initial draft of CVE-2023-44487 blog post (#1695)

* initial draft of CVE-2023-44487 blog post
* address Eliza's feedback and lint

Signed-off-by: William Morgan <[email protected]>

linkerd.io/content/blog/2023/1011-cve-2023-44487.md

@@ -0,0 +1,130 @@
+---
+title: 'How Linkerd became invulnerable to CVE-2023-44487, a HTTP/2 DDOS vulnerability, six months prior to its disclosure'
+author: 'william'
+date: 2023-10-12T00:00:00+00:00
+thumbnail: /images/djim-loic-ft0-Xu4nTvA-unsplash.jpg
+draft: false
+featured: false
+slug: linkerd-cve-2023-44487
+tags: [Linkerd]
+---
+
+![A fast-moving clock](/images/djim-loic-ft0-Xu4nTvA-unsplash.jpg)
+
+Yesterday, [CVE-2023-44487](https://nvd.nist.gov/vuln/detail/CVE-2023-44487), a
+DDOS vulnerability in many HTTP/2 implementations, was disclosed. This is a very
+interesting attack involving the specifics of how HTTP/2 multiplexes concurrent
+requests on the same TCP connection, and there are several great writeups on how
+it works—see e.g. Cloudflare's [HTTP/2 Rapid Reset: deconstructing the
+record-breaking
+attack](https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/)
+and Google's [How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS
+attack](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
+for details of how this attack works and the consequences.
+
+We're happy to report that due to Linkerd's internal security policies and the
+security-awareness and rapid response of the Rust community, all recent versions
+of Linkerd are resilient to this class of DDOS attack. In fact, Linkerd has been
+resilient to these attacks since April of this year!
+
+Specifically, versions of Linkerd that are resilient to CVE-2023-44487 include:
+
+* All versions of Linkerd 2.14.x
+* Linkerd 2.13.1 and all later minor versions of Linkerd 2.13
+* Linkerd 2.12.5 and all later minor versions of Linkerd 2.12
+
+Linkerd solved this vulnerability 6 months ago thanks in part to our dependency
+handling procedures, but mostly thanks to the the security-mindedness of the
+Rust community.
+
+Let's see just how this feat happened.
+
+## Linkerd is a security-first project
+
+It's no understatement to say that Linkerd treats security as a critical
+requirement. Organizations around the world rely on Linkerd for everything from
+protecting sensitive customer medical and financial data, to scheduling COVID
+tests, to building 911 call centers. For some people, Linkerd is quite literally
+a life-or-death project.
+
+Part of that approach is the choice of technologies like Rust, of course, which
+allow us to avoid an entire class of buffer overflow exploits and other
+vulnerabilities that are [endemic to languages like C and
+C++](https://www.zdnet.com/article/chrome-70-of-all-security-bugs-are-memory-safety-issues/).
+
+But another, just as important part is simply how seriously the project takes
+potential security vulnerabilities. Tracing the path to resolution for
+CVE-2023-44487 is a great example of that. Here's how it happened:
+
+This issue was first tracked as a vulnerability in the Rust community as
+[RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html) on
+April 14, 2023. At that point it had actually [already been fixed in
+`h2`](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected),
+the underlying library that Linkerd uses to handle HTTP/2 requests, as a change
+that had gone out [on April 12th, two days
+earlier](https://github.com/hyperium/h2/pull/668).
+
+The fix was published in [`h2`
+v0.3.17](https://rustsec.org/advisories/RUSTSEC-2023-0034.html). Linkerd
+automatically flagged that dependency [on April
+13th](https://github.com/linkerd/linkerd2-proxy/commit/67306bc7ba19286352762362e4e1876ce5924442)
+through [GitHub's Dependabot](https://github.com/dependabot), the automated
+dependency tool that Linkerd uses to ensure it stays up-to-date with critical
+dependencies. The Linkerd team published the update as [proxy release
+v2.198.1](https://github.com/linkerd/linkerd2-proxy/releases/tag/release%2Fv2.198.1).
+
+On April 13th, this new proxy version [was pulled into the main Linkerd
+repo](https://github.com/linkerd/linkerd2/commit/19a404fd196e251e969ac6c4a552a3c7af698dc5).
+On April 14th, we pushed it to [Linkerd
+2.13.1](https://github.com/linkerd/linkerd2/releases/tag/stable-2.13.1)—two days
+after the underlying fix in `h2`, and the same day it was recognized as an
+vulnerability in the Rust ecosystem. The fix also went out on
+[edge-23.4.2](https://github.com/linkerd/linkerd2/releases/tag/edge-23.4.2) on
+April 21st, and from there it was in all future and stable releases.
+
+In short: **two days after the fix was made in the underlying Rust HTTP/2 library,
+it was already in the hands of Linkerd users as a stable release, and all
+Linkerd releases since April have been protected against this vulnerability.**
+While this vulnerability is making the news this week, Linkerd adopters have
+been protected for almost 6 months.
+
+## h2, hyper, and more
+
+But what is `h2` anyways? The [h2](https://github.com/hyperium/h2) library and
+its companion [hyper](https://hyper.rs/) are two of the foundational libraries
+that Linkerd uses to handle HTTP/2 requests in the proxy. HTTP/2 is used
+extensively by Linkerd: not only does Linkerd proxy application-initiated HTTP/2
+and gRPC (which uses HTTP/2) requests, Linkerd also transparently upgrades all
+HTTP/1 communication in between two meshed pods to HTTP/2! This is part of
+Linkerd's magic: by using `h2`, we can can dramatically reduce TCP connection
+usage and improve performance and resiliency for inter-service HTTP traffic
+without the application needing to do anything.
+
+Like much of the Rust async networking stack, these libraries represent the
+pinnacle of modern network programming. The Linkerd team has been heavily
+involved in `h2` for years. [Buoyant](https://buoyant.io), the primary sponsor
+of Linkerd, also sponsored significant portions of h2 development, and Linkerd
+maintainers occupy the third and fourth spots on the [`h2` contributor
+leaderboard](https://github.com/hyperium/h2/graphs/contributors).
+
+But ultimately it is to the credit of `h2` maintainer Sean McArthur that
+[CVE-2023-44487 was addressed six months
+ago](https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected),
+allowing Linkerd to maintain its commitment to security and simplicity for its
+users everywhere around the globe. A heartfelt thanks to you, Sean.
+
+## Linkerd is for everyone
+
+Linkerd is a graduated project of the [Cloud Native Computing
+Foundation](https://cncf.io/). Linkerd is [committed to open
+governance.](/2019/10/03/linkerds-commitment-to-open-governance/) If you have
+feature requests, questions, or comments, we'd love to have you join our
+rapidly-growing community! Linkerd is hosted on
+[GitHub](https://github.com/linkerd/), and we have a thriving community on
+[Slack](https://slack.linkerd.io/), [Twitter](https://twitter.com/linkerd), and
+the [mailing lists](/community/get-involved/). Come and join the fun!
+
+(Photo by [Djim
+Loic](https://unsplash.com/@loic?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash)
+on
+[Unsplash](https://unsplash.com/photos/ft0-Xu4nTvA?utm_content=creditCopyText&utm_medium=referral&utm_source=unsplash).)