VTS23-014
HTTP/2 Vulnerability (CVE-2023-44487)
Revision History
- 1.0: October 12, 2023: Initial version
- 1.1: October 20, 2023: Interim update
- 1.2: October 24, 2023: Interim update
- 1.3: October 31, 2023: Interim update
- 1.4: November 8, 2023: Interim update
- 1.4: November 14, 2023: Interim update
Products: All
Summary
Veritas is aware of the recently announced vulnerability in the HTTP/2 protocol (https://nvd.nist.gov/vuln/detail/CVE-2023-44487). All Veritas Product Security and Development teams are actively reviewing our software to determine if the vulnerability exists in any of our products.
Current Vulnerability Status for CVE-2023-44487
| Veritas Product | Status | Notes |
|---|---|---|
| Access Appliance | Not Vulnerable | Vulnerable code not in execute path |
| Alta Archiving | Not Vulnerable | Component not present |
| Alta Backup as a Service | Not Vulnerable | Component not present |
| Alta Capture | Not Vulnerable | |
| Alta Data Protection | Not Vulnerable | |
| Alta Discovery | Not Vulnerable | Component not present |
| Alta Recovery Vault | Not Vulnerable | |
| Alta SaaS Protection | Not Vulnerable | Component not present |
| Alta Surveillance | Not Vulnerable | Component not present |
| Alta View | Not Vulnerable | |
| Backup Exec | Not Vulnerable | |
| Data Insight | Not Vulnerable | Component not present |
| Desktop and Laptop Option | Not Vulnerable | Vulnerable code not in execute path |
| eDiscovery Platform | Not Vulnerable | |
| Enterprise Vault | Microsoft Mitigation Guidance – See Below * | Inline Mitigations Already Exist |
| InfoScale | Not Vulnerable | |
| Merge1 | Microsoft Mitigation Guidance – See Below * | Inline Mitigations Already Exist |
| NetBackup | Not Vulnerable | Component not present |
| NetBackup Appliance | Not Vulnerable | Component not present |
| NetBackup Flex Appliance | Not Vulnerable | |
| NetBackup Flex Scale | Not Vulnerable | Component not present |
| NetBackup IT Analytics | Not Vulnerable | Component not present |
| NetBackup OpsCenter | Not Vulnerable | Component not present |
| NetBackup Quick Assist | Not Vulnerable | |
| NetBackup Resiliency Platform | Not Vulnerable | |
| NetBackup Self Service | Not Vulnerable | |
| NetBackup Snapshot Manager | Not Vulnerable | |
| Veritas Advanced Supervision | Not Vulnerable | |
| Veritas InfoScale Operations Manager (VIOM) | Not Vulnerable | |
| Veritas System Recovery | Microsoft Mitigation Guidance – See Below * | Inline Mitigations Already Exist |

\* Please see the Microsoft guidance for this CVE: "CVE-2023-44487 - Security Update Guide - Microsoft - MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack"