Multiple HTTP/2 implementations are vulnerable to denial-of-service attacks

Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks.

Netflix discovered several resource exhaustion vectors affecting a variety of third-party HTTP/2 implementations. These attack vectors can be used to launch DoS attacks against servers that support HTTP/2 communication.

Netflix worked with Google and CERT/CC to coordinate disclosure to the Internet community.

In most cases, an immediate workaround is to disable HTTP/2 support. However, this may cause performance degradation, and it might not be possible in all cases. To obtain software fixes, please contact your software vendor.

A number of vendors have announced patches to correct this suboptimal behaviour.

Further information regarding HTTP/2 can be found here.

Further information regarding this vulnerability can be found here.

Vendor Information

Please see this matrix of affected products and vulnerabilities.

Jason Davies

UK-based technology professional, with an interest in computer security and telecoms.
