On Oct 10, 2023, a vulnerability (CVE-2023-44487) in the HTTP/2 protocol was announced, impacting a large number of HTTP/2 server implementations. As Kong Gateway supports HTTP/2 by default, Kong Gateway is also impacted by this vulnerability. All versions of Kong Gateway >= 1.4.0 are affected.
We are working on incorporating patches from the upstream Nginx Open Source project and releasing our own patches for affected versions.
Please follow this discussion for updates and suggested mitigations.
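The affected range stated above (every Kong Gateway release >= 1.4.0) is the one concrete fact an operator can act on right now. The following script is an added example, not code from Kong or from this discussion: it parses the version strings an inventory tool might collect (for example the output of `kong version`, or the `version` field of the Admin API root response) and reports which gateways fall inside the affected range. The host names and version strings in it are constructed samples, and because no fixed release is listed on this page, the check deliberately has no upper bound; add one once patched versions are published.

```python
import re

# Per the advisory, all Kong Gateway versions >= 1.4.0 are affected by
# CVE-2023-44487. No fixed release is listed yet, so there is no upper bound
# (assumption: treat every release from 1.4.0 onward as affected until Kong
# publishes patched versions).
AFFECTED_FROM = (1, 4, 0)

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)")


def parse_version(version_string):
    """Extract the leading numeric version from a string such as '3.4.1',
    'Kong Enterprise 2.8.4.2' or '1.4' and return it as a tuple of ints.

    The result is padded to at least three components so that '1.4' compares
    equal to '1.4.0'. Raises ValueError if no numeric version is present.
    """
    match = _VERSION_RE.search(version_string)
    if not match:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version_string):
    """True when the version lies in the advisory's affected range (>= 1.4.0)."""
    return parse_version(version_string) >= AFFECTED_FROM


def affected_hosts(inventory):
    """Given {hostname: version_string}, return the sorted list of hosts whose
    Kong Gateway version is in the affected range. Unparseable versions are
    reported as affected so that they are reviewed rather than silently skipped."""
    hits = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                hits.append(host)
        except ValueError:
            hits.append(host)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or deployments.
    sample_inventory = {
        "gw-a.example.internal": "3.4.1",
        "gw-b.example.internal": "1.3.0",
        "gw-c.example.internal": "Kong Enterprise 2.8.4.2",
        "gw-d.example.internal": "version unknown",
    }
    for host in affected_hosts(sample_inventory):
        print(f"{host}: in affected range for CVE-2023-44487 ({sample_inventory[host]})")
```

Hosts whose version cannot be parsed are listed as well, since an unknown version is not evidence of safety. When Kong publishes fixed releases, extend `is_affected` with a per-minor-branch upper bound instead of a single global one, because patches for several supported branches are usually released in parallel.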