href="https://aws.amazon.com/security/security-bulletins/AWS-2023-011/">HERE</a></p>
<h2 id="halo-on-prem">Halo On-Prem</h2>
<p>The Halo application should be hosted behind a Web Application Firewall, as is best practice for any application. Other controls, such as IP allow-listing and private (non-Internet) access, further reduce exposure to attacks of this kind.</p>
<p>Because this is a protocol-level attack against the server rather than against the application, these controls, together with keeping whatever terminates HTTP/2 in front of Halo (web server, reverse proxy or load balancer) patched, should be managed by the client following industry best practice.</p>