
HTTP/2 Rapid Reset (CVE-2023-44487)

Blog post from Vespa

Author: Kristian Aune
Word Count: 146
Language: English
Summary

On October 10, 2023, a significant vulnerability known as HTTP/2 Rapid Reset (CVE-2023-44487) was disclosed, affecting numerous HTTP/2 servers, including Vespa through its use of Jetty. To address the issue, Jetty released version 11.0.17, and Vespa promptly built version 8.240.5 and deployed it to Vespa Cloud, so Vespa Cloud users were protected immediately and need to take no further action. Self-hosted users are urged to upgrade to this version (8.240.5) to safeguard their systems. Vespa provides support through its Slack channel, and further reading is available in Google's security-focused blog posts, which discuss the mitigation of large-scale DDoS attacks, including the HTTP/2 Rapid Reset attack.