• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Resolved Plesk and HTTP2 Rapid Reset

Peter99

Basic Pleskian
Server operating system version
AlmaLinux 8.8 (Sapphire Caracal)
Plesk version and microupdate number
Version 18.0.56
Hi Plesk.

How are we secured by Plesk, against this known HTTP/2 Rapid Reset attacks?
 
Nginx by default sets the following values for the parameters:
When the default parameters are used, nginx instance isn’t affected by the vulnerability. Plesk doesn’t configure these parameters. Therefore, default Plesk instance isn’t affected.

If you have values other than the default, the probability of a successful attack increases as these values increase. For that case you can apply a custom patch mentioned in the article HTTP/2 Rapid Reset Attack Impacting F5 NGINX Products - NGINX (build the newest source-code from nginx repository), but it’s on your own risk, we didn’t test that. The best workaround now is set the values to default.
 
Many of theconfig files carry warnings about not editing - can you confirm the correct place in Plesk to configure those values on a server wide basis?

Thank you for your prompt response to this matter Peter! :)
 
If you did not change these parameters before, there is no need to add them anywhere. If you changed them before, either remove them or replace the values by the defaults. If you wish to add them anyway, the right place is /etc/nginx/nginx.conf - or - you can create a new configuration file in /etc/nginx/conf.d/, ending on .conf, because that will be included in the http section of nginx.conf.
 
If you did not change these parameters before, there is no need to add them anywhere. If you changed them before, either remove them or replace the values by the defaults. If you wish to add them anyway, the right place is /etc/nginx/nginx.conf - or - you can create a new configuration file in /etc/nginx/conf.d/, ending on .conf, because that will be included in the http section of nginx.conf.
Thank you indeed for a fast reply, Peter!
I just checked 3 of our Debian servers and 2 of our Almalinux server and these parameters seems missing on all servers in the /etc/nginx/nginx.conf
We haven't modified Nginx on any of the servers.
I will attempt to create a new file and add these parameters manually.
 
You do not need to add these parameters if they are not present. The default setting will do.
 
I expect to release a fix for this asap as it can be very dangerous when I read the many articles on this... Seems urgent enough to automatically push an update/fix for this asap.
 
Dubbed “HTTP/2 Rapid Reset,” the flaw requires making patches available for virtually every web server around the world before the problem can be eradicated.

Source: A New Protocol Vulnerability Will Haunt the Web for Years

It needs to be patched apparently. Nginx already updated their repo. DirectAdmin is also pushing an update soon. So I expect Plesk do the same, right?
 
I quickly read trough the Wired article. From what I can gather to article focuses on how the issue can be completely eradicated, which is by fixing the http/2 protocol. It does not mention that the severity depends on the implementation of the protocol by vendors. LiteSpeed for example stated that they are not affected. Nginx stated that the issue posses limited threat as long as the default values are used for the keepalive_requests and http2_max_concurrent_streams parameters.

As for DA, I could not find any statement from them. But their ngnix/apache/litespeed implementation might be different from Plesk, witch might necessitates a patch for them.
 
The next stable Nginx version will be available April 2023. The current patches done in Nginx are on their "mainstream" version, which is a similar construction like the new RHEL "stream" - open heart surgery and banana principle where the product ripens after delivery to the user. The current Plesk security team assessment is that only if the two above mentioned variables are set to higher values, the risk increases. The higher the values, the higher the risk. You should be good with the default setting. But feel free to lower the values, if you prefer.

Plesk has the luxury of having experts specifically trained in security. We have to rely on the advice. It is not likely that the experts will be wrong. If new findings emerge, we will of course take action.
 
Back
Top