EBO impact for CVE-2023-44487

Notifications

Building Automation Knowledge Base

Schneider Electric Building Automation Knowledge Base is a self-service resource to answer all your questions about EcoStruxure Building suite, Andover Continuum, Satchwell, TAC…

Invite a Co-worker

Send a co-worker an invite to the portal.Just enter their email address and we'll connect them to register. After joining, they will belong to the same company.

Send Invite Cancel

Related Forums

Intelligent Devices Forum

Previous Next

Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague

Back to Building Automation Knowledge Base

1421 Views

Link copied. Please paste this link to share this article on your social media post.

Trying to translate this page to your language?

Select your language from the translate dropdown in the upper right.

Translate to: English

Issue

A flaw was found in handling multiplexed streams in the HTTP/2 protocol. A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it. This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption(CVE-2023-44487 from Redhat). All versions 2.13 and higher with HTTP/2 enabled are affected: 2.13, 3.0, 4.0, and 5.0.

Product Line

EcoStruxure Building Operation

Environment

Building Operation Enterprise Server
Building Operation Enterprise Central
Building Operation Workstation
Building Operation Webstation
SmartX AS-P Server
SmartX AS-B Server

Cause

HTTP vulnerability raised security concerns for EBO

Resolution

EBO isn't affected by the impacted protocol since EBO doesn't utilize HTTP 2.0 and 3.0.

To The Top!

EBO impact for CVE-2023-44487

Related Forums

Intelligent Devices Forum