Bug 4988 - HTTP/2 Rapid Reset : CVE-2023-44487
Summary: HTTP/2 Rapid Reset : CVE-2023-44487
Status: RESOLVED WORKSFORME
Alias: None
Product: common
Classification: Unclassified
Component: Backend/API
Version: bookworm-based
Hardware: PC Linux
Assignee: Bugs
Reported: 2023-10-10 15:39 CEST by admin
Modified: 2023-10-11 09:26 CEST (History)
Description admin 2023-10-10 15:39:48 CEST
Is Proxmox patched or vulnerable to the attack?

See : CVE-2023-44487

https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Comment 1 Thomas Lamprecht 2023-10-10 17:23:28 CEST
No, our API in general uses HTTP/1.1.

Only Proxmox Backup server has support for HTTP 2.2, and there it's only accessible to users or API tokens that one gave access to making or reading backups.

And even if one has the relevant access, which normally means already some higher trust relation to that user, those two special endpoints cannot really be abused by rapid reset, as this "attack" works with requesting data from a server, not sending some to it, the writer endpoint is unaffected by definition. Misusing the reader one has a higher chance, but still adds some cost to the attacker and is not trivially possible – and still, as this requires read access and knowing chunk IDs, which requires reading some indexes, we see it as non-problematic, especially as there's built-in rate-limiting available too.

tl;dr:

Proxmox VE -> no, only HTTP/1.1
Proxmox Mail Gateway -> no, only HTTP/1.1
Proxmox Backup Server -> in general no, as all but two restricted endpoints are HTTP/1.1 only. Of the restricted endpoints only one could be misused, but not cheaply, so we do not see this as a real issue.
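A defender-side illustration of the pattern discussed above, added here and not part of the bug report or of any Proxmox code: a small per-connection sliding-window detector run over a constructed HTTP/2 frame trace, flagging a client that opens streams and immediately resets them, which is the kind of built-in rate-limiting a server can apply. The trace format, thresholds and class/function names are assumptions.

```python
from collections import defaultdict, deque

# Constructed client->server HTTP/2 frame trace, one frame per line:
# "<seconds> <conn_id> <frame_type> <stream_id>" (c1 rapid-resets, c2 is normal)
TRACE = """\
0.000 c1 HEADERS 1
0.001 c1 RST_STREAM 1
0.002 c1 HEADERS 3
0.003 c1 RST_STREAM 3
0.004 c1 HEADERS 5
0.005 c1 RST_STREAM 5
0.006 c1 HEADERS 7
0.007 c1 RST_STREAM 7
0.500 c2 HEADERS 1
0.600 c2 HEADERS 3
0.700 c2 RST_STREAM 3
0.800 c2 HEADERS 5
"""

class RapidResetDetector:
    """Flags a connection that opens streams and resets most of them within a short window."""

    def __init__(self, window_s=1.0, max_resets=4, min_ratio=0.8):
        self.window_s, self.max_resets, self.min_ratio = window_s, max_resets, min_ratio
        self.opened = defaultdict(deque)   # conn -> timestamps of client HEADERS
        self.resets = defaultdict(deque)   # conn -> timestamps of client RST_STREAM
        self.flagged = set()

    def observe(self, t, conn, frame_type, stream_id):
        """Feed one frame; return True once conn should be throttled or closed."""
        if stream_id % 2 == 1:             # only client-initiated (odd) streams count
            if frame_type == "HEADERS":
                self.opened[conn].append(t)
            elif frame_type == "RST_STREAM":
                self.resets[conn].append(t)
        for q in (self.opened[conn], self.resets[conn]):
            while q and t - q[0] > self.window_s:   # expire events outside the window
                q.popleft()
        n_open, n_reset = len(self.opened[conn]), len(self.resets[conn])
        if n_reset >= self.max_resets and n_reset >= self.min_ratio * n_open:
            self.flagged.add(conn)
        return conn in self.flagged

def scan_trace(trace, **kw):
    """Return {conn_id: time_first_flagged} for a frame trace in the format above."""
    det, first = RapidResetDetector(**kw), {}
    for line in trace.strip().splitlines():
        t, conn, ftype, sid = line.split()
        if det.observe(float(t), conn, ftype, int(sid)) and conn not in first:
            first[conn] = float(t)
    return first
```

Running `scan_trace(TRACE)` flags only `c1`, at the fourth reset; a client that merely cancels an occasional stream stays below the threshold.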
Comment 2 Thomas Lamprecht 2023-10-11 09:26:01 CEST
For the record:
The main author of the underlying HTTP and HTTP/2 stack hyper[0], which is used by Proxmox Backup Server, is stating that it's not affected[1] in the version we use.
So even privileged users cannot misuse the backup reader endpoint in any way with this method, leaving all Proxmox projects completely unaffected by this issue.

[0]: https://hyper.rs/
[1]: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected