Lighttpd

There has been some discussion in IRC Libera #lighttpd. Briefly, CVE-2023-44487 describes a denial of service (DoS) attack that affects all HTTP/2 implementations, though HTTP/2 servers are potentially more affected than HTTP/2 clients. How much an implementation is affected depends on the implementation and on a specific site usage of the server. CVE-2023-44487 does not appear to be more destructive to lighttpd than other DoS attacks. lighttpd HTTP/2 implementation processes HTTP/2 frames in batches, and so after parsing the HEADERS frame, lighttpd will not further dispatch HTTP/2 stream requests that receive a RST_STREAM in the same batch of processed HTTP/2 frames (an attack described by CVE-2023-44487). Additionally, lighttpd enforces SETTINGS_MAX_CONCURRENT_STREAMS, which lighttpd sets to 8, and once that limit is reached, new requests will not be handled until an outstanding request has completed, including cleaning up any resources opened by lighttpd for that outstanding request. If excessive streams are encountered after lighttpd receives a SETTINGS acknowledgment from the client for the SETTINGS frame lighttpd sends after the HTTP/2 server preface, lighttpd rejects the excess streams, sending RST_STREAM with HTTP/2 error code REFUSED_STREAM for each excess stream.

Is lighttpd affected by CVE-2023-44487

Not catastrophically. However, any DoS attack uses resources. lighttpd will consume additional resources processing HTTP/2 frames sent by the bot farm running the attack. lighttpd will also continue serving legitimate requests from other clients.