On Tuesday, August 13th at 10 AM Pacific Time (1700UTC), Netflix publicly disclosed a series of vulnerabilities found by Jonathan Looney that impact many implementations of the HTTP2 protocol. A vulnerability found by Piotr Sikora of Google was also released at the same time. Akamai is grateful to the reporters for their work and pre-release coordination.
About the Vulnerabilities
All of the HTTP2 vulnerabilities referenced above are resource exhaustion vulnerabilities, which would impact the availability of the attacked systems and services, thus not compromising the confidentiality or integrity of the data contained within. Vectors like these have been seen in the past when exploited on other protocols, like HTTP2's predecessor HTTP with the Slowloris and Zero Window connection stressing.
Rather than us going into detail on each of the vulnerabilities, please see the write up provided by Netflix.
|
Vulnerability |
CVE |
Reporters |
|
Data Dribble |
Jonathan Looney, Netflix |
|
|
Ping Flood |
Jonathan Looney, Netflix |
|
|
Resource Loop |
Jonathan Looney, Netflix |
|
|
Reset Flood |
Jonathan Looney, Netflix |
|
|
Settings Flood |
Jonathan Looney, Netflix |
|
|
0-Length Headers Leak (Nginx variant) |
Jonathan Looney, Netflix |
|
|
Internal Data Buffering |
Jonathan Looney, Netflix |
|
|
Empty Frames Flood |
Piotr Sikora, Google |
Akamai Impact
Some Akamai services were impacted by this vulnerability, but all customer services have been patched. Akamai recommends that all Internet connected HTTP2 services be patched for these vulnerabilities as soon as possible. CDN customers that use Akamai and have up-to-date SiteShield lists should be protected from these vulnerabilities while their origin infrastructure is patched.
Article Link: https://blogs.akamai.com/sitr/2019/08/http2-vulnerabilities.html